DOSBlock IP Blocker
http://rainnerlins.com/blog/dosblock
Thu, 13 Oct 2011 19:39:45 -0400
DOSBlock is a unix bash script for monitoring and banning IPs that try to exploit your server. It works along with Cron and the popular APF-Firewall to help fight DDoS attacks and high traffic caused by hijacked client computers.
A Distributed Denial-of-Service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system; in this case, your server and the people trying to access it. This post will show you how to check for a high number of incoming connections from within your server, and it provides a script that monitors your incoming connections and temporarily blocks any IP that exceeds a specified number of connections per minute.
APF Firewall
If you haven't done so already, start by installing APF on your server. I won't go into much detail on how to configure it; you can find all the info you need with a Google search. Here's one way to get it installed: SSH in to your server as root and run the following.
# go to a temp downloads folder
cd /root/downloads
# download APF
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
# unpack the files
tar -xvzf apf-current.tar.gz
# go into the APF folder, enter your version
cd apf-0.0.0-0
# run the installer
./install.sh
The NetStat Command
netstat is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. If you are not familiar with netstat, have a look at the Wiki page for more info on it.
Sorting and Showing Connected IPs
netstat -ntu | awk '{print $5}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -g | uniq -c | sort -nr
DOSBlock is based on the command above. It uses netstat to show a sorted list of connected IPs and the number of connections for each one. The script then checks the number of connections for each IP against a number you specify and uses APF to block the IP temporarily or permanently.
Setup and Configure DOSBlock
The default location for DOSBlock is /usr/local/dosblock/. You can download the files from here and then upload them to your server, or log in to your server and download the source from here, like this:
# go to the install location
cd /usr/local
# download DOSBlock
wget http://rainnerlins.com/resources/script/dosblock/dosblock.tar.gz
# unpack the folder, go into it
tar -xvzf dosblock.tar.gz
cd ./dosblock
# give the script permission to execute
chmod 0700 ./dosblock.sh
# edit the file
vim ./dosblock.sh
Here are some configuration options for DOSBlock; you can get a better sense of how the script works once you download it and have a look at the source code comments.
# script home folder
HOME_DIR="/usr/local/dosblock"
# script linkage, lets you run the script by typing its name
LINKAGE="/usr/local/sbin/dosblock"
# APF-Firewall location
APF="/etc/apf/apf"
# IPTABLES location
IPT="/sbin/iptables"
# report to this e-mail. empty = disable
EMAIL="admin@mysite.com"
# how many hits from one IP are allowed at once
LIMIT=60
# block the IP (1), or just report it (0)
BLOCK=1
# seconds to keep an IP blocked. 0 = forever
RESET=600
# cron file to be created if none exists
CRON_FILE="/etc/cron.d/dosblock"
# run this script every # minute/s
CRON_FREQ=1
Once you have everything set up, the first time you run the script it will create the linkage specified above and a cron file so it keeps working in the background. Whenever an IP is blocked, a temporary script is created in your global /tmp folder, scheduled to execute after the RESET period, unblock the IP(s) and delete itself. I have the very same script running on this server right now and it's been very helpful. Feel free to ask any questions if you have any problems setting it up.
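The following is an added example, not the DOSBlock script itself, showing the core loop the post describes: reduce netstat output to a per-IP connection count, compare each count against LIMIT, and either report the offender or hand it to APF. It reuses the LIMIT, BLOCK and APF settings from the configuration above. The netstat lines are constructed sample data, the ALLOW list (so you never ban loopback or your own admin address) is my addition, and "apf -d HOST" as the deny command is an assumption about APF's command line, not something the post states.

```shell
#!/bin/sh
# Added example (not DOSBlock's own code): netstat -> count -> compare -> report/block.

LIMIT=60                          # connections from one IP before it counts as abusive
BLOCK=0                           # 0 = report only, 1 = also deny via APF
APF="/etc/apf/apf"                # APF location, as in the post's configuration
ALLOW="127.0.0.1 203.0.113.10"    # never block these (loopback + sample admin IP); my addition

# Constructed sample of `netstat -ntu` output: one client holding 61 connections,
# one with 2, and the admin host with 1. Column 5 is the foreign "IP:port".
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    i=0
    while [ "$i" -lt 61 ]; do
        printf 'tcp        0      0 198.51.100.5:80         192.0.2.77:%d       ESTABLISHED\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'tcp        0      0 198.51.100.5:80         192.0.2.8:51022        ESTABLISHED\n'
    printf 'tcp        0      0 198.51.100.5:80         192.0.2.8:51023        TIME_WAIT\n'
    printf 'tcp        0      0 198.51.100.5:22         203.0.113.10:60112     ESTABLISHED\n'
}

# Reduce netstat output on stdin to "count ip" lines, busiest first.
# Same pipeline as the post, with the IPv4 regex escaped so grep really matches.
count_connections() {
    awk '{print $5}' \
      | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' \
      | sort | uniq -c | sort -nr \
      | awk '{print $1, $2}'
}

# Print "ip count" for every IP over LIMIT that is not on the allow list.
offenders() {
    count_connections | while read -r count ip; do
        [ "$count" -gt "$LIMIT" ] || continue
        case " $ALLOW " in *" $ip "*) continue ;; esac
        echo "$ip $count"
    done
}

# Log each offender; with BLOCK=1 and APF installed, deny it as well.
# Assumption: "apf -d HOST [comment]" is APF's deny command.
act_on() {
    while read -r ip count; do
        echo "$(date '+%F %T') $ip has $count connections (limit $LIMIT)"
        if [ "$BLOCK" -eq 1 ] && [ -x "$APF" ]; then
            "$APF" -d "$ip" "dosblock: $count connections"
        fi
    done
}

# Stand-alone run against the constructed sample; for real use replace
# sample_netstat with `netstat -ntu` and run it from cron as the post describes.
sample_netstat | offenders | act_on
```

Two things worth keeping when you adapt this: the regex only matches IPv4, so IPv6 clients are never counted, and because netstat lists every socket (including TIME_WAIT and your own outgoing connections), an allow list of the server's own addresses and your admin host is the difference between blocking an attacker and locking yourself out.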