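#!/usr/bin/env bash
#
# shield-lockdown.fw — host firewall and kernel tuning to blunt SYN floods and
# similar volumetric attacks on the AVLS OXL-OLX server.
# Must run as root: it writes /proc/sys and replaces the iptables ruleset.
#
# Layout:
#   1. kernel sysctl hardening under /proc/sys/net/ipv4
#   2. flush iptables and define the syn-flood chain
#   3. INPUT / mangle rules: malformed packets, scan and brute-force limiting,
#      ICMP and DNS rate limits, SSH allow-list, service ports, default DROP
#      of any other NEW tcp/udp connection.
#
# Change IFACE / SSH_PORT below when deploying on a different host.

set -u

readonly IFACE=ens13          # primary (public) interface
readonly SSH_PORT=10222       # sshd listens here, not on 22
readonly IPTABLES=/sbin/iptables
readonly PROC_IPV4=/proc/sys/net/ipv4

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message
#######################################
die() {
  printf 'shield-lockdown: %s\n' "$*" >&2
  exit 1
}

#######################################
# Write one value to a /proc/sys entry.  Entries the running kernel does not
# expose (e.g. tcp_tw_recycle on kernels >= 4.12, nf_conntrack_max before the
# conntrack module is loaded) are skipped with a warning instead of aborting
# the rest of the lockdown.
# Arguments: $1 - full path under /proc/sys, $2 - value to write
# Returns:   0 if written, 1 if the entry was skipped
#######################################
set_sysctl() {
  local key=$1 value=$2
  if [[ -w "$key" ]]; then
    printf '%s\n' "$value" > "$key"
  else
    printf 'shield-lockdown: warning: %s not writable, skipped\n' "$key" >&2
    return 1
  fi
}

(( EUID == 0 )) || die "must run as root"

# Pieces the author left disabled; kept for reference only.
#PRINT=$(ifconfig "$IFACE" | fgrep -i inet | cut -d : -f 2 | cut -d \  -f 1)
#echo "Primary Interface: $PRINT"
#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack

# Purpose of these files is not documented here — presumably state left by an
# earlier dynamic-IP mechanism; confirm before keeping or dropping this line.
/bin/rm -f /root/.dyn*

echo "Setting kernel tcp parameters to reduct DoS effects"

# Shorter timeouts limit how long half-open / idle state is held per peer.
set_sysctl "$PROC_IPV4/tcp_fin_timeout" 30          # default 60
set_sysctl "$PROC_IPV4/tcp_keepalive_time" 1800     # default 7200
set_sysctl "$PROC_IPV4/tcp_window_scaling" 1        # default on
set_sysctl "$PROC_IPV4/tcp_sack" 0                  # default on; author's choice
set_sysctl "$PROC_IPV4/tcp_max_syn_backlog" 1024    # default 2048

# ANTISPOOFING — reverse-path filtering on every interface.
for rp in "$PROC_IPV4"/conf/*/rp_filter; do
  set_sysctl "$rp" 1
done

# NO SOURCE ROUTE
for sr in "$PROC_IPV4"/conf/*/accept_source_route; do
  set_sysctl "$sr" 0
done

echo "SYN COOKIES Settings"

set_sysctl "$PROC_IPV4/tcp_syncookies" 1
set_sysctl "$PROC_IPV4/icmp_echo_ignore_broadcasts" 1
set_sysctl "$PROC_IPV4/icmp_ignore_bogus_error_responses" 1
# The original wrote 1 here, which *accepts* ICMP redirects — the opposite of
# this section's hardening intent, since accepted redirects let a peer on the
# local segment alter this host's routes.  0 refuses them.
set_sysctl "$PROC_IPV4/conf/all/accept_redirects" 0
set_sysctl "$PROC_IPV4/conf/all/log_martians" 1
set_sysctl "$PROC_IPV4/tcp_syn_retries" 3           # default 5
set_sysctl "$PROC_IPV4/tcp_synack_retries" 3        # default 5
# tcp_tw_recycle misbehaves with clients behind NAT and was removed in
# Linux 4.12; set_sysctl skips it when the kernel does not provide it.
set_sysctl "$PROC_IPV4/tcp_tw_recycle" 1            # default disabled
set_sysctl "$PROC_IPV4/tcp_tw_reuse" 1              # default disabled

# NUMBER OF CONNECTIONS TO TRACK (entry exists once nf_conntrack is loaded)
set_sysctl /proc/sys/net/nf_conntrack_max 1048560

# Set default policies.  INPUT/OUTPUT stay ACCEPT; the explicit DROP of NEW
# tcp/udp at the end of INPUT is what closes unlisted ports, so anything
# added below that point is unreachable.
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD DROP
#
"$IPTABLES" -F
"$IPTABLES" -F -t mangle
"$IPTABLES" -F -t raw
#
"$IPTABLES" -X
#
"$IPTABLES" -N syn-flood
#
# SYN-FLOOD RULES: under the limit a packet RETURNs to INPUT; above it the
# packet is logged (itself rate-limited, so a flood cannot also fill the
# log) and dropped.
"$IPTABLES" -A syn-flood -m limit --limit 1000/second --limit-burst 1250 -j RETURN
"$IPTABLES" -A syn-flood -m limit --limit 5/minute -j LOG --log-prefix "SYN flood: "
"$IPTABLES" -A syn-flood -j DROP
#
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT -d 127.0.0.0/8 -j REJECT
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP
# The original created syn-flood but never jumped to it, so the limit above
# was never applied.  Every well-formed new SYN now passes through the chain.
"$IPTABLES" -A INPUT -p tcp --syn -m state --state NEW -j syn-flood
#######################
# Drop all incoming malformed NULL / XMAS packets.
#
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
"$IPTABLES" -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#
echo "Port Scan protection is enabling......."
#
# NMAP (Port SCAN Protection)
#
# NOTE(review): these rules sit in FORWARD, whose policy is DROP, so they only
# affect routed traffic and do nothing for connections to this host itself.
# Moving them to INPUT would need a hitcount well above 10/30s, because a
# normal browser opens that many connections for a single page load.
"$IPTABLES" -A FORWARD -p tcp -i "$IFACE" -m state --state NEW -m recent --set
"$IPTABLES" -A FORWARD -p tcp -i "$IFACE" -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
#######################
# For mangle: web ports pass straight through; SMB/NetBIOS, a list of
# commonly-abused service ports, and invalid TCP flag combinations are
# dropped before routing.
"$IPTABLES" -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j ACCEPT
"$IPTABLES" -t mangle -A PREROUTING -p tcp -m tcp --dport 443 -j ACCEPT
"$IPTABLES" -t mangle -A PREROUTING -p tcp -m tcp --dport 135:139 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p udp -m udp --dport 135:139 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp -m tcp --dport 445 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p udp -m udp --dport 445 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp -m multiport --ports 445,1433,1434,2002,4156,1978,27444,10100,1812,10064,389,6346 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p udp -m multiport --ports 445,1433,1434,2002,4156,1978,27444,10100,1812,10064,389,6346 -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
"$IPTABLES" -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
# Source range blocked in the original ruleset; reason not recorded here.
"$IPTABLES" -t mangle -A PREROUTING -s 202.96.99.0/24 -j DROP
#############
echo "ICMP Protection is Enabling"
#
# ICMP protection: accept a bounded rate of ICMP, drop the rest.
#
"$IPTABLES" -A INPUT -p icmp -m limit --limit 10/s --limit-burst 15 -j ACCEPT
#"$IPTABLES" -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
"$IPTABLES" -A INPUT -p icmp -j DROP
"$IPTABLES" -A OUTPUT -p icmp -j ACCEPT
#
##
# For DNS Flooding: bounded rate of UDP/53 queries, rest dropped.
#
"$IPTABLES" -A INPUT -p udp --dport 53 -m limit --limit 200/second --limit-burst 400 -j ACCEPT
"$IPTABLES" -A INPUT -p udp --dport 53 -j DROP
####################
## FIX_IP_START_SSHD
# Allow-listed management sources reach sshd before the brute-force limiter
# below, so they are never counted by it.  The FIX_IP markers are kept
# verbatim in case another tool edits this section.
"$IPTABLES" -A INPUT -s 210.4.64.0/24 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -s 210.4.77.0/24 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -s 210.4.66.154/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -s 114.31.8.210/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -s 119.40.93.10/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -s 119.40.80.98/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
"$IPTABLES" -A INPUT -s 5.189.161.189/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
#"$IPTABLES" -A INPUT -s 185.246.241.193/32 -p tcp -m tcp --dport "$SSH_PORT" -j ACCEPT
#"$IPTABLES" -A INPUT -p tcp -m tcp --dport "$SSH_PORT" -j DROP
#### FIX_IP_END_SSHD
##
# For SSH Connections (Brute protection): more than 8 new connections from
# one source within 60s are dropped.
#
"$IPTABLES" -A INPUT -i "$IFACE" -p tcp -m tcp --dport "$SSH_PORT" -m state --state NEW -m recent --set --name ssh --rsource
"$IPTABLES" -A INPUT -i "$IFACE" -p tcp -m tcp --dport "$SSH_PORT" -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name ssh --rsource -j DROP
######
#
# NOTE(review): the DROP-all for the SSH port above is commented out, so any
# source that stays under the brute-force limit may reach sshd.
"$IPTABLES" -A INPUT -p tcp -m tcp --dport "$SSH_PORT" --syn -m state --state NEW -j ACCEPT
#
### PORT Allow and Deny (the original also had a separate NEW-only 443 rule;
### it was fully covered by the unconditional 443 ACCEPT below).
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
##### End the Default PORT ##############
#
# For MySql: local clients only.
"$IPTABLES" -A INPUT -s 127.0.0.1 -p tcp -m tcp --dport 3306 -j ACCEPT
#"$IPTABLES" -A INPUT -s 182.16.159.130/32 -p tcp -m tcp --dport 3306 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -m tcp --dport 3306 -j DROP
##
## DROP Rest of Everything (NEW only; established flows fall through to the
## ACCEPT policy).
#
"$IPTABLES" -A INPUT -p udp -m state --state NEW -m udp -j DROP
"$IPTABLES" -A INPUT -p tcp -m state --state NEW -m tcp -j DROP
#
#
echo "Firewall rule is implemented..."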