This tutorial addresses the following issues:
– How to fix MySQL crashes or stops randomly
– How to defend my website against scanning or hacking attempts
– A simple and effective mitigation for a medium-sized DDoS wave
– How to fix my WordPress website going down randomly
– Anti DDOS Attack
– How to detect the IP addresses that scanned or attacked your server
Shell script: block_ip.sh
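#!/bin/bash
# block_ip.sh — find client IPs that recently produced many responses with a
# given HTTP status (default 404, a typical sign of vulnerability scanning)
# in the Apache access log, and add a UFW deny rule for each of them.
# Run it every few seconds (see run_anti_ddos.sh) or from cron.
#
# Side effects:
#   - overwrites $output_checked_file with "<count> <ip>" lines
#   - appends each newly blocked IP to $ips_to_ufw_logs (one per line;
#     remove_ip.sh reads these files later to lift the rules again)
#   - inserts "deny from <ip>" rules into UFW via sudo
set -eu

app_name="YOUR_APP_NAME"
access_log_file=/opt/lampp/logs/access_log
installed_dir=/home/ubuntu/v_ddos_swat
lines_check=100
# The sign to know which IP is DDOS: the HTTP status code that is counted.
ddos_sign_grep=404
# Field of the access log that holds the status code.  9 is right for
# Apache's "common" and "combined" LogFormat, where field 1 is the client
# IP; adjust it for a custom LogFormat.  If the server sits behind a reverse
# proxy or CDN, field 1 is the proxy's address and blocking it would cut off
# all traffic — use the forwarded client field instead.
status_field=9
# Maximum requests from a single IP (within the last $lines_check lines)
# before that IP is blocked.
max_ddos_requested=12
#----- 01 ip, min DDOS 404 with 4 Recs -> 3x4 = 12
# IPs that must never be blocked (the administrator's own address,
# monitoring hosts, ...).  Leave empty to disable the allow-list.
never_block_ips=()
output_checked_file=$installed_dir/output/ip_checked.txt
ips_to_ufw_logs=$installed_dir/add_ufw_logs/ufw_ddos_ip_$(date +"%Y-%m-%d").txt

#######################################
# Check whether an IP is on the allow-list.
# Globals:   never_block_ips (read)
# Arguments: $1 - IP address
# Returns:   0 if $1 is listed in never_block_ips, 1 otherwise
#######################################
is_never_blocked() {
  local candidate=$1 allowed
  for allowed in "${never_block_ips[@]:-}"; do
    [[ "$candidate" == "$allowed" ]] && return 0
  done
  return 1
}

# Both output directories must exist before the redirections below.
mkdir -p -- "${output_checked_file%/*}" "${ips_to_ufw_logs%/*}"

#----- Look up the Apache log file: count, per client IP, the lines whose status
# field equals $ddos_sign_grep, sort by count descending and write the result file.
# Comparing the status *field* instead of grepping the whole line avoids counting
# a "404" that merely appears in a URL, a byte count or a timestamp.
sudo tail -n "$lines_check" -- "$access_log_file" \
  | awk -v fld="$status_field" -v code="$ddos_sign_grep" '$fld == code { print $1 }' \
  | sort | uniq -c | sort -nr > "$output_checked_file"

#----- Check the result file, find the attacking IPs: >= $max_ddos_requested hits ----
n=1
while read -r count ip _; do
  # Each line is "<count> <ip>" as written by uniq -c; skip anything else.
  [[ "${count:-}" =~ ^[0-9]+$ && -n "${ip:-}" ]] || continue
  # Only pass well-formed IPv4/IPv6 text on to ufw; the logged client field
  # can be attacker-influenced when a proxy writes forwarded headers into it.
  [[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]] || continue
  #echo "Line No. $n : Count: $count - IP: $ip"
  if (( count >= max_ddos_requested )); then
    if is_never_blocked "$ip"; then
      printf 'allow-listed IP %s not blocked (%s hits)\n' "$ip" "$count" >&2
    else
      #----- Found DDOS IP -> Add to UFW, email to Admin (only log & email when the IP is new) ----
      # Position 2 keeps the deny rule above broad allow rules.  ufw prints
      # "Rule inserted" only for a new rule (an existing one is reported as
      # skipped), so each IP lands in the log file once.  Capturing the output
      # instead of piping into grep -q avoids a SIGPIPE race on ufw.
      if ! ufw_out=$(sudo ufw insert 2 deny from "$ip" 2>&1); then
        printf 'ufw failed for %s: %s\n' "$ip" "$ufw_out" >&2
      elif grep -q 'Rule inserted' <<<"$ufw_out"; then
        printf '%s\n' "$ip" >> "$ips_to_ufw_logs"
        #Note: Uncomment next line to send email to Admin about this DDOS IP (If you installed & config send email at your server)
        #echo "DDOS IP Blocked: $ip !" | mail -s "$app_name: DDOS Blocked $(date +"%Y-%m-%d_%H_%M_%S")" your_admin@gmail.com
      fi
    fi
  fi
  n=$((n+1))
done < "$output_checked_file"
#echo "Checked : $n IPs"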
Shell script: remove_ip.sh
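#!/bin/bash
# remove_ip.sh — lift the UFW deny rules that block_ip.sh added on earlier days.
# Every file in $search_dir except today's holds one blocked IP per line; the
# matching "deny from <ip>" rule is deleted for each entry and the file is
# removed once all of its rules are gone.  Meant to be run from cron.
set -u
# With nullglob an empty directory makes the glob below expand to nothing
# instead of the literal pattern, so no "ls" check is needed.
shopt -s nullglob

search_dir=/home/ubuntu/v_ddos_swat/add_ufw_logs
today_ips_to_ufw_logs=ufw_ddos_ip_$(date +"%Y-%m-%d").txt

for ip_ufw_log_file in "$search_dir"/*; do
  [[ -f "$ip_ufw_log_file" ]] || continue
  #----- Today's file is still being appended to by block_ip.sh; only old files are processed ----
  [[ "$ip_ufw_log_file" != "$search_dir/$today_ips_to_ufw_logs" ]] || continue
  echo "$ip_ufw_log_file"
  failed=0
  #----- Read blocked IPs (a last line without a trailing newline is still read) ----
  while IFS= read -r line || [[ -n "$line" ]]; do
    # block_ip.sh writes one bare IP per line; refuse anything that does not
    # look like one so that no unexpected text reaches ufw.
    if [[ ! "$line" =~ ^[0-9A-Fa-f.:]+$ ]]; then
      printf 'skipping malformed entry in %s: %s\n' "$ip_ufw_log_file" "$line" >&2
      continue
    fi
    echo "Blocked IP : $line"
    #----- Remove Blocked IPs from UFW Rules ----
    sudo ufw delete deny from "$line" || failed=1
  done < "$ip_ufw_log_file"
  #----- Delete this old file; keep it when ufw reported a failure so the
  # record is not lost and a later run can retry ----
  if (( failed )); then
    printf 'keeping %s: some rules could not be deleted\n' "$ip_ufw_log_file" >&2
  else
    rm -f -- "$ip_ufw_log_file"
  fi
done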
Shell script: run_anti_ddos.sh
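#!/bin/bash
# run_anti_ddos.sh — keep block_ip.sh running every few seconds.
# Start it in the background (e.g. with nohup) or from a service manager;
# cron cannot schedule jobs more often than once a minute.
set -u

installed_dir=/home/ubuntu/v_ddos_swat
interval_secs=3

while true; do
  # The path must be exactly the one listed in the sudoers NOPASSWD entry
  # (no "./" component), otherwise sudo may prompt for a password and stall
  # the loop.  A failed run is reported but does not stop the loop.
  sudo "$installed_dir/block_ip.sh" \
    || printf 'block_ip.sh exited with status %s\n' "$?" >&2
  sleep "$interval_secs" # run each 3 secs
done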
Crontab
1)========= Configure sudo so the scripts run without a password prompt (the scripts must be owned by root and not writable by other users, since anyone who can edit them can run commands as root) ===========
sudo visudo
-- add --
ubuntu ALL=(ALL) NOPASSWD:/home/ubuntu/v_ddos_swat/block_ip.sh
ubuntu ALL=(ALL) NOPASSWD:/home/ubuntu/v_ddos_swat/remove_ip.sh
2)================== Add Job to Crontab: remove_ip.sh
crontab -e
---- Add ---------: Runs at 12:00 on Sun, Tue, Thu and Sat (weekdays 0,2,4,6)
0 12 * * 0,2,4,6 sudo /home/ubuntu/v_ddos_swat/remove_ip.sh > /dev/null