<?php
for ($i=0;$i<1000;$i++){
$ch = curl_init();
// homepage URL of the site to ***
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_exec($ch);
curl_close($ch);
// delay 1 second
sleep(1);
}
?>
*** method: place this code in the Apache document root and run the command: php -q track.php
*** principle: this *** targets a website's pages. It requests the page without pause, and once the number and rate of requests pass a certain level the server is driven into a busy state. The *** goes mainly to port 80, and on a web server iptables leaves port 80 open, so ordinary iptables policies do nothing against it.
How can we defend against this *** starting from the server itself?
Our approach is:
Limit the maximum number of concurrent connections from a single IP, or limit the number of new connections a single IP may open within a given period (for example 60 seconds).
The iptables commands are:
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
Entering the commands above produces the message: iptables: Unknown error 4294967295
It turns out that iptables v1.3.5 does not support the connlimit module.
Now we make the kernel and iptables support the connlimit module.
1. Download the patch and iptables
#wget ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20080214.tar.bz2
#wget ftp://ftp.netfilter.org/pub/iptables/iptables-1.4.0.tar.bz2
#tar jxvf iptables-1.4.0.tar.bz2 -C ../software
#tar jxvf patch-o-matic-ng-20080214.tar.bz2 -C ../software
#cd /usr/local/src/software/patch-o-matic-ng-20080214/
2. Download the connlimit module
KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686/ IPTABLES_DIR=/usr/local/src/software/iptables-1.4.0/ ./runme -download
Successfully downloaded external patch connlimit
3. Apply the connlimit patch to the kernel
KERNEL_DIR=/usr/src/kernels/2.6.18-128.el5-i686 IPTABLES_DIR=/usr/local/src/software/iptables-1.4.0 ./runme connlimit
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
4. Start compiling the module
#cd /usr/src/kernels/2.6.18-128.el5-i686/
#make oldconfig // a new connlimit option appears; when asked whether to compile it into the kernel, enter "m" to build it as a module
#make modules_prepare
#mv net/ipv4/netfilter/Makefile net/ipv4/netfilter/Makefile.orig
#vim net/ipv4/netfilter/Makefile
obj-m := ipt_connlimit.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)
default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules
5. Compile the module
#make M=net/ipv4/netfilter/
#cp net/ipv4/netfilter/ipt_connlimit.ko /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/
#chmod 744 /lib/modules/2.6.18-128.el5/kernel/net/ipv4/netfilter/ipt_connlimit.ko
#depmod
#depmod -a
#modprobe ipt_connlimit
#lsmod |grep ip
ipt_recent 12497 1
ipt_REJECT 9537 2
iptable_filter 7105 1
ip_tables 17029 1 iptable_filter
ipt_connlimit 7680 1
x_tables 17349 5 ipt_recent,ipt_REJECT,xt_tcpudp,ip_tables,ipt_connlimit
ip_conntrack 52897 1 ipt_connlimit
nfnetlink 10713 1 ip_conntrack
ipv6 261473 16
xfrm_nalgo 13381 1 ipv6
dm_multipath 24013 0
scsi_dh 11713 1 dm_multipath
dm_mod 62201 9 dm_multipath,dm_raid45,dm_snapshot,dm_zero,dm_mirror,dm_log
6. Add the iptables rules
#iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j REJECT
#iptables -A INPUT -p tcp --dport 80 -m recent --name BAD_HTTP_ACCESS --update --seconds 60 --hitcount 30 -j REJECT
#iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:http #conn/32 > 50 reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:http recent: UPDATE seconds: 60 hit_count: 30 name: BAD_HTTP_ACCESS side: source reject-with icmp-port-unreachable
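To make the semantics of the two rules above concrete, here is an added Python model (not code from the original post) of what each rule matches: connlimit counts the open connections of a /32 source including the new one, while recent --update only matches sources already present in the BAD_HTTP_ACCESS list. The addresses and timings are constructed, and the with_set_rule switch is a hypothetical extra '-m recent --set' rule that the page does not include.

```python
"""Model of this page's two iptables rules (added illustration, simplified semantics)."""
from collections import defaultdict

CONNLIMIT_ABOVE = 50   # -m connlimit --connlimit-above 50 (per /32 source)
RECENT_SECONDS = 60    # -m recent --seconds 60
RECENT_HITCOUNT = 30   # -m recent --hitcount 30


class Firewall:
    def __init__(self, with_set_rule=False):
        self.open_conns = defaultdict(set)  # conntrack: src -> open connection ids
        self.recent = defaultdict(list)     # BAD_HTTP_ACCESS list: src -> hit times
        self.with_set_rule = with_set_rule  # hypothetical '-m recent --set' rule

    def connlimit_match(self, src, conn_id):
        # connlimit counts the new connection as well, then tests count > limit
        return len(self.open_conns[src] | {conn_id}) > CONNLIMIT_ABOVE

    def recent_update_match(self, src, now):
        # --update: only a source already in the list can match; stamps inside
        # the window are counted, and the entry is refreshed only on a match
        if src not in self.recent:
            return False
        hits = sum(1 for s in self.recent[src] if now - s < RECENT_SECONDS)
        if hits >= RECENT_HITCOUNT:
            self.recent[src].append(now)
            return True
        return False

    def syn(self, src, conn_id, now):
        """Verdict for a new connection (SYN) to port 80, in chain order."""
        if self.connlimit_match(src, conn_id):
            return "REJECT"                   # rule 1 (inserted with -I)
        if self.with_set_rule:
            self.recent[src].append(now)      # '--set' rule with no target
        if self.recent_update_match(src, now):
            return "REJECT"                   # rule 2 (appended with -A)
        self.open_conns[src].add(conn_id)
        return "ACCEPT"                       # chain policy ACCEPT


def first_reject(fw, src, count, hold_open=True):
    """1-based index of the first rejected SYN out of `count`, or None."""
    for i in range(1, count + 1):
        if fw.syn(src, i, now=i * 0.1) == "REJECT":  # 10 SYNs per second
            return i
        if not hold_open:
            fw.open_conns[src].discard(i)     # client closed the connection
    return None
```

As written on the page the recent rule has no --set rule before it, so the list is never populated and that rule never fires; the model reproduces this, and with_set_rule=True shows the hitcount limit taking effect once a --set rule precedes it.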
Limiting concurrent connections in Apache with mod_limitipconn.c
#wget http://dominia.org/djao/limit/mod_limitipconn-0.23.tar.bz2
// this version is for Apache 2.x
#tar jxvf mod_limitipconn-0.23.tar.bz2 -C ../software
#cd ../software/mod_limitipconn-0.23
#/usr/local/apache2/bin/apxs -c -i -a mod_limitipconn.c
#vim /usr/local/apache2/conf/http.conf
ExtendedStatus on
<IfModule mod_limitipconn.c>
MaxConnPerIP 2
<Location /somewhere>
MaxConnPerIP 3
NoIPLimit image/*
</Location>
<Directory /home/*/public_html>
MaxConnPerIP 1
OnlyIPLimit audio/mpeg video
</Directory>
</IfModule>
Testing concurrency with ab
#/usr/local/apache2/bin/ab -c 500 -n 500 http://192.168.50.202/index.php
-c Number of requests to issue at once (concurrency). The default is one at a time.
-n Number of requests to perform in the test session. By default only one request is executed.
-t Maximum number of seconds to spend on the test. It implies -n 50000 internally and bounds the test of the server to a fixed total time. By default there is no time limit.
#tail -f access.log
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 200 3
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 200 3
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 503 323
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 503 323
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 503 323
The server allows at most 2 concurrent connections from the same IP, which shows mod_limitipconn is set up correctly.
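Rather than eyeballing tail -f, the ab run can be verified from the access log by counting, per client IP, how many requests were served (2xx) and how many mod_limitipconn refused with 503. This is an added Python example, not code from the original post; the log lines are constructed in the page's log format, with one malformed line to show that bad input is counted and skipped.

```python
"""Per-IP served/refused summary of an Apache access_log (added example).
The sample log is constructed in the format shown on this page."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

SAMPLE_LOG = """\
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 200 3
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 200 3
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 503 323
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 503 323
192.168.50.202 - - [01/Jun/2010:13:55:35 +0800] "GET /index.php HTTP/1.0" 503 323
192.168.50.7 - - [01/Jun/2010:13:55:36 +0800] "GET /index.php HTTP/1.0" 200 3
garbage line that is not in common log format
"""


def parse_line(line):
    # One common-log-format line -> dict, or None when it does not parse
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(log_text):
    """Return ({ip: {requests, served, refused, peak_per_second}}, unparsed_count)."""
    stats = defaultdict(lambda: dict(requests=0, served=0, refused=0, peak_per_second=0))
    per_second = defaultdict(int)             # (ip, timestamp to the second) -> count
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1                     # keep going; log input is untrusted
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if 200 <= rec["status"] < 300:
            s["served"] += 1
        elif rec["status"] == 503:            # mod_limitipconn answers 503
            s["refused"] += 1
        key = (rec["ip"], rec["ts"])
        per_second[key] += 1
        s["peak_per_second"] = max(s["peak_per_second"], per_second[key])
    return dict(stats), unparsed
```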
Reposted from: https://blog.51cto.com/milan22/324787