├── showit
├── Simple-Anti-DDOS.sh
├── LICENSE
├── README.md
├── advanced-anti-ddos.sh
└── prince-server-guard.ipt

/showit:
--------------------------------------------------------------------------------
#!/bin/sh
# Passive credential sniffer: prints the 20 lines preceding any line that looks
# like a login field in plaintext HTTP, FTP, SMTP, IMAP or POP3 traffic.
# Needs root (raw packet capture) and permission from the network owner.
# Only cleartext protocols show anything; TLS-protected sessions stay opaque.
tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 | grep -E -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
--------------------------------------------------------------------------------
/Simple-Anti-DDOS.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# This is a Web Server Firewall.
# It allows access to ports 80 and 443 from anywhere.
# Whitelist your own IP and those of the other Web Server administrators below;
# only those addresses reach the SSH rule.
# Don't forget to change the SSH port in the "--dport 2200" rule near the end.
# Author: Prince Adeyemi
# FB: fb.com/YourVegasPrince
# Must be run as root.

# Uncomment the next line to start from an empty ruleset. Without it, running
# this script twice appends every rule a second time (the "iptables -N specialips"
# call then reports that the chain already exists).
# iptables -F
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT
# anti-spoofing: loopback destinations are only valid on the lo interface
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport https -j ACCEPT

# Trusted addresses RETURN to INPUT and go on to the SSH rule; every other
# source that reaches this chain is dropped here. No ICMP rule exists, so the
# server does not answer ping from outside.
iptables -N specialips
iptables -A specialips -s xxx.xxx.xxx.xxx -j RETURN # a trusted IP Address
iptables -A specialips -s yyy.yyy.yyy.yyy -j RETURN # another trusted IP Address
iptables -A specialips -j DROP

iptables -A INPUT -j specialips
iptables -A INPUT -p tcp --dport 2200 -j ACCEPT # change this port to your preferred SSH port.
iptables -A INPUT -j DROP

# Writes the running ruleset to a file. Nothing reloads it at boot by itself:
# restore it with "iptables-restore < /etc/iptables.rules" or use your
# distribution's persistence package.
iptables-save > /etc/iptables.rules
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 Prince Adeyemi

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

[![Codacy Badge](https://api.codacy.com/project/badge/Grade/292a5c16020747c89409ab06af1f48d0)](https://app.codacy.com/manual/LasVegasCoder/Anti-DDOS-Script?utm_source=github.com&utm_medium=referral&utm_content=LasVegasCoder/Anti-DDOS-Script&utm_campaign=Badge_Grade_Dashboard)

Firewall and network monitoring scripts, handy for both beginners and advanced network engineers.

Simple Anti DDOS Bash Script
This script provides basic protection for a Unix/Linux server or device.

Let me demonstrate basic protection usage:

Only ports 80 and 443 are allowed by default,
so web traffic reaches your server on port 80 (http) and 443 (https).

Management port 2200 is allowed for administration, but only from the whitelisted
addresses in the script (edit the two "-s xxx.xxx.xxx.xxx" lines before running it).

All other connections are blocked.

This also makes you invisible to many script kiddies, since your server will not
respond to pings from the outside world.

Step #1 Download Simple-Anti-DDOS to your system.

wget https://raw.githubusercontent.com/LasVegasCoder/Anti-DDOS-Script/master/Simple-Anti-DDOS.sh

Step #2 Make it executable
chmod +x Simple-Anti-DDOS.sh

Step #3 Run it as root. Your current SSH session survives (it is ESTABLISHED), but
new SSH logins are only possible from the whitelisted addresses afterwards.
./Simple-Anti-DDOS.sh

You're protected!


Try to ping your server from another computer.
ping domain.com

You will get 'Request timed out.' (or 100% packet loss on Linux).


Advanced Anti DDOS Protection Script
This Advanced Anti DDOS Protection script provides more protection than the basic one.
Some filtering was added to catch attacks that the basic protection may have missed.

It is written for a router with two interfaces: replace the WAN and LAN interface names
(eth0 and xenbr0) with yours if they differ. It accepts SSH on TCP port 94 from the WAN
side; change that rule to your sshd port before running it.

Step #1 Download advanced-anti-ddos.sh to your system.

wget https://raw.githubusercontent.com/LasVegasCoder/Anti-DDOS-Script/master/advanced-anti-ddos.sh

Step #2 Make it executable
chmod +x advanced-anti-ddos.sh

Step #3 Run it.
./advanced-anti-ddos.sh

You're protected!


Prince Server Guard is a private script written not only to protect the server but also
to log each matched packet with a prefix naming the rule that caught it (SYN-FLOOD,
Spammer, FireWALLED, BLOCKED-DATA and so on). It limits new connections per source /24
with connlimit and drops TCP packets with invalid flag combinations through the
BLOCKED-DATA chain.

It can also generate DROP rules from a downloaded IP blacklist (the script references
infiltrated.net); review that list before enabling it, since every entry becomes a rule
run as root.

Step #1 Download Prince Guard Script to your system.

wget https://raw.githubusercontent.com/LasVegasCoder/Anti-DDOS-Script/master/prince-server-guard.ipt

Step #2 Make it executable
chmod +x prince-server-guard.ipt

Step #3 Run it.
./prince-server-guard.ipt

You're protected!

If you want to undo to the previous firewall rules from before this was executed,
there is a backup of your previous firewall rules (if any) in the directory where
it was executed:

current-firewall-backup-of-2017-10-10.log #dated file

Restore with:
iptables-restore < current-firewall-backup-of-2017-10-10.log

And you are back to your previous security.


NOTE: The scripts require root privileges to run, thus do:

user@hostname$ sudo -i
Password:
root@hostname#


ShowIT displays data in ASCII as it moves across your network.
Use this script ONLY on a network that you own, or with permission from the owner, for troubleshooting purposes.

This script displays both non-vital and vital information on your network in real time.

Information such as USERNAME, PASSWORD and more is displayed on your console
as users type it in from their devices, because HTTP, FTP, SMTP, IMAP and POP3 carry
it in the clear. Sessions protected by TLS (HTTPS, IMAPS and so on) do not show up.

Step #1 Download ShowIT to your system.

wget https://raw.githubusercontent.com/LasVegasCoder/Anti-DDOS-Script/master/showit

Step #2 Make it executable
chmod +x showit

Step #3 Run it (as root; packet capture needs raw socket access).
./showit

WATCH DATA DISPLAYING ON YOUR CONSOLE!
--------------------------------------------------------------------------------
/advanced-anti-ddos.sh:
--------------------------------------------------------------------------------
#!/bin/sh
#
# this script requires the iptables package to be
# installed on your machine, and must run as root
# Where to find the iptables binary
IPT="/sbin/iptables"
# The network interfaces you will use:
# WAN is the one connected to the Internet,
# LAN the one connected to your local network
WAN="eth0"
LAN="xenbr0"
# First we need to clear up any existing firewall rules
# and chains which might have been created
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
# Default policies: drop any incoming packets,
# accept the rest.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
# To be able to forward traffic from your LAN
# to the Internet, we need to tell the kernel
# to allow ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerading will make machines from the LAN
# look as if they were the router
$IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# If you want to allow traffic to a specific port to be
# forwarded to a machine on your LAN:
# here we forward traffic for an HTTP server to machine 192.168.0.2
#$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to 192.168.0.2:80
#$IPT -A FORWARD -i $WAN -p tcp --dport 80 -m state --state NEW -j ACCEPT
# For a whole range of ports, use:
#$IPT -t nat -A PREROUTING -i $WAN -p tcp --dport 1200:1300 -j DNAT --to 192.168.0.2
#$IPT -A FORWARD -i $WAN -p tcp --dport 1200:1300 -m state --state NEW -j ACCEPT
# Do not allow new or invalid connections from the WAN to reach your internal network
# (the DNAT accept rules above must stay before this line to take effect)
$IPT -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP
# Accept any connections from the local machine
$IPT -A INPUT -i lo -j ACCEPT
# plus from your local network (the LAN side is fully trusted)
$IPT -A INPUT -i $LAN -j ACCEPT
# Here we define a new chain which is going to handle
# packets we don't want to respond to;
# limit the amount of logs to 10/min
$IPT -N Firewall
$IPT -A Firewall -m limit --limit 10/minute -j LOG --log-prefix "Firewall: "
$IPT -A Firewall -j DROP
# log those packets and inform the sender that the packet was rejected
$IPT -N Rejectwall
$IPT -A Rejectwall -m limit --limit 10/minute -j LOG --log-prefix "Rejectwall: "
$IPT -A Rejectwall -j REJECT
# use the following instead if you want to simulate that the host is not reachable
# (for fun though)
#$IPT -A Rejectwall -j REJECT --reject-with icmp-host-unreachable
# here we create a chain to deal with illegitimate packets
# and limit the number of alerts to 10/min;
# packets will be dropped without informing the sender
$IPT -N Badflags
$IPT -A Badflags -m limit --limit 10/minute -j LOG --log-prefix "Badflags: "
$IPT -A Badflags -j DROP
# A list of well known combinations of bad TCP flags
# (FIN/PSH/URG without ACK, SYN+FIN, SYN+RST, Xmas and null scans);
# we redirect those to the Badflags chain
# which is going to handle them (log and drop)
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j Badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j Badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j Badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j Badflags
# Accept certain icmp messages, drop the others
# and log them through the Firewall chain
# 0 => echo reply
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
# 3 => Destination Unreachable
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
# 11 => Time Exceeded
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
# 8 => Echo request
# avoid ping flood: answer at most one ping per second, log and drop the rest
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j Firewall
# Accept ssh connections from the Internet
# (port 94 is the author's sshd port; change it to match yours)
$IPT -A INPUT -i $WAN -p tcp --dport 94 -j ACCEPT
# or only accept from a certain ip
#$IPT -A INPUT -i $WAN -s 125.124.123.122 -p tcp --dport 22 -j ACCEPT
# Accept related and established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop netbios from the outside, no log, just drop
$IPT -A INPUT -p udp --sport 137 --dport 137 -j DROP
# Finally, anything which was not allowed yet
# is going to go through our Rejectwall chain
$IPT -A INPUT -j Rejectwall
--------------------------------------------------------------------------------
/prince-server-guard.ipt:
--------------------------------------------------------------------------------
#!/bin/sh
# Must run as root. The current ruleset is saved first so it can be restored with
#   iptables-restore < current-firewall-backup-of-<date>.log
iptables-save > current-firewall-backup-of-`date +%F`.log
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -Z

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT


iptables -A INPUT -i lo -j ACCEPT
# anti-spoofing: the loopback network is 127.0.0.0/8 (iptables silently
# rewrote the original 127.0.0.1/8 to the same thing)
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
iptables -A INPUT -m state --state INVALID -j DROP

# Optional blacklist import; read the note at the end of the file before enabling it.
#wget -qO - http://infiltrated.net/blacklisted|awk '!/#|[a-z]/&&/./{print "iptables -I INPUT -s "$1" -j DROP"}' | sh

#TRIGGERS (need the xt_LED module and LED class devices; harmless to leave disabled)
#iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-always-blink
#iptables -A INPUT -p tcp --dport 25 -j LED --led-trigger-id smtp --led-always-blink
#iptables -A INPUT -p tcp --dport 139 -j LED --led-trigger-id rpc

#echo netfilter-ssh >/sys/class/leds/ssh/trigger
#echo netfilter-ssh >/sys/class/leds/rpc/trigger
#echo netfilter-ssh >/sys/class/leds/smtp/trigger

#CREATE TABLE_FUNCTION
# Every chain is created exactly once here; the original repeated -N for
# FireWALLED and AUDIT_DROP further down, which fails with "Chain already exists".
iptables -N RouterDATA
iptables -N FireWALLED
iptables -N ACL-WEB
iptables -N ACL-WEB-SECURE
iptables -N BLOCKED-DATA
iptables -N MAIL-ROUTE
iptables -N AUDIT_DROP
iptables -N ACL-16
iptables -N SYN-FLOOD

#ALLOW CONNECTION THRU ROUTER
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j RouterDATA

#Allow connection from your router
iptables -A RouterDATA -p tcp --dport http -j ACL-WEB
iptables -A RouterDATA -p udp --sport 67:68 --dport 67:68 -j FireWALLED
# only matches DNS traffic with source AND destination port 53 (server-to-server style)
iptables -A RouterDATA -p udp --sport 53 --dport 53 -m limit --limit 10/minute -j LOG --log-prefix "Port 53 Possible Exploit Detected :"
# "-m limit" on a LOG rule caps how many lines are written; it does not throttle traffic
iptables -A RouterDATA -m limit --limit 10/minute -j LOG --log-prefix "Router Throttled:"
iptables -A RouterDATA -p tcp -m multiport --dports smtp,smtps,imap,imaps,pop3 -j MAIL-ROUTE
iptables -A RouterDATA -m state --state ESTABLISHED,RELATED -j FireWALLED
# RETURN, not DROP: RouterDATA is also entered for every new packet below, and a
# final DROP here swallowed them before the SYN-FLOOD, HTTPS and BLOCKED-DATA
# rules ever saw them (which is what the original script did).
iptables -A RouterDATA -j RETURN

#iptables -A ACL-16 -s xxx.xxx.xxx.xxx -j RETURN
#iptables -A ACL-16 -s xxx.xxx.xxxxxx -j RETURN
iptables -A ACL-16 -j RouterDATA
iptables -A ACL-16 -j DROP
#iptables -A INPUT -j ACL-16

#GET SYN FLOOD PROTECTION
# New connections are allowed at 1 per second with a burst of 4 (RETURN continues
# in INPUT); anything faster is logged and rejected. This limit is global, not
# per source, so raise it for a busy server. The original had LOG followed by an
# unconditional REJECT, which rejected every new TCP connection.
iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A SYN-FLOOD -m limit --limit 10/minute -j LOG --log-prefix "PUNK! YOUR SYN-FLOOD IS LOGGED :"
iptables -A SYN-FLOOD -j REJECT
iptables -A INPUT -p tcp --syn -j SYN-FLOOD

# New traffic goes through RouterDATA as well; it returns here for anything it
# did not accept or drop.
iptables -A INPUT -j RouterDATA

#DEFINE WHAT GOES THROUGH FIREWALL
# As wired above, FireWALLED only receives ESTABLISHED/RELATED packets and DHCP,
# so the NEW, "recent" and --syn rules below only take effect if new TCP traffic
# is also sent here.
iptables -A FireWALLED -m state --state NEW -j REJECT
iptables -A FireWALLED -m state --state INVALID -j REJECT
iptables -A FireWALLED -m limit --limit 15/minute -j LOG --log-prefix "You are FireWALLED: "
iptables -A FireWALLED -p tcp --dport http -j ACL-WEB
#iptables -A FireWALLED -p tcp -m multiport --dports smtp,smtps,imap,imaps,pop3 -j MAIL-ROUTE

iptables -A FireWALLED -p tcp --dport https -j ACL-WEB-SECURE
# hosts that touched 139, 137 or 22 are tagged INTRUDER and rejected for 60 seconds
iptables -A FireWALLED -m recent --name INTRUDER --rcheck --seconds 60 -j REJECT
iptables -A FireWALLED -p tcp --dport 139 -m recent --name INTRUDER --set -j REJECT
iptables -A FireWALLED -p tcp --dport 137 -m recent --name INTRUDER --set -j REJECT
iptables -A FireWALLED -p tcp --dport 22 -m recent --name INTRUDER --set -j REJECT
# NOTE: no rule in this script accepts new SSH connections; existing sessions
# survive through ESTABLISHED. Add an allow rule for your management address
# (as in Simple-Anti-DDOS.sh) before running this remotely.

#WE NEED EMAIL TO WORK AND PROTECTED, HERE YOU GO
# The limit match caps the "Damn Spammer!" log at 3 lines per minute; it does not
# count messages or block anything. The mail ports are accepted by the next rule.
iptables -A MAIL-ROUTE -p tcp -m limit --limit 3/minute -j LOG --log-prefix "Damn Spammer! :"
iptables -A MAIL-ROUTE -p tcp -m multiport --dports smtp,smtps,imap,imaps,pop3 -j ACCEPT
iptables -A MAIL-ROUTE -j DROP

#SETUP AN AUDITOR (needs the xt_AUDIT module and auditd to record the events)
iptables -A AUDIT_DROP -j AUDIT --type drop
iptables -A AUDIT_DROP -j DROP
# The jump from INPUT into AUDIT_DROP is at the very end of this file: the original
# placed it here, where it dropped everything before the HTTP/HTTPS rules below.


#TRIGGERS (same requirement as above; these fail harmlessly without xt_LED)
iptables -A FireWALLED -p tcp --dport 22 -j LED --led-trigger-id ssh --led-always-blink
iptables -A FireWALLED -p tcp --dport 25 -j LED --led-trigger-id smtp --led-always-blink
iptables -A FireWALLED -p tcp --dport 139 -j LED --led-trigger-id rpc

# logs every request for /index.html (no rate limit on this LOG rule)
iptables -A FireWALLED -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG

#RESTRICT CONNECTIONS PER CLIENT (counted per /24 source network)

iptables -A FireWALLED -p tcp --syn -m connlimit --connlimit-above 11 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 25 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 --connlimit-mask 24 -j REJECT
iptables -A FireWALLED -p tcp --syn --dport 9400 -m connlimit --connlimit-above 3 --connlimit-mask 24 -j REJECT

#ACCEPT CONNECTION THAT PASSED ROUTERS RULES;

iptables -A FireWALLED -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FireWALLED -j DROP

# connlimit must come before ACCEPT; in the original the ACCEPT came first, so the
# per-/24 limit on port 80 never matched
iptables -A ACL-WEB -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
iptables -A ACL-WEB -p tcp --dport http -j ACCEPT
iptables -A ACL-WEB -j DROP

iptables -A INPUT -p tcp --dport http -j ACL-WEB

iptables -A ACL-WEB-SECURE -p tcp --dport https -j ACCEPT
iptables -A ACL-WEB-SECURE -j DROP

iptables -A INPUT -p tcp --dport https -j ACL-WEB-SECURE

iptables -A BLOCKED-DATA -m limit --limit 10/minute -j LOG --log-prefix "BLOCKED-DATA : "

#BLOCK HACKING FLAGS
iptables -A BLOCKED-DATA -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ACK,URG URG -j DROP
# the original "FIN,RST SYN,RST" tested a flag outside its own mask and could never match
iptables -A BLOCKED-DATA -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ALL ALL -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ALL NONE -j DROP
iptables -A BLOCKED-DATA -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# every other TCP packet that reaches this chain was not accepted above: drop it too
iptables -A BLOCKED-DATA -j DROP

iptables -A INPUT -p tcp -j BLOCKED-DATA

#ALLOW CONNECTION

iptables -A INPUT -p udp --sport 67:68 --dport 67:68 -j RouterDATA

#DROP ALL CONNECTION THAT DOESNT MATCH OUR RULES (audited, then dropped; the INPUT
# policy is DROP as well)
iptables -A INPUT -j AUDIT_DROP

# Blacklist import. The original printed these iptables commands without running
# them and appended them after the final DROP, where they could never match. To
# enable it, uncomment the line near the top of this file: it uses -I so the rules
# land before everything else, and pipes the commands into sh. It fetches the list
# over plain HTTP and runs the result as root, so inspect the list first.

--------------------------------------------------------------------------------
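Rule order is the recurring bug in these scripts: an unconditional jump into a chain that ends in DROP, or a bare `-j DROP`, silently kills every rule appended after it in the same chain (prince-server-guard.ipt does this twice, while the `specialips` chain in Simple-Anti-DDOS.sh is fine because it RETURNs for trusted addresses). The following lint is an added example, not code from the Anti-DDOS-Script repository: it reads `iptables-save` output and reports rules that can never be reached. The sample ruleset is constructed to reproduce both situations; 203.0.113.5 is an RFC 5737 documentation address, and `-g`/goto chains are not handled.

```shell
#!/bin/sh
# Added example (not from the Anti-DDOS-Script repository): a lint for iptables-save
# output that reports rules that can never match. A rule is dead when an earlier rule
# in the same chain has no match criteria and terminates for every packet: a built-in
# ACCEPT/DROP/REJECT/RETURN verdict, or a jump into a user chain whose last rule is an
# unconditional built-in verdict and which contains no RETURN of its own.

# Constructed sample in iptables-save format, modelled on the scripts above:
# "-A INPUT -j AUDIT_DROP" swallows everything, so the two INPUT rules after it are
# dead, while "-j specialips" returns for the trusted address, so the 2200 rule is live.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACL-WEB - [0:0]
:AUDIT_DROP - [0:0]
:specialips - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j specialips
-A INPUT -p tcp -m tcp --dport 2200 -j ACCEPT
-A INPUT -j AUDIT_DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACL-WEB
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A ACL-WEB -p tcp -m tcp --dport 80 -j ACCEPT
-A ACL-WEB -j DROP
-A AUDIT_DROP -j AUDIT --type drop
-A AUDIT_DROP -j DROP
-A specialips -s 203.0.113.5/32 -j RETURN
-A specialips -j DROP
COMMIT
EOF
}

# find_shadowed_rules FILE : print "CHAIN: rule" for every unreachable rule.
# The file is read twice: pass 1 learns how each user chain ends, pass 2 walks the rules.
find_shadowed_rules() {
    awk '
    FNR == NR {
        if ($1 == "-A") {
            last[$2] = $0
            for (i = 3; i < NF; i++) if ($i == "-j" && $(i + 1) == "RETURN") returns[$2] = 1
        }
        next
    }
    # a rule with no match criteria looks like "-A CHAIN -j TARGET [target options]"
    function catch_all(line,   f) { split(line, f, " "); return (f[3] == "-j") }
    # does this target end processing for every packet that reaches it?
    function terminates(target,   g) {
        if (target == "ACCEPT" || target == "DROP" || target == "REJECT" || target == "RETURN")
            return 1
        if ((target in last) && !(target in returns) && catch_all(last[target])) {
            split(last[target], g, " ")
            return (g[4] == "ACCEPT" || g[4] == "DROP" || g[4] == "REJECT")
        }
        return 0
    }
    # pass 2: once a chain has hit a terminating catch-all, every later rule is dead
    $1 == "-A" {
        if ($2 in dead) { print $2 ": " $0; next }
        if (catch_all($0) && terminates($4)) dead[$2] = 1
    }
    ' "$1" "$1"
}

# count_shadowed_rules FILE : number of dead rules (0 means the ruleset is clean)
count_shadowed_rules() {
    find_shadowed_rules "$1" | grep -c . || true
}

# Self-check on the constructed sample. On a real host:
#   iptables-save > /tmp/rules.txt && find_shadowed_rules /tmp/rules.txt
tmp=$(mktemp)
sample_ruleset > "$tmp"
find_shadowed_rules "$tmp"
rm -f "$tmp"
```

Run it after every change to a script like prince-server-guard.ipt; an empty result means every rule is at least reachable, which is the minimum you want before trusting a LOG prefix or a connlimit to fire.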
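The README describes the value of the LOG prefixes in advanced-anti-ddos.sh and prince-server-guard.ipt ("Badflags: ", "Rejectwall: ", "PUNK! YOUR SYN-FLOOD IS LOGGED :" and so on) as the basis for banning repeat offenders. The scripts themselves only write the log lines; the triage step is left to the operator. The example below is added here and is not part of the repository: it parses kernel log lines in the format the iptables LOG target produces, counts events per prefix and source, and prints candidate `iptables -I INPUT ... -j DROP` rules for sources above a threshold, without executing them. The log excerpt is constructed (abbreviated packet fields, RFC 5737 addresses); the threshold and the one-shot DROP are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the Anti-DDOS-Script repository): triage of iptables LOG
# lines by prefix and source address, producing reviewable block rules.

# Constructed kernel log excerpt. Real lines carry more fields (MAC, LEN, TOS, ...);
# the parser only relies on the "] " after the timestamp, "IN=", "SRC=" and "DPT=".
sample_kern_log() {
    cat <<'EOF'
Jan  5 10:22:01 web kernel: [12345.678901] Badflags: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=54321 DPT=22 SYN FIN URGP=0
Jan  5 10:22:02 web kernel: [12346.112233] Badflags: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=40 TTL=52 PROTO=TCP SPT=54322 DPT=23 FIN PSH URG URGP=0
Jan  5 10:22:05 web kernel: [12349.000000] Rejectwall: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=54323 DPT=3389 SYN URGP=0
Jan  5 10:22:09 web kernel: [12353.000000] Rejectwall: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 LEN=60 TTL=60 PROTO=TCP SPT=40000 DPT=8080 SYN URGP=0
Jan  5 10:22:30 web kernel: [12374.000000] Firewall: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 LEN=48 TTL=60 PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=1
Jan  5 10:23:00 web kernel: [12404.000000] PUNK! YOUR SYN-FLOOD IS LOGGED :IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 LEN=60 TTL=52 PROTO=TCP SPT=54400 DPT=443 SYN URGP=0
EOF
}

# parse_events FILE : one "prefix<TAB>src<TAB>dpt" line per LOG event
parse_events() {
    awk '
    {
        i = index($0, "] "); if (i == 0) next          # end of the kernel timestamp
        rest = substr($0, i + 2)
        j = index(rest, "IN="); if (j == 0) next       # packet fields start at IN=
        prefix = substr(rest, 1, j - 1)
        sub(/ +$/, "", prefix)                         # prefixes may or may not end in a space
        src = ""; dpt = "-"
        for (k = 1; k <= NF; k++) {
            if ($k ~ /^SRC=/) src = substr($k, 5)
            if ($k ~ /^DPT=/) dpt = substr($k, 5)
        }
        if (src != "") print prefix "\t" src "\t" dpt
    }' "$1"
}

# summarize_log FILE : "prefix<TAB>src<TAB>count", sorted
summarize_log() {
    parse_events "$1" | awk -F '\t' '{ c[$1 "\t" $2]++ } END { for (k in c) print k "\t" c[k] }' | sort
}

# ban_candidates FILE MIN : sources with at least MIN logged events across all prefixes
ban_candidates() {
    parse_events "$1" | awk -F '\t' -v min="$2" '{ c[$2]++ } END { for (s in c) if (c[s] >= min) print s }' | sort
}

# ban_rules FILE MIN : printed, not executed, so the list can be reviewed first
# (-I puts the rule ahead of every existing INPUT rule)
ban_rules() {
    ban_candidates "$1" "$2" | awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Self-check on the constructed excerpt. On a real host:
#   ban_rules /var/log/kern.log 20 > /tmp/bans.sh && less /tmp/bans.sh
tmp=$(mktemp)
sample_kern_log > "$tmp"
summarize_log "$tmp"
ban_rules "$tmp" 3
rm -f "$tmp"
```

Keep the threshold well above the per-minute `-m limit` rates in the scripts, since those caps mean the log undercounts a real flood, and prefer an ipset or a dedicated chain over individual `-I INPUT` rules once the list grows.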