add common scripts and ddos

27a7c7b7 · Vitaly Lipatov · e6aeb612 · 27a7c7b7 · 27a7c7b7 · 27a7c7b7
Commit 27a7c7b7 authored Sep 11, 2012 by Vitaly Lipatov
6 changed files
--- a/common/restore_file.sh
+++ b/common/restore_file.sh
+#!/bin/sh
+
+# args:
+# 1. file to restore (full path)
+# 2. time
+
+BB=/var/local/backup-hosting/host03-vps/var/lib/vz/private/44
+mkdir -p RFDIR/ || exit
+rdiff-backup -r "$2" backup@backup::/$BB/"$1" RFDIR/$(basename "$1")
--- a/common/restore_ip.sh
+++ b/common/restore_ip.sh
+#!/bin/sh
+
+iptables -D INPUT -s $1 -j DROP
+
--- a/ddos/check_ddos_ip.sh
+++ b/ddos/check_ddos_ip.sh
+#!/bin/bash
+cd /root/bin
+
+IFDEV=breth0
+
+# Сколко запоов анализием за аз
+NUMP=10000
+# Сколко поенов може занима один аде
+MAXPERC=15
+# акимм вемени на tcpdmp
+TIMEP=15
+
+get_already_dropped()
+{
+        /sbin/iptables -L -n | grep DROP | awk '{print $4;}' > ipt.dropped.list
+}
+
+do_drop()
+{
+        grep -q "$1" ipt.dropped.list white.list && return 1
+        echo "$1 # $2 percent, $(date)" >> dropped.list
+        /sbin/iptables -A INPUT -s $1 -j DROP
+}
+
+get_already_dropped
+
+SECST=$(date "+%s")
+timeout -s SIGQUIT $TIMEP /usr/sbin/tcpdump -n -c $NUMP -f -i $IFDEV dst 212.176.192.225 or dst 212.176.200.17 | \
+        awk '{print $3;}' | \
+        sed 's/\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\)\..*/\1/g' > full.list
+SECST=$(($(date "+%s")-$SECST))
+
+NUMP=$(cat full.list | wc -l)
+
+cat full.list | sort | uniq -c | sort -r -n > attack.list
+
+TOTALATTACKED=0
+while read c ip ; do
+        #echo $c = $ip
+        perc=$((100*$c/$NUMP))
+        if [ $perc -gt $MAXPERC ] ; then
+                do_drop $ip $perc && echo "Drop IP $ip with $perc percent traffic" || echo "IP $ip already dropped"
+                TOTALATTACKED=$(($TOTALATTACKED+$perc))
+        fi
+done < attack.list
+
+echo "Checked packages: $NUMP ($SECST secs). Traffic: $(($NUMP/$SECST)) rps. Atacker percent: $TOTALATTACKED" | tee result.out
--- a/ddos/check_netstat.sh
+++ b/ddos/check_netstat.sh
+#!/bin/sh
+
+cd $(dirname $0)
+
+# uncomment one of
+MAXPERC=10
+#MAXNUM=4
+
+# инималное колиево дл наала повеки
+MINTOTAL=700
+
+OURIP1="87.249.47.44"
+
+get_already_dropped()
+{
+        /sbin/iptables -L -n | grep DROP | awk '{print $4;}' > ipt.dropped.list
+}
+
+do_drop()
+{
+        grep -q "$1" ipt.dropped.list white.list && return 1
+        echo "$1 # $3 from $4 ($2 percent), $(date) by $0" >> dropped.list
+        /sbin/iptables -A INPUT -s $1 -j DROP
+}
+
+get_already_dropped
+
+netstat -apn | grep -v TIME_WAIT | awk '{print $5;}' | grep ":" | sed 's/\([[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\.[[:digit:]]*\):.*/\1/g' | \
+    grep -v ":::" | grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | sort > full.list
+
+NUMP=$(cat full.list | wc -l)
+
+cat full.list | uniq -c | sort -r -n | head -n 40 > attack.list
+
+[ $NUMP -gt $MINTOTAL ] || exit
+
+TOTALATTACKED=0
+while read c ip ; do
+        echo "$c = $ip ($NUMP)"
+        grep -q $ip white.list && { echo Skip; continue; }
+        perc=$((100*$c/$NUMP))
+        #if [ $perc -gt $MAXPERC ] ; then
+        #if [ $c -gt $MAXNUM ] ; then
+        [ -n "$MAXPERC" ] && IFCASE="$perc -ge $MAXPERC" || IFCASE="$c -ge $MAXNUM"
+        if [ $IFCASE ] ; then
+                do_drop $ip $perc $c $NUMP && echo "Drop IP $ip with $perc percent traffic" || echo "IP $ip already dropped"
+                TOTALATTACKED=$(($TOTALATTACKED+$perc))
+        fi
+done < attack.list
--- a/ddos/check_nginx.sh
+++ b/ddos/check_nginx.sh
+#!/bin/sh
+
+cd $(dirname $0)
+
+# uncomment one of
+#MAXPERC=20
+MAXNUM=150
+
+MAXLIST=30
+
+OURIP1="87.249.47.44"
+
+get_already_dropped()
+{
+        /sbin/iptables -L -n | grep DROP | awk '{print $4;}' > ipt.dropped.list
+}
+
+do_drop()
+{
+        IP="$1"
+        #IP="${IP%.*}.0/24"
+        grep -q "$IP" ipt.dropped.list white.list && return 1
+        echo "$IP # $3 ($2 percent), $(date) by $0" >> dropped.list
+        /sbin/iptables -A INPUT -s $IP -j DROP
+}
+
+get_already_dropped
+
+echo "Tail access.log..."
+# FIXME: compare with azbyka.ru root/bin script
+tail -n 1000 /var/log/nginx/access.log | awk '{print $1;}' | \
+    grep -v "127.0.0.1" | grep -v "0.0.0.0" | grep -v "$OURIP1" | sort > full.list
+
+NUMP=$(cat full.list | wc -l)
+
+NUMPUNIQ=$(cat full.list | sort -u | wc -l)
+echo "Sort results..."
+cat full.list | uniq -c | sort -r -n | head -n $MAXLIST > attack.list
+
+TOTALATTACKED=0
+TOTALALREADY=0
+while read c ip ; do
+        [ -n "$ip" ] || continue
+        grep -q $ip white.list && { echo Skip; continue; }
+        perc=$((100*$c/$NUMP))
+        echo "$c = $ip ($NUMP, $perc)"
+        [ -n "$MAXPERC" ] && IFCASE="$perc -ge $MAXPERC" || IFCASE="$c -ge $MAXNUM"
+        if [ $IFCASE ] ; then
+                if do_drop $ip $perc $c ; then
+                    echo "Drop IP $ip with $perc percent traffic"
+                    TOTALATTACKED=$(($TOTALATTACKED+$c))
+                else
+                    echo "IP $ip already dropped"
+                    TOTALALREADY=$(($TOTALALREADY+$c))
+                fi
+        fi
+done < attack.list
+
+echo "Checked packages: $NUMP ($NUMPUNIQ unique). Attacker: $TOTALATTACKED ( $((TOTALATTACKED*100/$NUMP)) %) Already percent: $TOTALALREADY ( $((TOTALALREADY*100/$NUMP)) %)" | tee result.out
--- a/ddos/check_overload.sh
+++ b/ddos/check_overload.sh
+#!/bin/sh
+
+# kill this script for apply changes
+# 
+#links http://localhost/apache-stat -dump | grep "GET /"
+#links http://localhost/apache-stat -dump | grep "GET /" | sed -e "s|.* \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*GET.*|\1|g"
+
+# Parallel connection trashhold
+CRITICALNUM=4
+
+# Load average trashhold
+# five minute
+CRITICALAVG=3
+# one minute
+DCRITICALAVG=4
+
+
+check_load1()
+{
+	loadavg=`cat /proc/loadavg | cut -d" " -f 1 | cut -d"." -f 1`
+	[ $loadavg -ge $DCRITICALAVG ]
+}
+
+check_load5()
+{
+	loadavg=`cat /proc/loadavg | cut -d" " -f 2 | cut -d"." -f 1`
+	[ $loadavg -ge $CRITICALAVG ]
+}
+
+# FIXME:
+# can be freezed during overload
+get_loads()
+{
+	#/usr/bin/links http://localhost/apache-stat -dump > /tmp/zzzzzzzzz 2>&1 || exit 3
+	elinks http://localhost/apache-stat -dump | grep "GET /" | sed -e "s|.* \([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*GET.*|\1|g"
+}
+
+VERBOSE="$1"
+
+
+check_drop_ip()
+{
+FCO=/tmp/check_overload.stat
+get_loads | grep -v "127\.0\.0\.1" | grep -v "87\.249\.47\." | grep -v "212\.176\.200\.18" | grep -v "10\.20\.30\." | sort | uniq -c | sort -r > $FCO
+
+GL="$(cat "$FCO" | head -n1)"
+#echo "$GL"
+
+NUM="$(echo "$GL" | sed -e 's|.*\([0-9]\) .*|\1|g')"
+#echo $NUM
+
+IP="$(echo "$GL" | sed -e "s|.*[0-9] ||g")"
+#echo $IP
+
+[ -n "$NUM" ] || return
+
+if [ "$NUM" -ge "$CRITICALNUM" ] ; then
+	echo "Drop IP $IP $(resolve $IP): $NUM counted"
+	/root/bin/drop_ip.sh "$IP"
+	return 0
+else
+	echo "Skip, can't locate IP between"
+	cat "$FCO"
+	echo "(possible candidat: $GL)"
+	return 1
+fi
+}
+
+do_step()
+{
+check_load1 || check_load5 || return
+
+for i in 1 2 3 ; do
+	check_drop_ip && break
+	sleep 10
+done
+}
+
+if [ "$1" = "--force" ] ; then
+	check_drop_ip
+	exit
+fi
+
+
+# run script only if not run yet
+(
+flock -n 9 || exit
+echo $$ >/tmp/check_overload.pid
+while true ; do
+	do_step | tee -a /root/bin/check_overload.log
+	sleep 30
+done
+) 9>/tmp/check_overload.lock 2>/root/bin/check_overload.error.log
+rm -f /tmp/check_overload.pid