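Installing vDDoS Proxy or DDOS deflate on a Linux VPS to defend against DDoS and CC attacks
DDOS deflate section
Note: Many people who run a blog or website get hit by DDoS attacks, which generally leaves the site unreachable and the server down. Small blogs like ours are not going to spend more money on DDoS-protected servers, so we have to fall back on other measures. DDOS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track IP addresses that create a large number of network connections, and when it detects that a node exceeds the preset limit, it bans or blocks those IPs through APF or IPTABLES.
1. Install DDOS deflate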
wget http://www.moerats.com/usr/down/DDOS/deflate.sh
chmod +x deflate.sh
./deflate.sh
2. Configure DDOS deflate
Configure the file /usr/local/ddos/ddos.conf.
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP Indicate that below.
NO_OF_CONNECTIONS=150
##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0
##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600
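Notes on the settings:
NO_OF_CONNECTIONS=150: the maximum number of connections; an IP that exceeds it is blocked. The default is fine.
APF_BAN: the default is 1; 0 is recommended, which means blocking with iptables.
EMAIL_TO="": fill in an email address; notifications will be sent to that mailbox.
BAN_PERIOD=600: the IP is blocked for 600 seconds.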
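The detection step described above (count connections per remote IP from netstat, skip the ignore list, flag addresses over NO_OF_CONNECTIONS), as an added example that is not DDOS deflate's own script or code from the original post. The function names and the sample netstat output are constructed, and the demo uses a limit of 3 instead of 150 so that the small sample triggers.

```shell
#!/bin/sh
# Added example, not DDOS deflate's own code: count connections per remote IP
# and report the addresses above a limit, skipping an ignore list.

# over_limit LIMIT [IGNORE_FILE]; reads `netstat -ntu` style text on stdin and
# prints "COUNT IP" for each remote address with more than LIMIT connections.
over_limit() {
    awk -v limit="$1" -v ignore="${2:-/dev/null}" '
        BEGIN { while ((getline ip < ignore) > 0) skip[ip] = 1 }
        $1 ~ /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # drop the :port suffix
            sub(/^::ffff:/, "", addr)    # IPv4-mapped IPv6 -> plain IPv4
            if (addr != "" && !(addr in skip)) n[addr]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample (documentation address ranges), standing in for the
# output of `netstat -ntu` on the protected host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address    Foreign Address       State
tcp   0      0      192.0.2.10:80    198.51.100.7:51000    ESTABLISHED
tcp   0      0      192.0.2.10:80    198.51.100.7:51001    ESTABLISHED
tcp   0      0      192.0.2.10:80    198.51.100.7:51002    SYN_RECV
tcp6  0      0      ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:51003 ESTABLISHED
tcp   0      0      192.0.2.10:80    203.0.113.9:40000     ESTABLISHED
tcp   0      0      192.0.2.10:80    203.0.113.9:40001     ESTABLISHED
tcp   0      0      192.0.2.10:80    203.0.113.9:40002     ESTABLISHED
tcp   0      0      192.0.2.10:80    203.0.113.9:40003     ESTABLISHED
tcp   0      0      192.0.2.10:443   198.51.100.20:52000   TIME_WAIT
udp   0      0      192.0.2.10:53    198.51.100.20:53000
EOF
}

# Demo: limit of 3 for the small sample (the page's config uses 150);
# 203.0.113.9 is on the ignore list, as a monitoring host would be.
demo() {
    ignore=$(mktemp)
    echo "203.0.113.9" > "$ignore"
    sample_netstat | over_limit 3 "$ignore"
    rm -f "$ignore"
}
demo
```

Without the ignore list, 203.0.113.9 would be reported as well, which is why trusted monitoring and proxy addresses belong in IGNORE_IP_LIST before KILL=1 is used.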
vDDoS proxy section
What is vDDoS proxy
Quoting the original: “
vDDoS Protection is Nginx bundled with module HTTP/2; GeoIP; Limit Req, Testcookie; reCaptcha processor…
Working like CloudFlare, but vDDoS is software help you build your own System Firewall.
”
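GitHub: https://github.com/duy13/vDDoS-Protection
Author's homepage: http://vddos.voduy.com/
The original author also provides more powerful features and more detailed documentation; MJJ with the skills can go and study them.
Installation
vDDoS proxy must be installed before the web software, for example (cPanel, VestaCP, LAMP, LEMP …).
vDDoS proxy currently supports only CentOS 5/6/7 64-bit and CloudLinux Server 5/6/7 64-bit.
The following uses CentOS 7 as the example.
Run the following commands: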
yum -y install epel-release
yum -y update
yum -y install curl wget gc gcc gcc-c++ pcre-devel zlib-devel make openssl-devel libxml2-devel libxslt-devel
yum -y install gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools gperftools-devel libatomic_ops-devel
yum -y install automake autoconf apr-util-devel GeoIP-devel libatomic_ops-devel
The latest version at present is 1.13.1
curl -L https://github.com/duy13/vDDoS-Protection/raw/master/vddos-1.13.1-centos7 -o /usr/bin/vddos
#curl -L https://github.com/duy13/vDDoS-Protection/raw/master/vddos-1.13.1-centos6 -o /usr/bin/vddos #Centos6.X
#curl -L https://github.com/duy13/vDDoS-Protection/raw/master/vddos-1.13.1-centos5 -o /usr/bin/vddos #Centos5.X
chmod 700 /usr/bin/vddos
/usr/bin/vddos help
/usr/bin/vddos setup
At this point, installation is complete.
Usage
Welcome to vDDoS, a HTTP(S) DDoS Protection Reverse Proxy. Thank you for using!
Command Line Usage:
vddos setup :installing vDDoS service for the first time into /vddos
vddos start :start vDDoS service
vddos stop :stop vDDoS service
vddos restart :restart vDDoS service
vddos autostart :auto-start vDDoS services on boot
vddos attack :create a DDoS attacks to HTTP target (in 30 min)
vddos stopattack :stop "vddos attack" command
vddos help :display this help
Please sure download vDDoS source from: vddos.voduy.com
Protecting a single website
# vi /vddos/conf.d/website.conf
# Website Listen Backend Cache Security SSL-Prikey SSL-CRTkey
default http://0.0.0.0:80 http://127.0.0.1:8080 no 200 no no
your-domain.com http://0.0.0.0:80 http://127.0.0.1:8080 no 200 no no
default https://0.0.0.0:443 https://127.0.0.1:8443 no 307 /ssl/key.pri /ssl/crt.crt
your-domain.com https://0.0.0.0:443 https://127.0.0.1:8443 no 307 /ssl/key.pri /ssl/crt.crt
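Parameter explanation
your-domain.com is the domain you want to protect.
listen is the local listening IP and port.
backend is the backend IP and port (this can be treated like using a CDN or reverse-proxying the origin site).
cache is whether to cache.
security is the protection strength; the options are no, 307, 200, click, 5s, high, captcha.
Strength ladder: no < 307 < 200 < click < 5s < high < captcha.
5s is similar to Cloudflare's five-second shield.
captcha enables Google's human-verification captcha, covered in detail further down.
SSL-Prikey is the SSL private key.
SSL-CRTkey is the SSL certificate.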
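A check for website.conf rows against the seven columns and the security levels listed above, as an added example; it is not part of vDDoS or the original post. The function names and the sample rows are constructed, and the loopback port-reuse check is an assumption about how a reverse proxy on the same host behaves.

```shell
#!/bin/sh
# Added example, not part of vDDoS: lint website.conf rows against the
# column layout and security levels listed on this page.

# lint_website_conf: reads website.conf text on stdin, prints one finding per line.
lint_website_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; next }
        {
            site = $1; listen = $2; backend = $3; sec = $5; key = $6; crt = $7
            if (sec !~ /^(no|307|200|click|5s|high|captcha)$/)
                printf "line %d: %s: unknown security level %s\n", NR, site, sec
            if (listen ~ /^https:/ && (key == "no" || crt == "no"))
                printf "line %d: %s: https listener without key/cert\n", NR, site
            # Assumption: a loopback backend on the listener port points the
            # proxy back at itself.
            lp = listen;  sub(/^.*:/, "", lp)
            bp = backend; sub(/^.*:/, "", bp)
            if (lp == bp && backend ~ /\/\/(127\.0\.0\.1|localhost):/)
                printf "line %d: %s: backend reuses listen port %s\n", NR, site, lp
        }'
}

# Constructed sample with deliberate mistakes (domains are placeholders).
sample_conf() {
    cat <<'EOF'
# Website Listen Backend Cache Security SSL-Prikey SSL-CRTkey
default          http://0.0.0.0:80    http://127.0.0.1:8080   no 200     no no
your-domain.com  http://0.0.0.0:80    http://127.0.0.1:8080   no 5sec    no no
your-domain.com  https://0.0.0.0:443  https://127.0.0.1:8443  no captcha no no
your-domain.org  https://0.0.0.0:443  https://127.0.0.1:443   no 307     /ssl/key.pri /ssl/crt.crt
your-domain.net  http://0.0.0.0:80    http://127.0.0.1:8080   no
EOF
}

lint_sample() { sample_conf | lint_website_conf; }
lint_sample
```

Running `lint_website_conf < /vddos/conf.d/website.conf` before `vddos restart` catches a mistyped level or a missing certificate path before the proxy is reloaded.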
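5s shield
The default file for the 5s shield is stored at /vddos/html/5s.html; customize it yourself if needed.
captcha (Google captcha)
Because Google's captcha cannot be used in China, I have not tested it either.
Below is the usage given on LET; please test it yourself.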
# vi /vddos/conf.d/recaptcha-sitekey.conf
# Website reCaptcha-sitekey (View KEY in https://www.google.com/recaptcha/admin#list)
your-domain.com 6Lcr6QkUAAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxx
...
# vi /vddos/conf.d/recaptcha-secretkey.conf
DEBUG=False
RE_SECRETS = { 'your-domain.com': '6Lcr6QkUAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'your-domain.org': '6LcKngoUAAAAxxxxxxxxxxxxxxxxxxxxxxxxxxx' }
The required keys have to be applied for at https://www.google.com/recaptcha/admin#list; it seems that each domain corresponds to one key.
Blocking IPs from a given country
Edit the file /vddos/conf.d/blacklist-countrycode.conf
#vi /vddos/conf.d/blacklist-countrycode.conf
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
default yes;
US yes;
CN no;# this one.. what is the idea of blocking China out of the box, mjj
}
deny 1.1.1.1;
Adding a whitelist
Edit the file /vddos/conf.d/whitelist-botsearch.conf
# vi /vddos/conf.d/whitelist-botsearch.conf
#Alexa Bot IP Addresses
204.236.235.245; 75.101.186.145;
...
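Once the whitelist is added, enabled protections such as the 5s shield and the captcha no longer apply to visitors from whitelisted IPs.
Setting IPs that access the origin site directly
Edit the file /vddos/conf.d/cdn-ip.conf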
# vi /vddos/conf.d/cdn-ip.conf
# Cloudflare
set_real_ip_from 103.21.244.0/22;
...