I know very little about shell scripting so I could really use some help.
I really hope what I had in mind is possible to realize with some script since alternative is to purchase a hardware firewall which are expensive for me to rent from hosting companies.
Our site has been getting syn flood attacks but they are not very massive, coming from few ips at the time. But it still causes a load to go higher and slows down the page loading.
What I had in mind is a script that would run this command:
netstat -ntu | grep SYN_RECV
which gives an output like this:
First ip is server ip which I replaced with a fake one. Other group of ips are visitors or attackers. I imagine some of these requests are valid.
tcp 0 0 188.8.131.52:80 184.108.40.206:4772 SYN_RECV
tcp 0 0 220.127.116.11:80 18.104.22.168:4805 SYN_RECV
tcp 0 0 22.214.171.124:80 126.96.36.199:60048 SYN_RECV
tcp 0 0 188.8.131.52:80 184.108.40.206:61908 SYN_RECV
tcp 0 0 220.127.116.11:80 18.104.22.168:4770 SYN_RECV
tcp 0 0 22.214.171.124:80 126.96.36.199:2597 SYN_RECV
tcp 0 0 188.8.131.52:80 184.108.40.206:2595 SYN_RECV
tcp 0 0 220.127.116.11:80 18.104.22.168:1090 SYN_RECV
So I was thinking it would be good to set up a script which would run netstat command like 10 times with 10 second interval in between and grep those visitor ips that repeated in 8 out of 10 of those results and then block them with iptables.
Thanks in advance for any help