ROOT = become root
-SCRIPTS += logtrawl
-
## Installation.
install: all
firewall_script=./`hostname`.sh && \
$(ROOT) ./$$firewall_script
for i in $(HOSTS); do \
$(ROOT) scp $$i.sh $$i:/etc/init.d/firewall; \
- for j in $(SCRIPTS); do \
+ [ "$(SCRIPTS)" ] && for j in $(SCRIPTS); do \
$(ROOT) ssh $$i <$$j " \
cd /usr/local/sbin && \
rm -f $$j.new && \
+++ /dev/null
-#! /bin/bash
-
-set -e
-
-## DNS DDOS victims.
-dns_victims=$(
- sed -n '
- /^.*named.*client \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\)#.*:.*view inet.*NS\/IN.*denied.*$/ s//\1/p
- ' /var/log/daemon.log |
- sort -u |
- while read addr; do
- if ! ipset -qT ddos-evil-dns "$addr"; then
- echo "$addr"
- fi
- done
-)
-case "$dns_victims" in
- "") ;;
- *)
- echo 'DNS DDOS victim addresses:'
- ipset -N ddos-evil-dns iphash >/dev/null 2>&1 || :
- for addr in $dns_victims; do
- echo " $addr"
- ipset -A ddos-evil-dns "$addr" || :
- done
- ;;
-esac
###--------------------------------------------------------------------------
### vampire-specific rules.
-m4_divert(35)m4_dnl
-errorchain ddos-evil-dns DROP
-## Invalid DNS request with probably-forged sender address, with intent to
-## cause DDOS.
-
m4_divert(82)m4_dnl
-## Repelling evil DDos attack.
-run ipset -N ddos-evil-dns iphash 2>/dev/null || :
-run iptables -A inbound -g ddos-evil-dns \
- -m set --set ddos-evil-dns src \
- -p udp --destination-port $port_dns
-
## Externally visible services.
allowservices inbound tcp \
finger ident \
~mdw / firewall / commitdiff