Gonzalez

Omega Sentinel v2 (Anti-[D]DoS Script)

A script written by ReMuSoMeGa, a good friend!! It will kill any DoS and DDoS attack. When your server is attacked, the server may die, but this script guarantees that the attack will be crushed and your server will be back within 2 minutes.

If you pass it on, don't forget to give CREDIT: ReMuSoMeGa

#!/usr/local/bin/php -q
<?php
/*
#--------------------------------------------------------------------------------------------------------------#
# OMEGA SENTINEL V.2 - The ONLY php Anti-(D)Dos script!
# Programmed by ReMuSoMeGa (ReMuSoMeGa@MonsterNET.ws) - Feel free to edit & redistribute
# but please credit the original author as well...
# ***********************************************
# How does it work?
# Sentinel is designed to run as a daemon (or a background process).
# You only need one instance of this script running on a server & it will protect all clients.
# Sentinel works by monitoring your server load 24/7. Once your load goes over normal operating
# loads, Sentinel is triggered. It starts by scanning your server for all active connections.
# Then, based on your settings, if an IP has too many connections (default is 80), the IP will be assumed
# to be the attacker & it will be banned via APF Firewall - unless the IP is listed under $ignore.
# After every (D)DoS attack, an email report will be sent to you.
# This method is also effective against Denial of Service attacks. This script runs very fast,
# and can detect & ban multiple attackers before server loads reach a critical point.
#
# How to use?
# In order to use this script, it MUST be run as the root user & the function "shell_exec()"
# must be enabled in your php.ini settings - if it is disabled or if PHP is in safe mode, this script
# will not work. You will also need "APF Firewall" & "GNU Screen" installed.
# DO NOT ATTEMPT TO RUN VIA BROWSER.
# First set the variables where the script begins (they are commented & explained).
# Upload this file to any safe directory on your server (non-public). To run this script, type:
# "screen php /path/to/sentinel.php". "SCREEN" will allow you to run this script as a background
# process, or a "daemon". If you do not use 'Screen' to run it, Sentinel will still work,
# but when your ssh session ends, it will stop running. Screen will keep it running even when you
# log out of ssh. If you have local access to your server, you don't need to use "SCREEN" to run this.
#--------------------------------------------------------------------------------------------------------------#
*/

class Sentinel {
    public $loadlimit = 15;   // server's 1-minute load limit before Sentinel assumes a DoS attack & kicks in
    public $conlimit  = 80;   // connections a single IP may hold during a DoS attack before Sentinel gets suspicious
    public $ignore    = "127.0.0.1, xx.xx.xx.xx"; // whitelist: never ban these IPs - add your own! If you use a remote SQL server, add it too
    public $path      = '/etc/apf/';      // full path to the APF Firewall directory, with trailing slash
    public $rate      = 60;               // in seconds, how frequently Sentinel should check your server load
    public $email     = 'your@email.tld'; // your email - where reports are sent

    // Returns 1 while the 1-minute load average is at or below $loadlimit, 0 once it is exceeded.
    // sys_getloadavg() replaces the original parsing of `uptime`, whose first token ("0.00,", with a
    // trailing comma) was compared against the numeric limit as a string and misfired.
    function goodload() {
        $loads = sys_getloadavg();
        if ($loads === false) {
            return 1; // load cannot be measured: do not start banning without evidence
        }
        return ((float)$loads[0] > $this->loadlimit) ? 0 : 1;
    }

    // Drops whitelisted IPs and IPs already present in deny_hosts.rules (so an address is never
    // appended twice) from the candidate list. Rule lines containing '#' are comments and skipped.
    function ignore($ip) {
        $ignore = array();
        foreach (explode(",", $this->ignore) as $i) {
            $ignore[] = trim($i);
        }
        $rules = @file_get_contents($this->path . 'deny_hosts.rules');
        if ($rules !== false) {
            foreach (explode("\n", $rules) as $rule) {
                $rule = trim($rule);
                if ($rule !== '' && strpos($rule, '#') === false) {
                    $ignore[] = $rule;
                }
            }
        }
        $good = array();
        foreach ($ip as $i) {
            if (!in_array($i, $ignore, true)) {
                $good[] = $i;
            }
        }
        return $good;
    }

    // Reloads APF so the new deny_hosts.rules entries take effect.
    // (The original wrapped this in ob_start()/ob_end_clean(), but the cleanup sat after the return and never ran.)
    function restartapf() {
        $sh = shell_exec("{$this->path}apf -r");
        return ($sh !== null) ? 1 : 0;
    }

    // Appends one IP to APF's deny list. Only a syntactically valid address is written, so a
    // parsing slip can never put garbage into the firewall rules.
    function banip($ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            return 0;
        }
        $handle = fopen($this->path . 'deny_hosts.rules', "a");
        if ($handle === false) {
            return 0;
        }
        fwrite($handle, "\n" . $ip);
        fclose($handle);
        return 1;
    }

    // Counts open TCP/UDP connections per remote IP and returns the IPs at or over $conlimit,
    // minus whitelisted and already-banned addresses.
    function getattackers() {
        // `| more` removed from the original pipeline: a pager has no place in a non-interactive daemon
        $shell = shell_exec('netstat -ntu | awk \'{print $5}\' | cut -d: -f1 | sort | uniq -c | sort -nr');
        $killthem = array();
        foreach (explode("\n", (string)$shell) as $line) {
            // Each useful line looks like "  80 1.2.3.4". Header lines and netstat warnings such as
            // "warning, got duplicate ..." do not match and are skipped (the original tested the
            // warning text against an array, which never worked). IPv6 remote addresses are mangled
            // by `cut -d:` and never match either, so only IPv4 is handled, as in the original.
            if (!preg_match('/^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$/', $line, $m)) {
                continue;
            }
            if ((int)$m[1] >= $this->conlimit) {
                $killthem[] = $m[2];
            }
        }
        return $this->ignore($killthem);
    }

    // Emails the list of newly banned IPs.
    function report($ips) {
        $rip = '';
        foreach ($ips as $ip) {
            $rip .= "$ip\n";
        }
        $subject = "YOUR SERVER WAS ATTACKED!";
        $headers = "From: SENTINEL <SENTINEL@Protection.omg>"; // the closing '>' was missing in the original
        $body    = "Omega Sentinel V2 has detected a (D)DoS attack against your server. The following IPs have been blocked:\n-------------\n$rip------------";
        mail($this->email, $subject, $body, $headers);
    }

    // Main loop: sleep, check the load, and only when the limit is exceeded look for attackers.
    function guard() {
        while (true) {
            sleep($this->rate);
            if (!$this->goodload()) {
                echo '.';
                $ips = $this->getattackers();
                if ($ips) {
                    foreach ($ips as $ip) {
                        $this->banip($ip);
                    }
                    $this->restartapf();
                    $this->report($ips);
                }
            }
        }
    }
}

$Sentinel = new Sentinel;
$Sentinel->guard();
?>

Good luck!


25 minutes ago, DjSystem said:

Nice script @Gonzalez, I'll test it on a root box, and I also have a question:

var $ignore = "127.0.0.1, xx.xx.xx.xx"; // ignore these IP's - add your own!   <<< Is this where I add my own IP, or the ones that will flood? Just so I understand exactly how it works. Thanks

The script is anti-DDoS, not anti-flood, and in any case it is no longer current, considering that the last post is from 2007.


20 hours ago, ARUBA said:

The script is anti-DDoS, not anti-flood, and in any case it is no longer current, considering that the last post is from 2007.

Maybe, but some people might still use it :D it's just that I don't understand what var $ignore = refers to: my IP, or the ones that flood ...


3 hours ago, DjSystem said:

Maybe, but some people might still use it :D it's just that I don't understand what var $ignore = refers to: my IP, or the ones that flood ...

# Then, based on your settings, if an IP has too many connections (default is 80), the IP will be assumed
# as the attacker & it will be banned via APF Firewall - unless the IP is listed under $ignore

Come on, Gogu, what the hell, it says so plainly. It is a kind of whitelist, so that the IPs you use yourself never get blacklisted/blocked.

Edited by ARUBA
