1. Использование Fail2Ban с подсетями
Fail2Ban можно настроить для блокировки целых подсетей при обнаружении атаки.

Пример настройки:

ini
# /etc/fail2ban/jail.d/ddos.conf
[ddos]
enabled = true
filter = ddos
logpath = /var/log/nginx/access.log # или ваш лог
maxretry = 50  # кол-во запросов до блокировки
findtime = 60   # секунд
bantime = 3600  # время блокировки
banaction = iptables-subnet # специальное действие
Действие для подсетей (/etc/fail2ban/action.d/iptables-subnet.conf):

ini
[Definition]
actionban = iptables -I INPUT -s <ip>/24 -j DROP
actionunban = iptables -D INPUT -s <ip>/24 -j DROP

root@ftpserver:~# iptables -t raw -A PREROUTING -s 45.142.215.0/24 -j DROP
root@ftpserver:~# iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    DROP       all  --  207.171.0.0/16       anywhere            
2    DROP       all  --  180.150.0.0/16       anywhere            
3    DROP       all  --  147.185.0.0/16       anywhere            
4    DROP       all  --  185.239.70.0.16clouds.com/23  anywhere            
5    DROP       all  --  45.62.0.0/16         anywhere            
6    DROP       all  --  r0.it7.net/16        anywhere            
7    DROP       all  --  171.204.0.0/15       anywhere            
8    DROP       all  --  171.192.0.0/13       anywhere            
9    DROP       all  --  171.200.0.0/14       anywhere            
10   DROP       all  --  171.128.0.0/10       anywhere            
11   DROP       all  --  171.206.0.0/16       anywhere            
12   DROP       all  --  62.204.41.0/24       anywhere            
13   DROP       all  --  103.41.0.0/16        anywhere            
14   DROP       all  --  cg-in-f0.1e100.net/16  anywhere            
15   DROP       all  --  cj-in-f0.1e100.net/16  anywhere            
16   DROP       all  --  74.208.0.0/16        anywhere            
17   DROP       all  --  ebuuv1re2tg.expanse.co/24  anywhere            
18   DROP       all  --  64.62.0.0/16         anywhere            
19   DROP       all  --  66.132.0.0/16        anywhere            
20   DROP       all  --  64.227.0.0/16        anywhere            
21   DROP       all  --  164.92.0.0/16        anywhere            
22   DROP       all  --  92.1.0.0/16          anywhere            
23   DROP       all  --  unused-space.coop.net/22  anywhere            
24   DROP       all  --  196.245.0.0/18       anywhere            
25   DROP       all  --  160.223.160.0/20     anywhere            
26   DROP       all  --  173.239.192.0/18     anywhere            
27   DROP       all  --  ./24                 anywhere            
root@ftpserver:~# 

2024/10/11 21:20:13 DEB [RTSP] [conn 91.193.177.93:21564] [s->c] RTSP/1.0 401 Unauthorized
CSeq: 2

^.* DEB \[RTSP\] \[conn <HOST>:\d+\] \[s->c\] RTSP\/1\.0 401 Unauthorized\nCSeq: 2$

# Generated by iptables-save v1.8.7 on Mon Jul  1 19:01:05 2024
*mangle
:PREROUTING ACCEPT [2988:648365]
:INPUT ACCEPT [2957:645796]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1993:679002]
:POSTROUTING ACCEPT [1993:679002]
COMMIT
# Completed on Mon Jul  1 19:01:05 2024
# Generated by iptables-save v1.8.7 on Mon Jul  1 19:01:05 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1981:678570]
:f2b-proftpd - [0:0]
-A INPUT -p tcp -m multiport --dports 21,20,990,989 -j f2b-proftpd
-A INPUT -i lo -p tcp -m tcp ! --dport 21 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49200:54000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12/0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 12/0 -j ACCEPT
-A OUTPUT -p icmp -j DROP
-A f2b-proftpd -s 59.46.124.38/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 58.226.181.97/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 40.71.29.110/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 35.205.205.158/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 211.149.132.198/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 194.71.217.74/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 177.54.147.173/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 119.28.71.111/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 104.199.31.214/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -s 103.6.223.149/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-proftpd -j RETURN
COMMIT
# Completed on Mon Jul  1 19:01:05 2024
# Generated by iptables-save v1.8.7 on Mon Jul  1 19:01:05 2024
*nat
:PREROUTING ACCEPT [950:109886]
:INPUT ACCEPT [173:8540]
:OUTPUT ACCEPT [17:1344]
:POSTROUTING ACCEPT [17:1344]
COMMIT
# Completed on Mon Jul  1 19:01:05 2024

Уважаемые!

Нужна помощь, для убунты есть такая приблуда nat-rtsp-dkms

Может кто сталкивался, как это настроить, как это работает, есть ли мануал или примеры?