v7.0.0
Enkidu-6 committed Mar 8, 2024
1 parent 35d279e commit c06ed79
Showing 14 changed files with 673 additions and 433 deletions.
52 changes: 21 additions & 31 deletions README.md
@@ -1,48 +1,36 @@
# Update
The contents of refresh-authorities.sh has changed. Please replace your current copy with the new one to ensure your ipset is properly populated.
If you're updating from a previous version, Use the same download command below. The script tries to determine if you've previously used these scripts by looking for ipv4.txt anywhere on your system and if it exists, it'll give you the choice to update or start fresh.

Please feel free to use the Repository's dicussion board if you need help or if you find a bug in the script.

[Release notes / changelog](https://github.com/Enkidu-6/tor-ddos/releases)

# TLDR Version

If you don't want to read the rest, all you need is to populate the sample files **ipv4.txt** and **ipv6.txt** with your actual IPaddress:port, then chmod 0700 multi.sh and run ./multi.sh
If you don't want to read the rest, all you need is to run the following command:
```sh
bash <(curl -Ls https://raw.githubusercontent.com/Enkidu-6/tor-ddos/main/download.sh)
```
**You must be root or use sudo to run the scripts**

The IP files can contain multiple addresses, multiple Address port combinations or in case of ipv6.txt it can be empty if you don't have an IPV6 address.
All files must be in the same directory and some other scripts also rely on the IP files to be present.
The script will download all the files of the current release to $PWD/tor directory and will take you through the necessary steps and then applies the iptables rules for you. You don't have to do anything except answering a few questions and you're done. You need to know your IPV4 and IPV6 addresses and ORPorts.

You need iptables, ipset and curl on your system. Type iptables -V ipset -V and curl -V to find out if you have them. Almost all linux systems come with iptables / nf_tables. Some may not have have ipset and / or curl. Getting them is as simple as typing apt install curl ipset / yum install curl ipset / dnf install curl ipset / etc ...
If your OS is Ubuntu or Debian, the script will install conntrack utilities and ipset using apt as they don't come with them by default.

You need iptables, ipset and curl on your system. If the script fails, Type iptables -V ipset -V and curl -V to find out if you have them. Getting them is as simple as installing them from your System's native package manager.

**You must be root or use sudo to run the scripts**
**You need to run the above script only once** Don't use the above link again unless you plan to download the repo again and replace all your files.

So this is how it goes:
***After the first run, only use `multi.sh` after each reboot or `update.sh` If you don't want to reboot.***

```
wget https://raw.githubusercontent.com/Enkidu-6/tor-ddos/main/multi.sh
wget https://raw.githubusercontent.com/Enkidu-6/tor-ddos/main/ipv4.txt
wget https://raw.githubusercontent.com/Enkidu-6/tor-ddos/main/ipv6.txt
**update.sh** will save and restore your ipset lists so you don't have to start from scratch. All IP addresses in the block list will remain intact and it will also refresh your allow lists and brings them up to date.

```
Replace the contents of ipv4.txt and ipv6.txt with your own
```
chmod a+x multi.sh
./multi.sh
```

**That's it. You're good to go but please read on.**


The script makes a backup of your original iptables and ip6tables rules. You can restore the original rules by either simply rebooting or running the following commands:

```
iptables-restore < /var/tmp/iptablesRules.v4
ip6tables-restore < /var/tmp/ip6tablesRules.v4
ipset destroy
```
It will also create a file by the name **rules.sh** that contains all the rules in plain text so you can see what was applied.

**You must run a daily cron job with ***refresh-authorities.sh*** to keep the list of IPs for tor authorities, snowflake servers and dual-or relays up to date.**
**You should run a cron job with ***refresh-authorities.sh*** daily or once every few days to keep the list of IPs for tor authorities, snowflake servers, relays and multi-or relays up to date.**
From the same directory as the script, type:
```
(crontab -l ; echo "0 0 * * * $PWD/refresh-authorities.sh") | crontab -
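Review bot: The new TL;DR command `bash <(curl -Ls https://raw.githubusercontent.com/Enkidu-6/tor-ddos/main/download.sh)` runs whatever the `main` branch serves at that moment, as root, with no chance for the reader to look at it first; since this commit is tagged v7.0.0, point the URL at the release tag (or a specific commit) instead of `main`, and show a two-step form (`curl -o download.sh ...`, inspect, then `bash download.sh`) so the file can be reviewed before it is executed. Two smaller points in the same hunk: the restore example reads the ip6tables backup from `/var/tmp/ip6tablesRules.v4`, where a `.v6` suffix (changed in the script that writes it as well) would avoid confusion with the IPv4 file, and "dicussion" should read "discussion".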
Expand All @@ -64,11 +52,11 @@ They stay in the list for a maximum of 12 hours and then released, unless they b

Every time you run **compare.sh** you are given the option to either automatically remove all the relays or only the relays that are running multiple instances of Tor from the block list.

You can also remove those relays periodically from your block list using the simpler scripts suitable for a cron job mainly **remove.sh** and remove-dual-or.sh Use them as you see fit. You can play with the time interval until you find a number you're happy with.
You can also remove those relays periodically from your block list using the simpler scripts suitable for a cron job mainly **remove.sh** and **remove-dual-or.sh** Use them as you see fit. You can play with the time interval until you find a number you're happy with. I personally never remove them.

**conntrack.sh** will check your conntrack table and gives you a count and show you how many of your connections belong to relays. It will also list IP addresses that have more than 2 connections.
**conntrack.sh** will check your conntrack table and gives you a count and shows you how many of your connections belong to relays. It will also list IP addresses that have more than 2 connections, sorted from the lowest number of connections to the highest.

**update.sh** can be used to update your rules from a lower version to a higher one. It will also create a file named **update-rules.sh** which shows the rules in plain text for your review. It won't work after a reboot though. You must always run **multi.sh** after a reboot since all ipsets are removed upon reboot.
**update.sh** can be used to update your rules from a lower version to a higher one or to simply refresh your rules in case you need to. It will also create a file named **update-rules.sh** which shows the rules in plain text for your review. It won't work after a reboot though. You must always run **multi.sh** or **rules.sh** after a reboot since all ipsets are removed upon reboot.


# tor-ddos The long version
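Review bot: The sentence introducing **remove.sh** and **remove-dual-or.sh** is missing a period before "Use them as you see fit". The new claim that **conntrack.sh** lists addresses "sorted from the lowest number of connections to the highest" should be checked against the script: the conntrack-2.sh hunk in this same commit builds its per-address counts with `sort | uniq -c`, which orders by address rather than by count, so a numeric sort on the count column (`sort -n`) is needed wherever that wording is meant to hold.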
Expand Down Expand Up @@ -164,13 +152,14 @@ ipset create -exist allow-list hash:ip
ipset create tor-$ipaddress-$ORPort hash:ip family inet hashsize 4096 timeout 43200
iptables -t mangle -I PREROUTING -p tcp --destination $ipaddress --dport $ORPort -m set --match-set allow-list src -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m recent --name ddos-$ipaddress-$ORPort --set
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m set --match-set 4-or src -m connlimit --connlimit-mask 32 --connlimit-upto 4 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m set --match-set 4-or src -m connlimit --connlimit-mask 32 --connlimit-upto 2 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m set --match-set dual-or src -m connlimit --connlimit-mask 32 --connlimit-upto 2 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --syn --destination $ipaddress --destination-port $ORPort -m connlimit --connlimit-mask 32 --connlimit-above 2 -j SET --add-set tor-$ipaddress-$ORPort src
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m connlimit --connlimit-mask 32 --connlimit-above 2 -j SET --add-set tor-$ipaddress-$ORPort src
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m set --match-set tor-$ipaddress-$ORPort src -j DROP
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -m connlimit --connlimit-mask 32 --connlimit-above 1 -j DROP
iptables -t mangle -A PREROUTING -p tcp --destination $ipaddress --destination-port $ORPort -j ACCEPT
iptables -I INPUT -p tcp --destination $ipaddress --destination-port $ORPort -m set --match-set tor-$ipaddress-$ORPort src -j REJECT --reject-with tcp-reset
```

This is what the rules will do:
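Review bot: After lowering the `4-or` rule from `--connlimit-upto 4` to `--connlimit-upto 2`, the `4-or` and `dual-or` rules differ only in the set they match, so either the separate `4-or` set no longer needs its own rule or the text should say why two sets with the same limit are kept. Dropping `--syn` from the `SET --add-set tor-$ipaddress-$ORPort src` rule means any packet from a source that is over two connections now adds it to the block set, not only a new connection attempt; combined with the new `iptables -I INPUT ... -j REJECT --reject-with tcp-reset` this is what closes already established flows, which the bullet list should state explicitly, and `-I INPUT` places that reject ahead of every existing rule in the filter `INPUT` chain, which is presumably intended but worth calling out.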
Expand All @@ -190,6 +179,7 @@ This is what the rules will do:
- Drop any future attempts from those in the list for 12 hours.
- Allow a maximum of one connection per IP to our ORPort for those not in our lists.
- Accept everyone else.
- Reject and close connections by IP addresses in the block list to clear their already established connections as soon as possible.

That's it. Just remember, anytime you reload your firewall, all these iptables rules are erased. At least I'm sure that's what happens with firewall-cmd --reload. Also a reboot will reset your iptables rules to default rules that came with your system. Nevertheless we save the original rules so we can restore them with the following command if anything goes wrong:

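Review bot: The new bullet "Reject and close connections by IP addresses in the block list ..." describes a rule in the filter `INPUT` chain, while the bullets before it walk the mangle `PREROUTING` rules in order and end with "Accept everyone else"; placed after that line it reads as a step that runs after acceptance. Move it ahead of "Accept everyone else", or start it with "In the INPUT chain, ...", so the list order matches the rule listing above it.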
108 changes: 61 additions & 47 deletions compare.sh
@@ -1,55 +1,69 @@
#!/bin/bash
# set -x
green='\033[1;32m'
blue='\033[1;36m'
white='\033[1;37m'
plain='\033[0m'

if [[ ! -e /var/tmp/file2 ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' > /var/tmp/file2
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' >/var/tmp/file2
elif
[[ $(find "/var/tmp/file2" -mmin +60 -print) ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' > /var/tmp/file2
[[ $(find "/var/tmp/file2" -mmin +60 -print) ]]
then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' >/var/tmp/file2
fi
if [[ ! -e /var/tmp/dual-or ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/dual-or.txt' > /var/tmp/dual-or

if [[ ! -e /var/tmp/multi ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/above1-or.txt' >/var/tmp/multi
elif
[[ $(find "/var/tmp/dual-or" -mmin +60 -print) ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/dual-or.txt' > /var/tmp/dual-or
[[ $(find "/var/tmp/multi" -mmin +60 -print) ]]
then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/above1-or.txt' >/var/tmp/multi
fi

for i in `cat ipv4.txt | sed 's/:/-/'`;
do
/usr/sbin/ipset -L tor-$i | awk '{print $1}' > /var/tmp/$i

echo -e "\033[1;32mAll relays in tor-$i:\033[1;37m"
perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/file2
echo -e "\033[1;32mRelays with multiple Tor instances in tor-$i:\033[1;37m"
perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/dual-or

read -p "Remove All 'a'. Only the ones with multiple OR ports 'm'. Do Nothing 'n' (a/m/n) " yn

case $yn in
a ) perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/file2 > /var/tmp/remove-$i ;
for b in `cat /var/tmp/remove-$i` ;
do
/usr/sbin/ipset del tor-$i $b
done;;

m ) perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/dual-or > /var/tmp/dual-$i ;
for b in `cat /var/tmp/dual-$i` ;
do
/usr/sbin/ipset del tor-$i $b
done;;

n ) echo -e "Doing nothing, next list .... \033[0m";
;;

* ) echo -e "invalid response, next list ... \033[0m";
;;

esac

echo -e "\033[1;37m"
read -p "Press Enter to continue" </dev/tty
echo -e "\033[0m"
done;
for i in `cat ipv4.txt | sed 's/:/-/'`;
do
/bin/rm -r /var/tmp/$i /var/tmp/remove-$i /var/tmp/dual-$i 2> /dev/null
done;
for i in $(cat ipv4.txt | sed 's/:/-/'); do
/usr/sbin/ipset -L tor-$i | awk '{print $1}' >/var/tmp/$i

echo -e "${green}All Blocked Addresses in tor-$i:${white}"
/usr/sbin/ipset -L tor-$i | grep 'Number' | awk '{ print $4 }'
sleep 2
echo -e "${green}All relays in tor-$i:${white}"
perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/file2
echo -e "${green}Relays with multiple Tor instances in tor-$i:${white}"
perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/multi

read -p "Remove All 'a'. Only the ones with multiple OR ports 'm'. Do Nothing 'n' (a/m/n) " yn

case $yn in
a)
perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/file2 >/var/tmp/remove-$i
for b in $(cat /var/tmp/remove-$i); do
/usr/sbin/ipset del tor-$i $b
done
;;

m)
perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' /var/tmp/$i /var/tmp/multi >/var/tmp/dual-$i
for b in $(cat /var/tmp/dual-$i); do
/usr/sbin/ipset del tor-$i $b
done
;;

n)
echo -e "Doing nothing, next list .... ${plain}"
;;

*)
echo -e "invalid response, next list ... ${plain}"
;;

esac

echo -e "${white}"
read -p "Press Enter to continue" </dev/tty
echo -e "${plain}"
done

for i in $(cat ipv4.txt | sed 's/:/-/'); do
/bin/rm -r /var/tmp/$i /var/tmp/remove-$i /var/tmp/dual-$i 2>/dev/null
done
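Review bot: The cache refreshes at the top (`curl -s ... >/var/tmp/file2` and `>/var/tmp/multi`) write whatever curl returns straight over the cached list with no status check, so a transport failure (empty body) or an HTTP error page is cached for the next 60 minutes and then fed to the `perl` comparison and the `ipset del` loop; use `curl -sf` and write to a temporary file that is moved into place only on success, e.g. `curl -sf URL -o /var/tmp/file2.new && mv /var/tmp/file2.new /var/tmp/file2`. Minor: the final `/bin/rm -r` is applied to regular files, where `rm -f` is the right flag, and the `/var/tmp/dual-or` cache left behind by earlier versions is never cleaned up now that the script reads `/var/tmp/multi`.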
85 changes: 44 additions & 41 deletions conntrack-2.sh
@@ -1,62 +1,65 @@
#!/bin/bash
# set -x
# This script depends on conntrack utilities package (apt get conntrack). If you don't have the nf_conntrack file on your system you can use this script.
if [[ ! -e /var/tmp/file2 ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' > /var/tmp/file2
elif
[[ $(find "/var/tmp/file2" -mmin +60 -print) ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' > /var/tmp/file2
fi
# This script depends on conntrack utilities package (apt install conntrack). If you don't have the nf_conntrack file on your system you can use this script.
green='\033[1;32m'
blue='\033[1;36m'
white='\033[1;37m'
plain='\033[0m'

if [[ ! -e /var/tmp/dual-or ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/dual-or.txt' > /var/tmp/dual-or
if [[ ! -e /var/tmp/file2 ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' >/var/tmp/file2
elif
[[ $(find "/var/tmp/dual-or" -mmin +60 -print) ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/dual-or.txt' > /var/tmp/dual-or
[[ $(find "/var/tmp/file2" -mmin +60 -print) ]]
then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/relays-v4.txt' >/var/tmp/file2
fi

if [[ ! -e /var/tmp/multi-or ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/above2-or.txt' > /var/tmp/multi-or
if [[ ! -e /var/tmp/multi ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/above1-or.txt' >/var/tmp/multi
elif
[[ $(find "/var/tmp/multi-or" -mmin +60 -print) ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/above2-or.txt' > /var/tmp/multi-or
[[ $(find "/var/tmp/multi" -mmin +60 -print) ]]
then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/above1-or.txt' >/var/tmp/multi
fi

if [[ ! -e /var/tmp/snow ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/snowflake.txt' > /var/tmp/snow
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/snowflake.txt' >/var/tmp/snow
elif
[[ $(find "/var/tmp/snow" -mmin +60 -print) ]]; then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/snowflake.txt' > /var/tmp/snow
[[ $(find "/var/tmp/snow" -mmin +60 -print) ]]
then
curl -s 'https://raw.githubusercontent.com/Enkidu-6/tor-relay-lists/main/snowflake.txt' >/var/tmp/snow
fi

echo -e "\033[1;32mConntrack count:\033[0m"
echo -e " \033[1;36m`conntrack -C`\033[0m"
echo -e "${green}Conntrack count:${plain}"
echo -e " ${blue}$(conntrack -C)${plain}"

echo -e "\033[1;32mIPs with more than 2 connections:\033[0;30m"
conntrack -L | grep ESTABLISHED | awk '{ print $5 }' | awk -F= '{ print $2 }' | sort | uniq -c > /var/tmp/5
conntrack -L -f ipv6 | grep ESTABLISHED | awk '{ print $5 }' | awk -F= '{ print $2 }' | sort | uniq -c >> /var/tmp/5
echo -e "${green}IPs with more than 2 connections:\033[0;30m"
conntrack -L | grep ESTABLISHED | awk '{ print $5 }' | awk -F= '{ print $2 }' | sort | uniq -c >/var/tmp/5
conntrack -L -f ipv6 | grep ESTABLISHED | awk '{ print $5 }' | awk -F= '{ print $2 }' | sort | uniq -c >>/var/tmp/5
cd /var/tmp
echo -e "\033[1;37m`cat 5 | grep -v ' 1 ' | grep -v ' 2 '`\033[0m"
echo -e "${white}$(cat 5 | grep -v ' 1 ' | grep -v ' 2 ')${plain}"

echo -e "\033[1;32mIPs with More than Two connections:\033[0m"
cat 5 | grep -v ' 1 ' | grep -v ' 2 ' | awk '{ print $2 }' > 8
echo -e "${green}IPs with More than Two connections:${plain}"
cat 5 | grep -v ' 1 ' | grep -v ' 2 ' | awk '{ print $2 }' >8

echo -e "\033[1;37m There are \033[1;36m`cat 8 | wc -l`\033[1;37m IPs With More than Two connections"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 8 file2 | wc -l` \033[1;37mRelays"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 8 dual-or | wc -l` \033[1;37mMulti-OR"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 8 snow | wc -l` \033[1;37mSnowflake\033[0m"
echo -e "${white} There are ${blue}$(cat 8 | wc -l)${white} IPs With More than Two connections"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 8 file2 | wc -l) ${white}Relays"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 8 multi | wc -l) ${white}Multi-OR"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 8 snow | wc -l) ${white}Snowflake${plain}"

echo -e "\033[1;32mIPs with Two connections:\033[0m"
cat 5 | grep ' 2 ' | awk '{ print $2 }' > 6
echo -e "${green}IPs with Two connections:${plain}"
cat 5 | grep ' 2 ' | awk '{ print $2 }' >6

echo -e "\033[1;37m There are \033[1;36m`cat 6 | wc -l`\033[1;37m IPs with Two connections"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 6 file2 | wc -l` \033[1;37mRelays\033[0m"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 6 dual-or | wc -l` \033[1;37mMulti-OR\033[0m"
echo -e "${white} There are ${blue}$(cat 6 | wc -l)${white} IPs with Two connections"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 6 file2 | wc -l) ${white}Relays${plain}"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 6 multi | wc -l) ${white}Multi-OR${plain}"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 6 snow | wc -l) ${white}Snowflake${plain}"

echo -e "\033[1;32mIPs with One connection:\033[0m"
cat 5 | grep ' 1 ' | awk '{ print $2 }' > 7
echo -e "${green}IPs with One connection:${plain}"
cat 5 | grep ' 1 ' | awk '{ print $2 }' >7

echo -e "\033[1;37m There are \033[1;36m`cat 7 | wc -l`\033[1;37m IPs With One connection"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 7 file2 | wc -l` \033[1;37mRelays"
echo -e "\033[1;36m `perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 7 dual-or | wc -l` \033[1;37mMulti-OR\033[0m"
/bin/rm -r 5 6 7 8
echo -e "${white} There are ${blue}$(cat 7 | wc -l)${white} IPs With One connection"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 7 file2 | wc -l) ${white}Relays"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 7 multi | wc -l) ${white}Multi-OR${plain}"
echo -e "${blue} $(perl -ne 'print if ($seen{$_} .= @ARGV) =~ /10$/' 7 snow | wc -l) ${white}Snowflake${plain}"
/bin/rm -r 5 6 7 8
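Review bot: The script does `cd /var/tmp` and then writes its working files as `>/var/tmp/5`, `>8`, `>6` and `>7`, fixed names in a world-writable directory, while running as root; another local account can pre-create one of those names, and on a system where `fs.protected_symlinks` is not in effect a symlink there is followed by root's redirection, after which `rm -r 5 6 7 8` removes the entries. Put the scratch files in a directory from `mktemp -d` (removed by a `trap` on exit) instead of fixed names in `/var/tmp`. Also, the heading `echo -e "${green}IPs with more than 2 connections:\033[0;30m"` still hard-codes `\033[0;30m` (black foreground) where every other heading in this hunk switched to the new colour variables; `${plain}` would match them.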

0 comments on commit c06ed79