Alright. For starters, 1 to 14 connections is normal for most users. 15 to 29 is pushing it, but with the Firefox max-connections tweak, users set 20 or 25 to load pages faster, which really makes the site slower on a small server. So, 1 to 29 connections you can leave alone unless you know it's a DoS/DDoS attack.

Alrighty. Before you begin, you must log in over SSH. Personally, I use the terminal on Ubuntu. Login steps vary with the tool you are using, whether it's a third-party SSH client such as PuTTY, cPanel, HyperVM, etc.

Alright, once logged in, put in the following command:
Code: 
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n
You should get a list with a number in front of each IP address.

Example list:
1 1.3.3.7
4 69.0.0.69
13 55.55.55.55
88 41.99.0.0

The 1 1.3.3.7 line means 1 connection from IP 1.3.3.7.
Same goes for the rest: number of connections, then IP address.

Please note: it will only show connections within the last minute, I believe, not within the past few minutes. But most attackers attack for as long as possible, so you can hopefully catch them.

You see the 88 connections from 41.99.0.0, so that would be our attacker.
Now, to ban the IP, type the following command into SSH:

Code: 
iptables -A INPUT -s 41.99.0.0 -j DROP
Obviously, replace 41.99.0.0 with whatever IP address is attacking.
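As an added example (not from the original post), here is a small shell script that wraps the counting pipeline above into a function, runs it over a constructed netstat sample, and prints the ban command for any remote host at or above 30 connections (the post's 1 to 29 allowance) without executing it. The sample addresses, the THRESHOLD variable and the function names are my own; on a live box you would pipe real `netstat -atun` output in instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -atun` output (not captured from a real host).
# Two header lines, a listening TCP and UDP socket, and three remote hosts
# with 1, 4 and 88 connections respectively.
sample_netstat() {
    printf 'Active Internet connections (servers and established)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    printf 'tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n'
    printf 'udp        0      0 0.0.0.0:123             0.0.0.0:*\n'
    printf 'tcp        0      0 10.0.0.5:80             1.3.3.7:51022           ESTABLISHED\n'
    i=0; while [ "$i" -lt 4 ]; do
        printf 'tcp        0      0 10.0.0.5:80             69.0.0.69:%d         ESTABLISHED\n' $((50000 + i))
        i=$((i + 1))
    done
    i=0; while [ "$i" -lt 88 ]; do
        printf 'tcp        0      0 10.0.0.5:80             41.99.0.0:%d         TIME_WAIT\n' $((40000 + i))
        i=$((i + 1))
    done
}

# Same idea as the post's pipeline, reading netstat output on stdin and printing
# "count ip" per remote host, lowest count first. Unlike the one-liner it skips the
# header lines and unbound sockets (foreign address 0.0.0.0:*), and strips only the
# trailing :port so an IPv6 foreign address is not cut apart.
count_connections() {
    awk '/^(tcp|udp)/ && $5 !~ /:\*$/ {print $5}' |
    sed 's/:[^:]*$//' |
    sort | uniq -c | sort -n |
    awk '{print $1, $2}'
}

# Print (do not run) the post's ban command for every host at or above THRESHOLD.
# 30 follows the post: 1 to 29 connections are left alone unless known to be an attack.
THRESHOLD=30
suggest_bans() {
    count_connections |
    awk -v t="$THRESHOLD" '$1 >= t {print "iptables -A INPUT -s " $2 " -j DROP"}'
}

# Run against the constructed sample; on a real server use:
#   netstat -atun | suggest_bans
sample_netstat | suggest_bans
```

Review the printed commands before pasting them into SSH; a busy proxy or NAT gateway can legitimately show dozens of connections from one address.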

Now, I'd suggest you save this into iptables with the following command:
Code: 
service iptables save
and then restart the iptables service:
Code: 
service iptables restart
=================================
What if you ban the wrong IP?

You can unban an IP by logging in over SSH. Now, let's say we banned 41.99.0.0 by accident.

Type the following 2 commands in SSH (enter one, submit it, then the other).
Code: 
iptables -D INPUT -p all -s 41.99.0.0 -j DROP
Code: 
iptables -D OUTPUT -p all -s 41.99.0.0 -j DROP
Of course, replace 41.99.0.0 with the IP you want to unban.

Then, again, save and restart the iptables service with the 2 commands below:
Code: 
service iptables save
Code: 
service iptables restart
=============================

I hope this helps anyone who needs to stop DoS/DDoS attacks the easy way.

=============================
EDIT: I forgot to add how to ban by port.

To ban an IP on a specific port number, for instance if you don't want to let 41.99.0.0 reach port 80 (by default that's HTTP), put in the following command:
Code: 
iptables -A INPUT -p tcp -s 41.99.0.0 --dport 80 -j DROP
Of course, replace 41.99.0.0 with the IP you want blocked.

Save and restart the service.

To unban, use the same method as in the unban section above.

To ban on a different port, replace 80 with the port number.
Block DoS/DDoS attacks using IPTables in SSH, posted by DXS.