Difference between revisions of "User:Ryuzakiaiko"

From Dacentec
(How to help against (D)DOS attacks on your server)
 
(Blanked the page)
 
'''How to help against (D)DOS attacks on your server'''

Many people today have problems with DOS or DDOS attacks, which generate a flood that can take down most servers on the web. To fight the simpler of these attacks, you can try some rules in iptables, the software firewall for Linux.
 
 
This tutorial should work on any Linux with iptables, but it has only been tested on CentOS 5 and 6.
 
 
 
The commands below rate-limit ICMP packets to 40 per second, with a burst limit of 100 per second, on the INPUT and FORWARD chains. That way it also works on forwarded connections, such as OpenVZ containers.
 
 
 
iptables -A INPUT -p icmp -m limit --limit 40/s --limit-burst 100 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A FORWARD -p icmp -m limit --limit 40/s --limit-burst 100 -j ACCEPT
iptables -A FORWARD -p icmp -j DROP
 
 
 
 
 
This one rate-limits TCP SYN packets to 800 per second per IP, with a burst limit of 1000 per second per IP, on the INPUT and FORWARD chains. That way it also works on forwarded connections, such as OpenVZ containers.
 
 
 
iptables -A INPUT -p tcp --syn -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
iptables -A FORWARD -p tcp --syn -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A FORWARD -p tcp --syn -j DROP
 
 
 
 
 
And finally, the same for UDP packets: 800 per second per IP, with a burst limit of 1000 per second per IP, on the INPUT and FORWARD chains. That way it also works on forwarded connections, such as OpenVZ containers.
 
 
 
iptables -A INPUT -p udp -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A FORWARD -p udp -m limit --limit 800/s --limit-burst 1000 -j ACCEPT
iptables -A FORWARD -p udp -j DROP
 
 
 
 
 
We can also add a whitelist and make this more automatic using the script: https://www.virtushost.net/firewall/firewall.txt
 
 
This script automatically downloads the updated whitelist from a URL, which in this case points to my own IP whitelist; you can change it on line 12 to your own whitelist.

If you want to use my script without changing the whitelist, simply type the line below in your SSH session:
 
 
rm -rf firewall.txt.old;mv firewall.txt firewall.txt.old;rm -rf firewall.sh;wget https://www.virtushost.net/firewall/firewall.txt --no-check-certificate;mv firewall.txt firewall.sh;chmod +x firewall.sh;./firewall.sh
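As an added example (not the author's firewall.txt script and not DDoS Deflate's code), here are the ICMP, SYN and UDP limits from above rebuilt into one dedicated chain, with the whitelist evaluated before any limit. The SYN and UDP rules use the hashlimit match instead of limit: the plain limit match keeps a single bucket for all matching packets regardless of source, so one flooding host exhausts the budget for every client, whereas hashlimit keeps a separate bucket per source address, which is what the per-IP figures above describe. Assumed: an iptables with the hashlimit match (present on CentOS 6, not verified on CentOS 5); the chain name FLOODGUARD, the WHITELIST default and the preview mode are constructed for this example.

```shell
#!/bin/sh
# Added example: the page's ICMP/SYN/UDP limits in one chain, whitelist first.
# Assumes iptables with the hashlimit match (present on CentOS 6; not verified
# on CentOS 5). Chain name, whitelist default and preview mode are constructed.
IPT="${IPT:-iptables}"
CHAIN="FLOODGUARD"
WHITELIST="${WHITELIST:-127.0.0.1/8}"   # space-separated CIDRs; loopback by default

# Rebuild the chain from scratch so re-running the script never duplicates rules.
build_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true      # create once; -F empties it after that
    $IPT -F "$CHAIN"
    for net in $WHITELIST; do
        $IPT -A "$CHAIN" -s "$net" -j RETURN  # whitelisted sources skip every limit
    done
    # ICMP: one shared bucket, as on the page (40/s, burst of 100 packets)
    $IPT -A "$CHAIN" -p icmp -m limit --limit 40/s --limit-burst 100 -j RETURN
    $IPT -A "$CHAIN" -p icmp -j DROP
    # TCP SYN: 800/s with burst 1000 per source address, not shared across sources
    $IPT -A "$CHAIN" -p tcp --syn -m hashlimit --hashlimit-mode srcip \
        --hashlimit-upto 800/s --hashlimit-burst 1000 --hashlimit-name syn -j RETURN
    $IPT -A "$CHAIN" -p tcp --syn -j DROP
    # UDP: same per-source budget, tracked in its own hash table
    $IPT -A "$CHAIN" -p udp -m hashlimit --hashlimit-mode srcip \
        --hashlimit-upto 800/s --hashlimit-burst 1000 --hashlimit-name udp -j RETURN
    $IPT -A "$CHAIN" -p udp -j DROP
}

# Jump to the chain from the top of INPUT and FORWARD (covers OpenVZ containers).
attach_chain() {
    for hook in INPUT FORWARD; do
        $IPT -D "$hook" -j "$CHAIN" 2>/dev/null || true   # remove a stale jump first
        $IPT -I "$hook" 1 -j "$CHAIN"
    done
}

# "./floodguard.sh apply" installs the rules; anything else only prints them.
case "${1:-preview}" in
    apply)   build_chain && attach_chain ;;
    *)       IPT="echo iptables"; build_chain; attach_chain ;;
esac
```

Run it without arguments first to review the generated rules, then with `apply` as root; because the chain is flushed and re-attached each time, repeated runs leave exactly one copy of every rule.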
 
 
 
To enhance the protection against malicious floods even further, we can use DDoS Deflate, free software that detects IPs exceeding a certain number of simultaneous connections and blocks them.

In this tutorial I am using a custom configuration that also works with OpenVZ containers on the hardware node, by duplicating the firewall rules for the FORWARD chain.

The limits used in this configuration are 2000 simultaneous connections per IP and a ban period of 900 seconds with iptables. You can simply install it by typing:
 
 
rm -rf /usr/local/ddos/
rm -rf /usr/local/sbin/ddos
mkdir /usr/local/ddos/
cd /usr/local/ddos/
wget https://www.virtushost.net/firewall/ddos.conf --no-check-certificate
wget https://www.virtushost.net/firewall/ignore.ip.list --no-check-certificate
wget https://www.virtushost.net/firewall/ddos.txt --no-check-certificate
mv ddos.txt ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
echo "*/1 * * * * root /usr/local/ddos/ddos.sh >/dev/null 2>&1" >> /etc/crontab
 
 
 
 
Again, there is a whitelist, which is "https://www.virtushost.net/firewall/ignore.ip.list"; you can replace it with your own whitelist, BUT in that case do not forget to include 127.0.0.1.
 

Latest revision as of 05:13, 27 June 2015