a guest
Jan 31st, 2015
DDoS protection is a big part of a sysadmin's job these days, especially on big forums/hosts.
Obviously, the best plan would be to buy another server, set up a Cisco firewall on it and reroute all traffic to the main server. Unfortunately, this would require funds for another dedicated server.

So, the only solution that would work right now is using the box itself as a firewall. Bear in mind what that can and cannot do: host-based filtering can shed malformed packets, SYN floods and abusive clients at a rate the box can keep up with, but it cannot do anything about a volumetric attack that fills the uplink before the packets ever reach the kernel; that has to be filtered upstream by the provider. This tutorial is for cPanel.

First things first, we make sure that everything is up to date.
Code:
yum update && yum upgrade

(On CentOS/RHEL "yum upgrade" is "yum update" with obsoletes handling enabled, so the second command normally finds nothing left to do; running both is harmless.)
Ok, time to install a decent firewall. Because this server is running cPanel, we may as well use a firewall that integrates into cPanel. This is just to allow for easy configuration. CSF (ConfigServer Security & Firewall) is great, so we shall be installing that.
Code:
wget http://www.configserver.com/free/csf.tgz
tar -xzvf csf.tgz
cd csf
sh install.sh

Run this as root; install.sh detects cPanel and installs the WHM plugin on its own. Note that the tarball is fetched over plain HTTP and ships with no signature or checksum, so anyone who can tamper with that connection can hand you a different archive that you then run as root. ConfigServer also serves the archive over HTTPS; prefer that, and keep the copy you installed so you can compare it later.

Simple as that! Now we need to configure the firewall. Log into WHM in an internet browser using your root username and password. The tutorial uses http://IP:2086; prefer https://IP:2087, which is the same WHM interface over TLS, so the root password is not sent in the clear. Click ConfigServer Security&Firewall under Plugins. Click Firewall Configuration and change these settings:
Code:
TESTING = 0
SYN_FLOOD = 1
PORTFLOOD = 80;tcp;20;5
DENY_TEMP_IP_LIMIT = 100000

TESTING = 0 removes the cron job that flushes the firewall every few minutes while you are testing; until it is 0, CSF is not protecting anything. SYN_FLOOD turns on CSF's own SYN rate limiting (tuned with SYN_FLOOD_RATE and SYN_FLOOD_BURST on the same page); CSF itself warns that it can slow down or drop legitimate connections on a busy server, so enable it only when you are actually under a SYN flood. PORTFLOOD needs the full "port;protocol;hits;interval" form, not just a port number: the value above blocks an IP that opens more than 20 new connections to port 80 within 5 seconds. DENY_TEMP_IP_LIMIT is the maximum number of temporary bans lfd will hold at once.

And click 'Change'. Restart csf+lfd, then return. Next go to Firewall Security Level. Click High, then restart csf+lfd.

Next, we need some extra firewall rules to filter the common packets found in DDoS attacks. We will also limit the number of connections allowed to the server.

Two things to know before pasting these in on a CSF box. First, CSF rebuilds the whole iptables ruleset every time it restarts (csf -r), so rules appended by hand are lost; CSF runs /etc/csf/csfpost.sh after building its own rules, and that is where custom rules belong so they survive a restart. Second, the original "syn-flood" match was wrong: "--tcp-flags SYN,RST,ACK,FIN SYN,ACK" matches packets with both SYN and ACK set, i.e. the SYN-ACK replies to connections this server opened itself, not the bare SYNs of a flood. The rule below matches SYN only. The "! -d" form is the current iptables syntax for the old "-d !".

Code:
# kernel SYN cookies; also put "net.ipv4.tcp_syncookies = 1" in /etc/sysctl.conf or this is lost at reboot
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# more than 100 concurrent connections to port 80 from one source: reset the extra ones
iptables -A INPUT -p tcp --syn --dport 80 ! -d 127.0.0.1 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# flag combinations that never occur in legitimate TCP (null, xmas and friends)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# packets conntrack cannot place in any flow
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# rate-limit chains: RETURN while under the limit, DROP everything above it
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 1/second --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

iptables -N udp-flood
iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
iptables -A udp-flood -j DROP

# SYN flood: SYN set, RST/ACK/FIN clear, i.e. a new connection attempt
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j syn-flood
# a NEW connection whose first packet is not a SYN is not a real handshake
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -p udp -j udp-flood
# drop fragments
iptables -A INPUT -i eth0 -f -j DROP
service iptables save

Read the limits before you trust them. "-m limit" counts packets globally, not per source, so 1 SYN per second with a burst of 4 is the whole server's budget for new connections: a busy forum will trip it with no attack at all, and during a real flood it drops attacker and customer SYNs alike, which is the outcome the attacker wanted. Per-source limiting is done with "-m hashlimit --hashlimit-mode srcip". The udp-flood chain has the same problem and would also catch the replies to the server's own DNS queries if it were not behind CSF's ESTABLISHED accept, which it is when these rules are appended after CSF's. The fragment drop can break large UDP answers (DNS with EDNS). Finally, "service iptables save" snapshots the live table including CSF's own chains; with csfpost.sh in place you do not need it.
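Added here as an example, not code from the tutorial: the same filtering rewritten for /etc/csf/csfpost.sh, with every limit keyed on the source address instead of the global "-m limit" buckets above. It is a shell script that prints the rules from a function so they can be reviewed or diffed before being applied, and only touches iptables when told to and run as root. The interface name (eth0), the web port (80), the rate and connection numbers and the install path mentioned in the comments are assumptions to adjust for your box.

```shell
#!/bin/sh
# Added example, not from the tutorial: DDoS filtering rules written for
# /etc/csf/csfpost.sh, the hook CSF runs after it has built its own chains,
# so they survive "csf -r" instead of being flushed with the rest.
# Assumed values (hypothetical, adjust for your box): public interface eth0,
# web port 80, and the per-source rate and connection numbers below.
IFACE="${IFACE:-eth0}"
WEBPORT="${WEBPORT:-80}"
IPT="${IPT:-/sbin/iptables}"

# Print the rules rather than run them, so they can be reviewed or diffed
# without root. Every limit is keyed on the source address (hashlimit srcip,
# connlimit), unlike "-m limit", which shares one bucket between an attacker
# and every customer.
ddos_rules() {
    cat <<EOF
# flag combinations that never occur in legitimate TCP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# packets conntrack cannot place in any flow
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
# a NEW flow must begin with a bare SYN
$IPT -A INPUT -i $IFACE -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# SYN flood, per source: SYN set and RST/ACK/FIN clear, above 20/s (burst 40) from one IP
$IPT -A INPUT -i $IFACE -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
# more than 100 concurrent connections to the web port from one IP: reset the extra ones
$IPT -A INPUT -i $IFACE -p tcp --syn --dport $WEBPORT -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# UDP flood, per source; replies to the server's own queries are ESTABLISHED and were already accepted by CSF's rules above this hook
$IPT -A INPUT -i $IFACE -p udp -m hashlimit --hashlimit-name udpflood --hashlimit-mode srcip --hashlimit-above 50/second --hashlimit-burst 100 -j DROP
EOF
}

# Number of iptables commands the generator emits (comment lines excluded).
rule_count() {
    ddos_rules | grep -c "^$IPT "
}

# Install the rules. Refuses to run unless root, since iptables needs it.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root" >&2
        return 1
    fi
    ddos_rules | sh -e
}

# "sh ddos-rules.sh" prints the rules for review, "sh ddos-rules.sh apply"
# installs them. CSF runs csfpost.sh without arguments, so from that file
# call this script with "apply" (the path /usr/local/sbin/ddos-rules.sh in
# the usage note is an assumption).
case "${1:-show}" in
    show)  ddos_rules ;;
    apply) apply_rules ;;
esac
```

Save it somewhere permanent (for instance /usr/local/sbin/ddos-rules.sh, an assumed path), and make /etc/csf/csfpost.sh consist of a line that runs it with the "apply" argument; then "csf -r" rebuilds CSF's rules and re-applies these afterwards. The "-m conntrack --ctstate" form is the current spelling of the older "-m state --state" used in the tutorial and matches the same packets.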

Next, we will install some connection-based IP banning. There is some software called ddos_deflate (DoS-Deflate) that we are going to use. It runs from cron, counts the connections each remote IP currently has open (from netstat), and bans any IP above a threshold for a set period.
Download and install ddos_deflate:
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh

The installer is an unsigned script fetched over HTTP and run as root; read it before you run it.

Great, that's installed. Now we need to change some settings.

Code:
nano /usr/local/ddos/ddos.conf

And set these vars:
Code:
* NO_OF_CONNECTIONS=100
* EMAIL_TO="herp@derp.com"
* BAN_PERIOD=12000
* APF_BAN=0

NO_OF_CONNECTIONS is the per-IP connection count that triggers a ban (100 is a reasonable starting point for a web server; NAT gateways and proxies can legitimately exceed it, so put those in the script's ignore list rather than lowering the threshold). EMAIL_TO gets a mail per ban, BAN_PERIOD is in seconds (12000 is about 3 hours 20 minutes) and APF_BAN=0 makes the script take the raw iptables path, which is the line we are about to change.

Save the file and exit. Next we need to modify ddos_deflate to work with CSF.
Code:
nano /usr/local/ddos/ddos.sh

On line 138 there should be this text
Code:
$IPT -I INPUT -s $CURR_LINE_IP -j DROP

Change that line to
Code:
csf -d $CURR_LINE_IP

One caveat: "csf -d" is a permanent deny (the IP goes into /etc/csf/csf.deny), and ddos_deflate's own unban step still tries to delete the iptables rule it expects to have inserted, so BAN_PERIOD no longer has any effect and bans accumulate in csf.deny until you remove them by hand. If you want bans to expire, use CSF's temporary deny instead, which takes the lifetime in seconds: csf -td $CURR_LINE_IP $BAN_PERIOD

Save the file and exit. Then put the script on the PATH so it can be run as plain "ddos" (cp -s creates a symlink):

Code:
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos

I also have a mod of ddos_deflate that works on SYN packets: instead of counting all connections it counts the ones stuck in SYN_RECV (half-open, the signature of a SYN flood) per source IP. There was once a program called syn_deflate that was exactly this, however the script stopped being made available and was lost!
Code:
mkdir /usr/local/synd
nano /usr/local/synd/synd.conf

The contents of synd.conf:
Code:
##### Paths of the script and other files
PROGDIR="/usr/local/synd"
PROG="/usr/local/synd/synd.sh"
IGNORE_IP_LIST="/usr/local/synd/ignore.ip.list"
CRON="/etc/cron.d/synd.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1

##### How many SYN_RECV connections from one IP define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=10

##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=0

##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="herp@derp.com"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=12000

Two things worth knowing about the threshold. With tcp_syncookies=1 the kernel stops keeping half-open state once the listen backlog is full and answers with cookies instead, so under a heavy flood the SYN_RECV count you see tops out at the backlog size rather than tracking the attack. And a flood with spoofed source addresses spreads its SYNs over addresses that never reach 10 each, so this script mainly catches unspoofed floods coming from a few hosts, which is still worth having. The ddos_deflate caveat applies here too: if the ban goes through csf -d, BAN_PERIOD does nothing.

Next, create the ignore list: one IP per line, and these are never banned. Put 127.0.0.1 and the server's own public address in it (external.ip.address below is a placeholder for the latter):

Code:
nano /usr/local/synd/ignore.ip.list

Code:
127.0.0.1
external.ip.address

Now the script itself:
Code:
nano /usr/local/synd/synd.sh

Code:
#!/bin/bash
# bash rather than sh: the script uses "source", which plain sh (dash) does not have

load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    # the second test is always true once the first passes; kept from DoS-Deflate
    if [ -f "$CONF" ] && [ -n "$CONF" ]; then
        source "$CONF"
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}

# Note: this function shadows the head(1) command for the rest of the script
# (DoS-Deflate does the same); call /usr/bin/head if you need the real one.
head()
{
    echo "Syn-Deflate"
    echo "Based on DoS-Deflate"
    echo
}

showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
}

unbanip()
# The paste stops here: the body of unbanip, the cron setup behind --cron,
# the SYN_RECV counting loop and the ban step (the DoS-Deflate pieces the mod
# is built on) were not included, so the file is not complete as pasted.

Next, make it executable, link it onto the PATH and install the cron job:

Code:
chmod 0755 /usr/local/synd/synd.sh
cp -s /usr/local/synd/synd.sh /usr/local/sbin/synd
/usr/local/synd/synd.sh --cron > /dev/null 2>&1
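The counting and banning logic that both the ddos_deflate section and the syn_deflate mod rely on, written out as an added example rather than the tutorial's own script (the paste of synd.sh above ends before that part). It assumes the two thresholds from the conf files above (100 connections in any state, 10 in SYN_RECV), an ignore file with one IP per line, and banning through CSF's temporary deny so that a ban actually expires after BAN_PERIOD; the netstat sample is constructed, and the IP addresses in it are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Added example (not the tutorial's script): the counting and banning logic
# that ddos_deflate and the syn_deflate mod are built on, written so the
# detection part can be run and checked without root or a real flood.
# Assumptions (hypothetical): thresholds mirror the two conf files above,
# the ignore list is a file of one IP per line, and banning goes through
# CSF's temporary deny so the ban expires on its own.

NO_OF_CONNECTIONS="${NO_OF_CONNECTIONS:-100}"   # ddos.conf threshold (all states)
NO_OF_SYN="${NO_OF_SYN:-10}"                    # synd.conf threshold (SYN_RECV only)
BAN_PERIOD="${BAN_PERIOD:-12000}"               # seconds, passed to csf -td
IGNORE_IP_LIST="${IGNORE_IP_LIST:-/usr/local/synd/ignore.ip.list}"

# Count remote IPs in "netstat -nt" output, optionally only rows in one TCP state.
# Input: netstat lines on stdin. Output: "count ip" per IP, highest first.
# Header lines do not start with tcp and are skipped; the ":port" suffix of the
# foreign address is stripped (and brackets, if the tool prints them, as ss does).
count_by_ip() {
    state="$1"
    awk -v state="$state" '
        $1 ~ /^tcp/ && (state == "" || $6 == state) {
            ip = $5
            sub(/:[0-9]+$/, "", ip)
            gsub(/\[|\]/, "", ip)
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Offenders above a threshold that are not on the ignore list, as "count ip" lines.
# $1 threshold, $2 state ("" = all states), $3 ignore file (missing = empty list)
offenders() {
    threshold="$1"; state="$2"; ignore="$3"
    count_by_ip "$state" | while read -r n ip; do
        [ "$n" -gt "$threshold" ] || continue
        if [ -f "$ignore" ] && grep -qxF "$ip" "$ignore"; then
            continue
        fi
        echo "$n $ip"
    done
}

# Ban one IP through CSF's temporary deny, which expires after BAN_PERIOD
# (unlike "csf -d", which is permanent). Prints the command instead when not
# root or when csf is not installed, so the script can be dry-run anywhere.
ban_ip() {
    ip="$1"; reason="$2"
    if [ "$(id -u)" -eq 0 ] && command -v csf >/dev/null 2>&1; then
        csf -td "$ip" "$BAN_PERIOD" "$reason"
    else
        echo "DRY RUN: csf -td $ip $BAN_PERIOD $reason"
    fi
}

# One sweep, as cron would run it: take netstat once, check both thresholds.
sweep() {
    snapshot="$(netstat -nt 2>/dev/null)"
    printf '%s\n' "$snapshot" | offenders "$NO_OF_CONNECTIONS" "" "$IGNORE_IP_LIST" |
        while read -r n ip; do ban_ip "$ip" "$n connections"; done
    printf '%s\n' "$snapshot" | offenders "$NO_OF_SYN" "SYN_RECV" "$IGNORE_IP_LIST" |
        while read -r n ip; do ban_ip "$ip" "$n SYN_RECV"; done
}

# Constructed "netstat -nt" sample: 198.51.100.7 holds 12 half-open connections
# (a small unspoofed SYN flood), 203.0.113.9 has two normal ones, 127.0.0.1 one.
sample_netstat() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf 'tcp        0      0 192.0.2.10:80           198.51.100.7:%d        SYN_RECV\n' $((40000 + i))
        i=$((i + 1))
    done
    printf 'tcp        0      0 192.0.2.10:80           203.0.113.9:51001       ESTABLISHED\n'
    printf 'tcp        0      0 192.0.2.10:80           203.0.113.9:51002       ESTABLISHED\n'
    printf 'tcp        0      0 127.0.0.1:3306          127.0.0.1:44021         ESTABLISHED\n'
}

# Run the SYN_RECV detection on the sample when executed directly (no root needed);
# on the real box, cron would call sweep instead.
sample_netstat | offenders "$NO_OF_SYN" "SYN_RECV" /dev/null
```

Run it as-is to see the flooder reported from the sample; on a live server call sweep from the cron job instead. Compared with the two scripts above, the only behavioural change is the ban command: csf -td with BAN_PERIOD keeps the temporary-ban semantics the conf files promise, which csf -d would silently drop.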

And we are all done! The server now has connection limits, SYN and UDP rate limits, bogus-packet filtering and automatic banning of abusive IPs. Keep the limits of the approach in mind: everything here runs on the box itself, so it only helps against attacks the box can still receive and process. Once the uplink is saturated by a volumetric flood, nothing on this server can drop packets fast enough, and you are back to the upstream option from the start of the tutorial.