DDoS protection is a big part of a sysadmin's job these days, especially on big forums/hosts.
Obviously, the best plan would be to buy another server, set up a Cisco firewall on it and route all traffic through it to the main server. Unfortunately, this would require funds for another dedicated server.
So, the only solution that will work right now is using the box itself as a firewall. This tutorial is for cPanel.
First things first, we make sure that everything is up to date.
Code:
```sh
yum update && yum upgrade
```
OK, time to install a decent firewall. Because this server is running cPanel, we may as well use a firewall that integrates into cPanel, which makes configuration easy. CSF (ConfigServer Security & Firewall) is great, so we shall install that.
Code:
```sh
wget http://www.configserver.com/free/csf.tgz
tar -xzvf csf.tgz
cd csf
sh install.sh
```
Simple as that! Now we need to configure the firewall. Log into http://IP:2086 in a web browser using your root username and password. Click ConfigServer Security & Firewall under Plugins, then click Firewall Configuration and set:
Code:
```
TESTING = 0
SYN_FLOOD = 1
PORTFLOOD = 80
DENY_TEMP_IP_LIMIT = 100000
```
Note that csf expects each PORTFLOOD entry in the form port;protocol;hits;seconds (for example 80;tcp;20;5); a bare port number is not a valid entry, so adjust that line to the format before saving. Click 'Change', restart csf+lfd, then return. Next go to Firewall Security Level, click High, then restart csf+lfd.
Next, we need some extra firewall rules to filter the packet types commonly seen in DDoS attacks. We will also limit the number of connections allowed to the server. Bear in mind that csf rebuilds the iptables rule set from scratch every time it restarts, so rules added by hand like this are lost; to keep them, put them in /etc/csf/csfpost.sh, which csf runs after loading its own rules.
Code:
```sh
# Enable SYN cookies (add net.ipv4.tcp_syncookies = 1 to /etc/sysctl.conf so this survives a reboot)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Reset new HTTP connections from any client that already holds more than 100
# ('-d ! x' was the obsolete negation syntax; current iptables wants '! -d x')
iptables -A INPUT -p tcp --syn --dport 80 ! -d 127.0.0.1 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# Drop packets with invalid TCP flag combinations
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Rate-limit chains. NOTE: -m limit is one global bucket, not a per-source limit, so 1 SYN/second
# with a burst of 4 will also drop legitimate new connections on any busy site; raise the limit
# (or use -m hashlimit --hashlimit-mode srcip) before relying on this in production.
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 1/second --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
iptables -N udp-flood
iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
iptables -A udp-flood -j DROP
# Send new connection requests (SYN only) through the syn-flood chain. The original rule matched
# SYN,ACK, which is the reply to this server's own outgoing connections, not an inbound SYN flood.
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j syn-flood # SYN flood
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -p udp -j udp-flood
iptables -A INPUT -i eth0 -f -j DROP
service iptables save
```
Next, we will install some connection-based IP banning using a script called ddos_deflate.
Download and install ddos_deflate.
Code:
```sh
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh
```
Great, that's installed. Now we need to change some settings.
Code:
```sh
nano /usr/local/ddos/ddos.conf
```
And set these variables:
Code:
```
NO_OF_CONNECTIONS=100
EMAIL_TO="herp@derp.com"
BAN_PERIOD=12000
APF_BAN=0
```
Save the file and exit. Next we need to modify ddos_deflate to ban through CSF instead of calling iptables directly.
Code:
```sh
nano /usr/local/ddos/ddos.sh
```
On line 138 there should be this line:
Code:
```sh
$IPT -I INPUT -s $CURR_LINE_IP -j DROP
```
Change that line to
Code:
```sh
csf -d $CURR_LINE_IP
```
Save the file and exit. One caveat: the unban routine in ddos.sh still lifts bans with iptables -D, so an address denied with csf -d stays in csf.deny after BAN_PERIOD expires unless the unban line is changed to match (csf -dr for that IP) or a temporary deny (csf -td with the IP and BAN_PERIOD) is used instead. Next, put a symlink to the script on the path so it can be run simply as ddos.
Code:
```sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
```
I also have a mod of ddos_deflate to work with SYN packets. There was once a program called syn_deflate that did exactly this; however, the script stopped being made available and was lost forever!
Code:
```sh
mkdir /usr/local/synd
nano /usr/local/synd/synd.conf
```
The contents of synd.conf:
Code:
```
##### Paths of the script and other files
PROGDIR="/usr/local/synd"
PROG="/usr/local/synd/synd.sh"
IGNORE_IP_LIST="/usr/local/synd/ignore.ip.list"
CRON="/etc/cron.d/synd.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### Frequency in minutes for running the script
##### Caution: every time this setting is changed, run the script with the --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=10
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning IPs instead of APF)
APF_BAN=0
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of the script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Leave blank to suppress sending of mails
EMAIL_TO="herp@derp.com"
##### Number of seconds the banned IP should remain in the blacklist.
BAN_PERIOD=12000
```
Next, create the ignore list (addresses that must never be banned, one per line; external.ip.address stands for the server's own public IP):
Code:
```sh
nano /usr/local/synd/ignore.ip.list
```
Code:
```
127.0.0.1
external.ip.address
```
Then create the script itself:
Code:
```sh
nano /usr/local/synd/synd.sh
```
Code:
```sh
#!/bin/sh
load_conf()
{
    CONF="/usr/local/synd/synd.conf"
    if [ -n "$CONF" ] && [ -f "$CONF" ]; then
        . "$CONF"        # 'source' is a bash-ism; '.' is the portable form for /bin/sh
    else
        head
        echo "\$CONF not found."
        exit 1
    fi
}
# Note: this function shadows the head(1) utility for the rest of the script
head()
{
    echo "Syn-Deflate"
    echo "Based on DoS-Deflate"
    echo
}
showhelp()
{
    head
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
    echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
}
unbanip()
# The paste ends here: the body of unbanip() and the rest of the script (the
# SYN_RECV counting loop and the --cron handler) are not included on this page.
```
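The detection core that synd.sh's help text describes (count SYN_RECV connections per remote IP, honour ignore.ip.list, act on sources at or above NO_OF_CONNECTIONS), written here as an added stand-alone example rather than as the missing part of the original script; it also shows the csf temporary deny that sidesteps the permanent-ban problem noted in the ddos_deflate section above. The netstat output and ignore list are constructed samples, and syn_offenders and plan_bans are names chosen for this example.

```sh
#!/bin/sh
# Added example, not the original synd.sh: count half-open (SYN_RECV) connections
# per remote IP in netstat output, skip ignored addresses, report sources at or
# above the threshold, and turn each hit into a csf temporary-deny command.

# Constructed sample of `netstat -ntu` output (Linux column layout).
NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        ESTABLISHED
tcp        0      0 203.0.113.10:22         127.0.0.1:55555         SYN_RECV
tcp        0      0 203.0.113.10:22         127.0.0.1:55556         SYN_RECV
tcp        0      0 203.0.113.10:22         127.0.0.1:55557         SYN_RECV'

# Constructed ignore list, one address per line, as in ignore.ip.list.
IGNORE_SAMPLE='127.0.0.1
203.0.113.1'

# syn_offenders N: read netstat text on stdin; print "count ip" for every
# non-ignored remote IP with at least N connections in SYN_RECV, busiest first.
syn_offenders() {
    awk -v limit="$1" -v ignore="$IGNORE_SAMPLE" '
        BEGIN { n = split(ignore, ign, "\n"); for (i = 1; i <= n; i++) skip[ign[i]] = 1 }
        $6 == "SYN_RECV" {
            ip = $5; sub(/:[0-9]+$/, "", ip)      # drop the remote port
            if (!(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= limit) print count[ip], ip }
    ' | sort -rn
}

# plan_bans BAN_PERIOD: read "count ip" lines on stdin and print the csf
# temporary-deny command for each (csf -td ip ttl comment), so the ban expires
# on its own instead of staying in csf.deny. Printing instead of executing is
# the equivalent of KILL=0 in synd.conf; pipe the output to sh for KILL=1.
plan_bans() {
    while read -r count ip; do
        printf 'csf -td %s %s "synd: %s SYN_RECV connections"\n' "$ip" "$1" "$count"
    done
}

# Stand-alone run: threshold of 3 half-open connections, 12000 s ban.
printf '%s\n' "$NETSTAT_SAMPLE" | syn_offenders 3 | plan_bans 12000
```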
Next:
Code:
```sh
chmod 0755 /usr/local/synd/synd.sh
cp -s /usr/local/synd/synd.sh /usr/local/sbin/synd
/usr/local/synd/synd.sh --cron > /dev/null 2>&1
```
And we are all done! The server now has some pretty intense DDoS protection!