DDoS protection is a big part of a sysadmin's job these days, especially on large forums and hosting boxes.
Obviously, the best plan would be to buy another server, set up a Cisco firewall on it and route all traffic through it to the main server. Unfortunately, this would require funds for another dedicated server.
So the only solution that will work right now is using the box itself as a firewall. This tutorial is for cPanel/WHM on a CentOS/RHEL-style system, which is what the yum and service commands below assume.
First things first, make sure everything is up to date. (yum upgrade is yum update with obsoletes handling, so a single call is enough.)
Code:
yum update
OK, time to install a decent firewall. Because this server is running cPanel, we may as well use a firewall that integrates into cPanel, which keeps configuration easy. CSF (ConfigServer Security & Firewall) is great, so we shall install that. Note that the archive is fetched over plain HTTP and install.sh runs as root, so at the very least read through the script before running it.
Code:
wget http://www.configserver.com/free/csf.tgz
tar -xzvf csf.tgz
cd csf
sh install.sh
Simple as that! Now we need to configure the firewall. Log in to WHM at https://IP:2087 in a browser using your root username and password (2086 is the plain-HTTP WHM port; use the TLS port so the root password does not cross the wire in the clear). Click ConfigServer Security & Firewall under Plugins, then Firewall Configuration.
Code:
TESTING = "0"
SYN_FLOOD = "1"
PORTFLOOD = "80;tcp;20;5"
DENY_TEMP_IP_LIMIT = "100000"
Two things to get right here. PORTFLOOD is not a bare port number: each entry is port;protocol;hit count;interval, so the value above temporarily blocks a source that opens more than 20 new connections to tcp/80 within 5 seconds (20 and 5 are a starting point, tune them to your traffic). SYN_FLOOD, as csf's own comment in csf.conf warns, slows down all new connections from every address once it triggers, so it is meant to be switched on while you are actually under a SYN flood and off again afterwards.
Then click Change, restart csf+lfd and return to the plugin page. Next go to Firewall Security Level, click High, then restart csf+lfd again. The security level presets rewrite a batch of csf.conf values, so re-open Firewall Configuration afterwards and confirm the settings above are still what you set.
Next, we need some extra firewall rules to filter the malformed packets common in DDoS attacks, and to limit the number of connections allowed to the server. One caveat first: csf flushes and rebuilds the whole iptables ruleset every time it (re)starts, so rules added by hand are lost, and service iptables save is no use on a csf box. csf provides /etc/csf/csfpost.sh for exactly this; it is run after csf has loaded its own rules, so put the following in that file. The SYN cookie setting likewise belongs in /etc/sysctl.conf so it survives a reboot.
Code:
# /etc/csf/csfpost.sh -- csf runs this after loading its own rules, on every restart.
# SYN cookies, set persistently instead of echo 1 > /proc/sys/net/ipv4/tcp_syncookies
sysctl -w net.ipv4.tcp_syncookies=1
grep -q '^net.ipv4.tcp_syncookies' /etc/sysctl.conf || echo 'net.ipv4.tcp_syncookies = 1' >> /etc/sysctl.conf
# No more than 100 concurrent connections to port 80 from one source address
# (current iptables wants the negation before the option: "! -d", not "-d !")
iptables -A INPUT -p tcp --syn --dport 80 ! -d 127.0.0.1 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# Impossible flag combinations (NULL/XMAS scans, bogus floods)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
# Anything conntrack cannot classify
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
# Rate-limit chains. This file is re-run on each csf restart, so create the
# chain if it is missing and flush it if it exists, rather than failing on -N.
iptables -N syn-flood 2>/dev/null || iptables -F syn-flood
# Per-source limit. The original used "-m limit 1/second" for the whole server,
# which drops legitimate new connections on any busy site. 10/s with a burst
# of 20 per source IP is only a starting point; tune it to your traffic.
iptables -A syn-flood -m hashlimit --hashlimit-name synflood --hashlimit-mode srcip --hashlimit-upto 10/second --hashlimit-burst 20 -j RETURN
iptables -A syn-flood -j DROP
iptables -N udp-flood 2>/dev/null || iptables -F udp-flood
iptables -A udp-flood -m hashlimit --hashlimit-name udpflood --hashlimit-mode srcip --hashlimit-upto 4/second --hashlimit-burst 4 -j RETURN
iptables -A udp-flood -j DROP
# Plain SYNs (SYN set, ACK/RST/FIN clear) go to the syn-flood chain. The original
# matched "SYN,ACK", i.e. replies to this server's own outbound connections,
# not incoming connection attempts. eth0 is assumed to be the public interface.
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j syn-flood # SYN flood
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Only new UDP flows are rate-limited; replies to the server's own DNS queries are ESTABLISHED
iptables -A INPUT -i eth0 -p udp -m state --state NEW -j udp-flood
# Drop fragments. This also drops large UDP replies (e.g. DNS answers over the MTU).
iptables -A INPUT -i eth0 -f -j DROP
# No "service iptables save": csf owns the ruleset and rebuilds it from csf.conf plus this file.
Next, we will install some connection-based IP banning, using a script called ddos_deflate. It runs from cron, counts the connections each remote address has open (via netstat) and bans any address over a threshold. As with csf, the installer is fetched over HTTP and run as root, so read it before you run it. Download ddos_deflate:
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh
Great, that's installed. Now we need to change some settings.
Code:
nano /usr/local/ddos/ddos.conf
And set these variables:
Code:
NO_OF_CONNECTIONS=100
EMAIL_TO="herp@derp.com"
BAN_PERIOD=12000
APF_BAN=0
NO_OF_CONNECTIONS is concurrent connections from one address, so an office or mobile carrier behind a single NAT address counts as one client; going much below 100 will start banning such users. APF_BAN=0 tells the script to ban with iptables directly, which we redirect to csf next.
Save the file and exit. Next we need to make ddos_deflate hand its bans to csf rather than inserting its own iptables rule, which csf would flush on its next restart anyway.
Code:
nano /usr/local/ddos/ddos.sh
Find the line that bans an address (it was line 138 in this version, but the number varies between releases, so search for "IPT -I INPUT" rather than trusting it):
Code:
$IPT -I INPUT -s $CURR_LINE_IP -j DROP
Change that line to
Code:
csf -td $CURR_LINE_IP $BAN_PERIOD
csf -d would write a permanent entry to /etc/csf/csf.deny, and ddos_deflate's own unban step only knows how to delete the iptables rule it used to add, so with -d the BAN_PERIOD set above would never take effect. csf -td is a temporary deny that lfd removes after the given number of seconds, which keeps the ban length in one place.
Code:
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
I also have a mod of ddos_deflate that works on SYN packets. There was once a program called syn_deflate that did exactly this, but the script stopped being made available and was lost.
Code:
mkdir /usr/local/synd
nano /usr/local/synd/synd.conf
The contents of synd.conf:
Code:
##### Paths of the script and other files
PROGDIR="/usr/local/synd"
PROG="/usr/local/synd/synd.sh"
IGNORE_IP_LIST="/usr/local/synd/ignore.ip.list"
CRON="/etc/cron.d/synd.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=10
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning IPs instead of APF)
APF_BAN=0
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of the script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="herp@derp.com"
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=12000
Code:
nano /usr/local/synd/ignore.ip.list
Code:
127.0.0.1
external.ip.address
Code:
nano /usr/local/synd/synd.sh
Code:
#!/bin/sh
# Syn-Deflate: ddos_deflate modified to count SYN_RECV (half-open) sockets
# per source instead of all connections.
# The post is cut off after the unbanip() line at the bottom; the body of
# unbanip, the cron setup and the counting loop are missing from it.

CONF="/usr/local/synd/synd.conf"

load_conf()
{
    if [ -f "$CONF" ]; then
        . "$CONF"       # 'source' is a bashism and fails under /bin/sh
    else
        header
        echo "$CONF not found."
        exit 1
    fi
}

# Was called head(), which shadows the head(1) utility for the rest of the script.
header()
{
    echo "Syn-Deflate"
    echo "Based on DoS-Deflate"
    echo
}

showhelp()
{
    header
    echo 'Usage: synd.sh [OPTIONS] [N]'
    echo 'N : number of SYN_RECV connections (default 10)'
    echo 'OPTIONS:'
    echo '-h | --help: Show this help screen'
    echo '-c | --cron: Create cron job to run this script regularly (default 1 min)'
    echo '-k | --kill: Block the offending IP making more than N SYN_RECV connections'
}

unbanip()
# (the post ends here)
Code:
chmod 0755 /usr/local/synd/synd.sh
cp -s /usr/local/synd/synd.sh /usr/local/sbin/synd
/usr/local/synd/synd.sh --cron > /dev/null 2>&1
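To make concrete what ddos_deflate and the synd mod above actually do (count connections per foreign address, skip anything on the ignore list, ban whatever is over the threshold, and lift the ban later), here is an added example that is not code from the original post or from the ddos_deflate project. It runs the same logic as a dry run over a constructed netstat -nt snapshot embedded in the script, so it needs no root and bans nothing; the thresholds, the ignore-list contents and the csf -td ban command are assumptions taken from the tutorial's settings. It also shows the one parsing pitfall in the original scripts: ddos_deflate strips the port with cut -d: -f1, which turns an IPv6 peer such as 2001:db8:1::5 into "2001", so the wrong thing gets banned.

```shell
#!/bin/sh
# Connection-count banning as ddos_deflate and the synd mod do it, run as a
# dry run over a constructed "netstat -nt" snapshot so it needs no root and
# bans nothing. Added example for this page; not code from the original post
# or from the ddos_deflate project. Thresholds, ignore-list contents and the
# csf -td ban command are assumptions taken from the tutorial's settings.

# Constructed netstat -nt output: a SYN-flood source with 4 half-open sockets,
# a NAT gateway with 4 established sessions, an IPv6 peer with 2 half-open
# sockets, and loopback, which the ignore list must protect.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:40001      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40002      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40003      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40004      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.25:51000        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.25:51001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.25:51002        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.25:51003        ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:33000     SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8:1::5:33001     SYN_RECV
tcp        0      0 127.0.0.1:2087          127.0.0.1:45000         ESTABLISHED
tcp        0      0 127.0.0.1:2087          127.0.0.1:45001         ESTABLISHED
tcp        0      0 127.0.0.1:2087          127.0.0.1:45002         ESTABLISHED
EOF
}

# Strip the trailing :port from a netstat address. ddos_deflate's
# "cut -d: -f1" keeps only the text before the FIRST colon, which for an
# IPv6 peer is its first hextet; removing the LAST field works for both families.
peer_ip() {
    printf '%s\n' "${1%:*}"
}

# count_peers [STATE]: read netstat -nt lines on stdin and print "<count> <ip>"
# per foreign address, highest first. With no STATE every socket counts
# (ddos_deflate); with SYN_RECV only half-open ones (synd).
count_peers() {
    awk -v want="${1:-}" '$1 ~ /^tcp/ && (want == "" || $6 == want) { print $5 }' |
    while read -r addr; do peer_ip "$addr"; done |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD IGNORE_FILE [STATE]: addresses at or above THRESHOLD
# that are not listed (one per line) in IGNORE_FILE.
offenders() {
    thresh="$1"; ignore="$2"
    count_peers "${3:-}" | while read -r n ip; do
        [ "$n" -ge "$thresh" ] || continue
        grep -qxF -- "$ip" "$ignore" && continue
        printf '%s\n' "$ip"
    done
}

# ban_cmd IP TTL: the command the patched ddos.sh should run. csf -td is a
# temporary deny that lfd lifts after TTL seconds; csf -d would be permanent
# and BAN_PERIOD would never apply.
ban_cmd() {
    printf 'csf -td %s %s\n' "$1" "$2"
}

IGNORE_FILE="$(mktemp)"
trap 'rm -f "$IGNORE_FILE"' EXIT
printf '127.0.0.1\n::1\n' > "$IGNORE_FILE"   # assumed ignore.ip.list contents

# The tutorial's synd threshold is 10; 3 is used here only so the small
# sample trips it. Output is the ban command; nothing is executed.
sample_netstat | offenders 3 "$IGNORE_FILE" SYN_RECV | while read -r ip; do
    ban_cmd "$ip" 12000      # prints: csf -td 198.51.100.7 12000
done
```

Run without a STATE argument and threshold 3 the same snapshot also flags the NAT gateway 192.0.2.25, which is exactly the false positive the NO_OF_CONNECTIONS note above warns about: four established sessions from one address is normal for an office, while four half-open SYN_RECV sockets from one address is not. On a live box, replace sample_netstat with netstat -nt (or ss -ntH, whose address columns are 4 and 5 instead of 5 and 6).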
And we are all done! The server now has some fairly aggressive DDoS protection. Bear in mind that all of it runs on the target box itself: it can drop malformed packets and ban abusive sources, but it cannot help against a flood that fills the server's uplink before the packets ever reach iptables. Only filtering upstream (the second box from the start of the post, or the provider) deals with that.
Windows DDoS Protection: Optimising the TCP/IP stack
Open Notepad, save the following as run.cmd and run it from an elevated (Administrator) command prompt, since netsh and the HKLM registry writes need it. Run it once and press Y to apply the tweak, then run it again and press Q to disable QoS reserved bandwidth; D restores the Vista defaults. Note that most of these are SpeedGuide throughput tweaks rather than DDoS mitigations: on Vista and later the TCP stack's SYN attack protection is always on and the SynAttackProtect value is no longer read, so only the retransmission and TIME_WAIT changes have any bearing on resource exhaustion.
Code:
CLS
@ECHO OFF
ECHO ------------------------------------------
ECHO Type "y" to optimize Vista TCP/IP settings
ECHO Type "q" to disable QoS reserved bandwidth
ECHO Type "d" to revert to Vista default values
ECHO Type "n" to cancel patch and exit
ECHO ------------------------------------------
:LOOP
SET /P choice1= Type y,n,q, or d, and press ENTER:
IF /I "%choice1%"=="Y" GOTO TWEAK
IF /I "%choice1%"=="Q" GOTO QOS
IF /I "%choice1%"=="D" GOTO DEFAULT
IF /I "%choice1%"=="N" GOTO CANCEL
:: ELSE
GOTO LOOP
:TWEAK
@ECHO ON
netsh int tcp set global rss=enabled
netsh int tcp set global chimney=enabled
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global congestionprovider=ctcp
netsh int tcp set global ecncapability=disabled
netsh int tcp set global timestamps=disabled
@ECHO OFF
cd %temp%
ECHO > SG_Vista_TcpIp_Patch.reg Windows Registry Editor Version 5.00
ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
ECHO >> SG_Vista_TcpIp_Patch.reg "DefaultTTL"=dword:00000040
ECHO >> SG_Vista_TcpIp_Patch.reg "EnableTCPA"=dword:00000001
ECHO >> SG_Vista_TcpIp_Patch.reg "Tcp1323Opts"=dword:00000001
ECHO >> SG_Vista_TcpIp_Patch.reg "TCPMaxDataRetransmissions"=dword:00000007
ECHO >> SG_Vista_TcpIp_Patch.reg "TCPTimedWaitDelay"=dword:0000001e
ECHO >> SG_Vista_TcpIp_Patch.reg "SynAttackProtect"=dword:00000001
ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
ECHO >> SG_Vista_TcpIp_Patch.reg "LocalPriority"=dword:00000004
ECHO >> SG_Vista_TcpIp_Patch.reg "HostsPriority"=dword:00000005
ECHO >> SG_Vista_TcpIp_Patch.reg "DnsPriority"=dword:00000006
ECHO >> SG_Vista_TcpIp_Patch.reg "NetbtPriority"=dword:00000007
regedit /s SG_Vista_TcpIp_Patch.reg
del SG_Vista_TcpIp_Patch.reg
CLS
ECHO * PATCH SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT *
GOTO SUCCESS
:QOS
@ECHO OFF
cd %temp%
ECHO > SG_Vista_TcpIp_Patch.reg Windows Registry Editor Version 5.00
ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched]
ECHO >> SG_Vista_TcpIp_Patch.reg "NonBestEffortLimit"=dword:00000000
regedit /s SG_Vista_TcpIp_Patch.reg
del SG_Vista_TcpIp_Patch.reg
CLS
ECHO * QOS PATCH SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT *
ECHO.
ECHO * Visit SpeedGuide.net for more broadband info and tweaks *
ECHO.
@PAUSE
EXIT
:DEFAULT
@ECHO ON
netsh int tcp set global rss=default
netsh int tcp set global chimney=default
netsh int tcp set global autotuninglevel=normal
netsh int tcp set global congestionprovider=default
netsh int tcp set global ecncapability=default
netsh int tcp set global timestamps=default
@ECHO OFF
cd %temp%
ECHO > SG_Vista_TcpIp_Default.reg Windows Registry Editor Version 5.00
ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
ECHO >> SG_Vista_TcpIp_Default.reg "DefaultTTL"=-
ECHO >> SG_Vista_TcpIp_Default.reg "EnableTCPA"=-
ECHO >> SG_Vista_TcpIp_Default.reg "Tcp1323Opts"=dword:00000000
ECHO >> SG_Vista_TcpIp_Default.reg "TCPMaxDataRetransmissions"=dword:000000ff
ECHO >> SG_Vista_TcpIp_Default.reg "TCPTimedWaitDelay"=dword:ffffffff
ECHO >> SG_Vista_TcpIp_Default.reg "SynAttackProtect"=-
ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
ECHO >> SG_Vista_TcpIp_Default.reg "LocalPriority"=dword:000001f3
ECHO >> SG_Vista_TcpIp_Default.reg "HostsPriority"=dword:000001f4
ECHO >> SG_Vista_TcpIp_Default.reg "DnsPriority"=dword:000007d0
ECHO >> SG_Vista_TcpIp_Default.reg "NetbtPriority"=dword:000007d1
ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched]
ECHO >> SG_Vista_TcpIp_Default.reg "NonBestEffortLimit"=-
regedit /s SG_Vista_TcpIp_Default.reg
del SG_Vista_TcpIp_Default.reg
CLS
ECHO * VISTA DEFAULT VALUES SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT *
GOTO SUCCESS
:SUCCESS
netsh int tcp show global
@PAUSE
EXIT
:CANCEL
CLS
ECHO * PATCH CANCELLED BY USER - PRESS ANY KEY TO EXIT *
@PAUSE
EXIT