1. inathan

    inathan Banned

    Oct 11, 2011
    38
    DDoS protection is a big part of a sysadmin's job these days, especially on big forums/hosts.
    Obviously, the best plan would be to buy another server, set up a Cisco firewall on it and reroute all traffic to the main server. Unfortunately, this would require funds for another dedicated server.

    So, the only solution that would work right now is using the box itself as a firewall. This tutorial is for cPanel.

    First things first, we make sure that everything is up to date.

    Code:
    yum update && yum upgrade
    Ok, time to install a decent firewall. Because this server is running cPanel, we may as well use a firewall that integrates into cPanel. This is just to allow for easy configuration, CSF is great so we shall be installing that.

    Code:
    wget http://www.configserver.com/free/csf.tgz
    tar -xzvf csf.tgz
    cd csf
    sh install.sh
    Simple as that! Now we need to configure the firewall. Log into http://IP:2086 in an internet browser using your root username and password. Click ConfigServer Security & Firewall under Plugins. Click Firewall Configuration.

    Code:
    TESTING = 0
    SYN_FLOOD = 1
    PORTFLOOD = 80
    DENY_TEMP_IP_LIMIT  = 100000
    And click 'change'. Restart csf+lfd then return. Next go to firewall security level. Click High then restart csf+lfd.

    Next, we need some extra firewall rules to filter the common packets found in DDoS attacks. We will also limit the number of connections allowed to the server.

    Code:
    # SYN cookies let the kernel keep accepting connections when the SYN backlog is exhausted
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Limit each source address to 100 concurrent connections to port 80 ("! -d" is the current spelling of the old "-d !")
    iptables -A INPUT -p tcp --syn --dport 80 ! -d 127.0.0.1 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
    # Drop TCP flag combinations that never occur in legitimate traffic (null, SYN/FIN, SYN/RST, Xmas-style packets)
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
    # Drop anything the connection tracker cannot classify
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    
    # Rate-limiting chains. Note the limit module counts all sources together, not per source IP,
    # so 1/second is a very low ceiling for a busy web server; raise it to suit your traffic.
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 1/second --limit-burst 4 -j RETURN
    iptables -A syn-flood -j DROP
    
    iptables -N udp-flood
    iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
    iptables -A udp-flood -j DROP
    
    # Send new SYNs (SYN set; RST, ACK and FIN clear) through the syn-flood chain.
    # The widely copied "SYN,RST,ACK,FIN SYN,ACK" form matches SYN-ACK replies rather than SYNs, so SYN alone is used here.
    iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j syn-flood # SYN flood
    iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -i eth0 -p udp -j udp-flood
    # Drop fragments
    iptables -A INPUT -i eth0 -f -j DROP
    service iptables save
    # CSF rebuilds the iptables rule set when it restarts; to keep these rules, put them in /etc/csf/csfpre.sh as well
    Next, we will install some connection-based IP banning. There is some software called ddos_deflate that we are going to use.
    Download ddos_deflate.

    Code:
    wget http://www.inetbase.com/scripts/ddos/install.sh
    sh install.sh
    Great, that's installed. Now we need to change some settings.

    Code:
    nano /usr/local/ddos/ddos.conf
    And set these vars:
    Code:
    NO_OF_CONNECTIONS=100
    EMAIL_TO="[email protected]"
    BAN_PERIOD=12000
    APF_BAN=0
    Save the file and exit. Next we need to modify ddos_deflate to work with CSF.

    Code:
    nano /usr/local/ddos/ddos.sh
    On line 138 there should be this text

    Code:
    $IPT -I INPUT -s $CURR_LINE_IP -j DROP
    Change that line to

    Code:
    csf -d $CURR_LINE_IP
    Then link the script into the path:

    Code:
    cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
    I also have a mod of ddos_deflate to work with SYN packets. There was once a program called syn_deflate that was exactly this, however the script stopped being made available and was lost forever!

    Code:
    mkdir /usr/local/synd
    nano /usr/local/synd/synd.conf
    The contents of synd.conf:

    Code:
    ##### Paths of the script and other files
    PROGDIR="/usr/local/synd"
    PROG="/usr/local/synd/synd.sh"
    IGNORE_IP_LIST="/usr/local/synd/ignore.ip.list"
    CRON="/etc/cron.d/synd.cron"
    APF="/etc/apf/apf"
    IPT="/sbin/iptables"
    
    ##### frequency in minutes for running the script
    ##### Caution: Every time this setting is changed, run the script with --cron
    #####          option so that the new frequency takes effect
    FREQ=1
    
    ##### How many connections define a bad IP? Indicate that below.
    NO_OF_CONNECTIONS=10
    
    ##### APF_BAN=1 (Make sure your APF version is at least 0.96)
    ##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
    APF_BAN=0
    
    ##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
    ##### KILL=1 (Recommended setting)
    KILL=1
    
    ##### An email is sent to the following address when an IP is banned.
    ##### Blank would suppress sending of mails
    EMAIL_TO="[email protected]"
    
    ##### Number of seconds the banned ip should remain in blacklist.
    BAN_PERIOD=12000
    Next, the ignore list:

    Code:
    nano /usr/local/synd/ignore.ip.list
    The contents of ignore.ip.list:

    Code:
    127.0.0.1
    external.ip.address
    And the script itself:

    Code:
    nano /usr/local/synd/synd.sh
    The contents of synd.sh:

    Code:
    #!/bin/sh
    # Load synd.conf. "." is used instead of bash's "source" and "-n" instead of "==" so the script runs under /bin/sh.
    load_conf()
    {
        CONF="/usr/local/synd/synd.conf"
        if [ -n "$CONF" ] && [ -f "$CONF" ]; then
            . "$CONF"
        else
            head
            echo "\$CONF not found."
            exit 1
        fi
    }
    
    # Banner (this function name shadows the head(1) command inside the script)
    head()
    {
        echo "Syn-Deflate"
        echo "Based on DoS-Deflate"
        echo
    }
    
    showhelp()
    {
        head
        echo 'Usage: synd.sh [OPTIONS] [N]'
        echo 'N : number of SYN_RECV connections (default 10)'
        echo 'OPTIONS:'
        echo '-h | --help: Show this help screen'
        echo '-c | --cron: Create cron job to run this script regularly (default 1 mins)'
        echo '-k | --kill: Block the offending ip making more than N SYN_RECV connections'
    }
    
    unbanip()
    Make it executable, link it into the path and install the cron job:

    Code:
    chmod 0755 /usr/local/synd/synd.sh
    cp -s /usr/local/synd/synd.sh /usr/local/sbin/synd
    /usr/local/synd/synd.sh --cron > /dev/null 2>&1
    And we are all done! The server now has some pretty intense DDoS protection.

    Windows DDoS Protection: Optimising the TCP/IP stack

    Open Notepad and save the following as run.cmd.
    Press Y to run the tweak, then Q at the menu to disable QoS.

    Code:
    CLS 
    @ECHO OFF 
    ECHO  ------------------------------------------ 
    ECHO  Type "y" to optimize Vista TCP/IP settings 
    ECHO  Type "q" to disable QoS reserved bandwidth 
    ECHO  Type "d" to revert to Vista default values 
    ECHO  Type "n" to cancel patch and exit 
    ECHO  ------------------------------------------ 
    :LOOP 
    SET /P choice1= Type y,n,q, or d, and press ENTER:    
    IF /I "%choice1%"=="Y" GOTO TWEAK 
    IF /I "%choice1%"=="Q" GOTO QOS 
    IF /I "%choice1%"=="D" GOTO DEFAULT 
    IF /I "%choice1%"=="N" GOTO CANCEL 
    :: ELSE 
    GOTO LOOP 
     
    :TWEAK 
    @ECHO ON 
    netsh int tcp set global rss=enabled 
    netsh int tcp set global chimney=enabled 
    netsh int tcp set global autotuninglevel=normal 
    netsh int tcp set global congestionprovider=ctcp 
    netsh int tcp set global ecncapability=disabled 
    netsh int tcp set global timestamps=disabled 
    @ECHO OFF 
    cd %temp% 
    ECHO > SG_Vista_TcpIp_Patch.reg Windows Registry Editor Version 5.00   
    ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]  
    ECHO >> SG_Vista_TcpIp_Patch.reg "DefaultTTL"=dword:00000040 
    ECHO >> SG_Vista_TcpIp_Patch.reg "EnableTCPA"=dword:00000001 
    ECHO >> SG_Vista_TcpIp_Patch.reg "Tcp1323Opts"=dword:00000001 
    ECHO >> SG_Vista_TcpIp_Patch.reg "TCPMaxDataRetransmissions"=dword:00000007 
    ECHO >> SG_Vista_TcpIp_Patch.reg "TCPTimedWaitDelay"=dword:0000001e 
    ECHO >> SG_Vista_TcpIp_Patch.reg "SynAttackProtect"=dword:00000001 
    ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider] 
    ECHO >> SG_Vista_TcpIp_Patch.reg "LocalPriority"=dword:00000004 
    ECHO >> SG_Vista_TcpIp_Patch.reg "HostsPriority"=dword:00000005 
    ECHO >> SG_Vista_TcpIp_Patch.reg "DnsPriority"=dword:00000006 
    ECHO >> SG_Vista_TcpIp_Patch.reg "NetbtPriority"=dword:00000007 
    regedit /s SG_Vista_TcpIp_Patch.reg 
    del SG_Vista_TcpIp_Patch.reg 
    CLS 
    ECHO  * PATCH SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT * 
    GOTO SUCCESS 
     
    :QOS 
    @ECHO OFF 
    cd %temp% 
    ECHO > SG_Vista_TcpIp_Patch.reg Windows Registry Editor Version 5.00   
    ECHO >> SG_Vista_TcpIp_Patch.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched]  
    ECHO >> SG_Vista_TcpIp_Patch.reg "NonBestEffortLimit"=dword:00000000 
    regedit /s SG_Vista_TcpIp_Patch.reg 
    del SG_Vista_TcpIp_Patch.reg 
    CLS 
    ECHO  * QOS PATCH SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT * 
    ECHO. 
    ECHO  * Visit SpeedGuide.net for more broadband info and tweaks * 
    ECHO. 
    @PAUSE 
    EXIT 
     
    :DEFAULT 
    @ECHO ON 
    netsh int tcp set global rss=default 
    netsh int tcp set global chimney=default 
    netsh int tcp set global autotuninglevel=normal 
    netsh int tcp set global congestionprovider=default 
    netsh int tcp set global ecncapability=default 
    netsh int tcp set global timestamps=default 
    @ECHO OFF 
    cd %temp% 
    ECHO > SG_Vista_TcpIp_Default.reg Windows Registry Editor Version 5.00   
    ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]  
    ECHO >> SG_Vista_TcpIp_Default.reg "DefaultTTL"=- 
    ECHO >> SG_Vista_TcpIp_Default.reg "EnableTCPA"=- 
    ECHO >> SG_Vista_TcpIp_Default.reg "Tcp1323Opts"=dword:00000000 
    ECHO >> SG_Vista_TcpIp_Default.reg "TCPMaxDataRetransmissions"=dword:000000ff 
    ECHO >> SG_Vista_TcpIp_Default.reg "TCPTimedWaitDelay"=dword:ffffffff 
    ECHO >> SG_Vista_TcpIp_Default.reg "SynAttackProtect"=- 
    ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider] 
    ECHO >> SG_Vista_TcpIp_Default.reg "LocalPriority"=dword:000001f3 
    ECHO >> SG_Vista_TcpIp_Default.reg "HostsPriority"=dword:000001f4 
    ECHO >> SG_Vista_TcpIp_Default.reg "DnsPriority"=dword:000007d0 
    ECHO >> SG_Vista_TcpIp_Default.reg "NetbtPriority"=dword:000007d1 
    ECHO >> SG_Vista_TcpIp_Default.reg [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Psched]  
    ECHO >> SG_Vista_TcpIp_Default.reg "NonBestEffortLimit"=- 
    regedit /s SG_Vista_TcpIp_Default.reg 
    del SG_Vista_TcpIp_Default.reg 
    CLS 
    ECHO  * VISTA DEFAULT VALUES SUCCESSFULLY APPLIED - PRESS ANY KEY TO EXIT * 
    GOTO SUCCESS 
     
    :SUCCESS 
    netsh int tcp show global 
    @PAUSE 
    EXIT 
      
    :CANCEL 
    CLS  
    ECHO   * PATCH CANCELLED BY USER - PRESS ANY KEY TO EXIT * 
    @PAUSE 
    EXIT
     
    Last edited: Oct 24, 2011
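    The per-IP connection counting that ddos_deflate and the synd.sh mod in the post perform (count connections per remote address from netstat output, skip the ignore list, hand anything over the threshold to csf -d) is shown below as an added example. It is not code from the post, from ddos_deflate or from syn_deflate: the netstat lines, the ignore list and the function names are constructed for the example, and the ban command defaults to an echo so the script can be tried without touching the firewall.

```shell
#!/bin/sh
# Added example (not the post's or ddos_deflate's code): count connections per
# remote IP the way ddos_deflate / the synd.sh mod do, then report the offenders.

# Constructed "netstat -ntu" output. Columns: proto recv-q send-q local foreign state.
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:80     198.51.100.7:40001   SYN_RECV
tcp        0      0 192.0.2.10:80     198.51.100.7:40002   SYN_RECV
tcp        0      0 192.0.2.10:80     198.51.100.7:40003   SYN_RECV
tcp        0      0 192.0.2.10:80     198.51.100.7:40004   SYN_RECV
tcp        0      0 192.0.2.10:80     198.51.100.7:40005   SYN_RECV
tcp        0      0 192.0.2.10:80     203.0.113.5:51000    ESTABLISHED
tcp        0      0 192.0.2.10:80     203.0.113.5:51001    SYN_RECV
tcp        0      0 192.0.2.10:22     127.0.0.1:33000      SYN_RECV
tcp        0      0 192.0.2.10:22     127.0.0.1:33001      SYN_RECV
tcp        0      0 192.0.2.10:22     127.0.0.1:33002      SYN_RECV
tcp        0      0 192.0.2.10:22     127.0.0.1:33003      SYN_RECV
tcp6       0      0 2001:db8::1:80    2001:db8::bad:40000  SYN_RECV'

# Constructed ignore list, one address per line, like /usr/local/synd/ignore.ip.list.
IGNORE_LIST='127.0.0.1'

# Ban command. Defaults to an echo (dry run); set BAN_CMD='csf -d' on a CSF box.
BAN_CMD="${BAN_CMD:-echo csf -d}"

# count_offenders THRESHOLD STATE
# Reads netstat lines on stdin and prints "count ip" for each remote address
# with more than THRESHOLD connections in STATE, skipping the ignore list.
count_offenders() {
    awk -v th="$1" -v st="$2" -v ign="$IGNORE_LIST" '
        BEGIN {
            m = split(ign, a, "\n")
            for (i = 1; i <= m; i++) if (a[i] != "") ignore[a[i]] = 1
        }
        $1 ~ /^tcp/ && $6 == st {
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # strip the port; leaves IPv6 addresses intact
            if (!(ip in ignore)) n[ip]++
        }
        END { for (ip in n) if (n[ip] > th) print n[ip], ip }
    ' | sort -rn
}

# run_check THRESHOLD STATE
# Runs count_offenders over the constructed sample and hands each offender to BAN_CMD.
# Live use would be:  netstat -ntu | count_offenders "$NO_OF_CONNECTIONS" SYN_RECV
run_check() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_offenders "$1" "$2" | while read -r cnt ip; do
        $BAN_CMD "$ip"
    done
}

# Run the demo only when invoked directly with --demo, so sourcing the file has no side effects.
if [ "${1:-}" = "--demo" ]; then
    run_check 3 SYN_RECV
fi
```

    With the threshold set to 3, only 198.51.100.7 (five SYN_RECV entries) is reported; 127.0.0.1 has four but is on the ignore list, and the single-connection hosts stay under the limit. The same threshold logic is what NO_OF_CONNECTIONS controls in ddos.conf and synd.conf.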
  2. Tulip

    Tulip Member

    Sep 30, 2011
    8
    Not a bad tutorial I must say, it covers basic protection within a Linux environment but you cannot beat a good old hardware firewall :D
     
  3. gfxguru

    gfxguru Well-Known Member

    Jul 9, 2009
    951
    nice tut+
     
  4. Kruno

    Kruno Well-Known Member Web Host

    Jun 24, 2009
    1,673
    There is no point running both CSF and ddos deflate. CSF does the same thing (CT_LIMIT).
     
  5. onel0ve

    onel0ve Well-Known Member Web Host

    Aug 19, 2010
    1,275
    As I know, ddos deflate works with APF and it stores IPs into iptables or the APF table.
     
  6. caloss

    caloss Active Member

    Mar 30, 2011
    32
    Good tutorial, this will help stop minor DDoS attacks... if you get a 1GB DDoS attack then the DC will get affected and null your IP... Only a filter service will actually work, or setting up a honeypot on your network.
     
  7. nba517

    nba517 Banned

    Aug 3, 2011
    1,390
    Nice share, is there any one shell script?
     