Jul 30 2008

[Linux] Installing automatic protection from DoS and DDoS attacks to your server

Category: Articles, Linux administration. FractalizeR @ 3:11 pm

For several months a server I was responsible for was under a DDoS attack that almost flooded it. Due to my lacking Linux skills, I almost lost hope of protecting it myself and started to think about paying a specialist to protect my server.

But suddenly I found a miraculous and VERY easy to install and use solution that I want to share with you today.

DDoS-Deflate

DDoS-Deflate is a couple of bash scripts that run every X minutes, count the connections to your server from every IP address using the netstat command, and temporarily blacklist IPs that have more than Y active connections at the moment the script runs. Blacklisting is done using either iptables or APF, whichever you have installed. Simple! Note what this does and does not cover: it only counts connections per source IP, so it catches a single noisy client (or bots that each open many connections), but not a distributed attack in which every source stays below the threshold.

Installation

To install the DDoS protection scripts, execute the following commands from the console as root. Read install.sh before running it: it is fetched over plain HTTP, so nothing verifies that what arrives is the author's script, and it will run with root privileges.

cd /usr/local
mkdir mytmp
cd mytmp
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

That’s all… :)

Configuration

To configure DDOS-Deflate (that’s the name of this script) do the following:

cd /usr/local/ddos
edit ddos.conf

The last line opens the ddos.conf file in an editor. You can use vi if you like; I chose edit because I am a Windows user and edit has an interface familiar to me.

Let’s consider all available settings one by one:

PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

These are the locations of the programs and files the script uses. I recommend leaving them as they are; they should suit the majority of systems. BTW, if your system doesn't have APF, that is fine: the script can work with iptables too.

FREQ=1

This setting controls how often (in minutes) the protection script is executed. After changing this parameter, execute the command

ddos --cron

to update the cron schedule.

NO_OF_CONNECTIONS=150

This is the maximum number of connections a single IP address may have open to your server before it is blacklisted. I recommend setting this to about 20-40, depending on your server. Keep in mind that the count is per source IP and covers every connection netstat lists, so a busy office or proxy sitting behind one NAT address adds up quickly.

BTW, don't repeat my mistake 😉 Should you decide to use software that opens really many connections to your server, like the FileZilla FTP client (it spawns many FTP connections to upload your folder ASAP), you will get blocked 😉

APF_BAN=1

If you have APF, set this to 1. If you don't, the script will use iptables. To check whether you have APF, execute the command

apf

or simply check that /etc/apf/apf (the path from ddos.conf above) exists.

If you want to use iptables, don't forget to start the service (the commands below are for Red Hat-style systems such as CentOS) with

service iptables start

and to have it load at system startup with

chkconfig iptables on

KILL=1

If you are just testing the script, set this to 0. In that case IPs will not get banned.

EMAIL_TO="root"

Reports about blacklisted IPs are mailed to this address. Left at root, they only land in the local root mailbox, which amounts to skipping email unless you read that mailbox or have an alias for root.

BAN_PERIOD=600

Set this to the number of seconds for which an intruder is blocked. I recommend 1800-3600 (30-60 minutes).

You can also whitelist IPs by adding them to /usr/local/ddos/ignore.ip.list. Put the address you administer the server from there first, so that a too-low NO_OF_CONNECTIONS cannot lock you out.
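As an added example, not DDoS-Deflate's own code, here is a dry-run version of the check cycle described under DDoS-Deflate above, driven by the same ddos.conf settings just covered (NO_OF_CONNECTIONS, APF_BAN, KILL, BAN_PERIOD, IGNORE_IP_LIST). The netstat snapshot is constructed, and the APF -d (deny) and -u (remove) flags used for the ban and unban are an assumption. Unlike a bare `cut -d: -f1` on netstat output, the parser keeps only protocol rows, strips the port from the end of the address and unmaps ::ffff: addresses, which is the kind of header-line and IPv6 problem reported in the comments below.

```shell
#!/bin/sh
# Added example (not DDoS-Deflate's own code): a dry-run version of the
# check cycle, driven by ddos.conf-style variables. Defaults follow ddos.conf.
IPT=${IPT:-/sbin/iptables}
APF=${APF:-/etc/apf/apf}
APF_BAN=${APF_BAN:-0}
KILL=${KILL:-0}                 # 0 = only report what would be banned
BAN_PERIOD=${BAN_PERIOD:-600}
NO_OF_CONNECTIONS=${NO_OF_CONNECTIONS:-150}
IGNORE_IP_LIST=${IGNORE_IP_LIST:-/usr/local/ddos/ignore.ip.list}

# Constructed `netstat -ntu` snapshot (not a real capture). It has the two
# header lines, an IPv4-mapped IPv6 peer (::ffff:a.b.c.d) and a native IPv6
# peer; `cut -d: -f1` on these rows would yield "Address", "" and "2001".
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:55002        ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51237 ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::99:60000      ESTABLISHED
udp        0      0 10.0.0.5:53             198.51.100.9:40002      ESTABLISHED'

# Print the remote IP of every connection on stdin, one per line: keep only
# protocol rows, strip the trailing ":port", and unmap IPv4-mapped IPv6 so
# that a client seen over both tcp and tcp6 is counted once.
peer_ips() {
    awk '$1 ~ /^(tcp|udp)/ {
        addr = $5
        sub(/:[0-9]+$/, "", addr)
        sub(/^::ffff:/, "", addr)
        if (addr != "") print addr
    }'
}

# "count ip" per remote IP, busiest first (same shape as uniq -c | sort -nr).
count_peers() {
    peer_ips | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# usage: offenders THRESHOLD [IGNORE_FILE] < netstat-output
# IPs with at least THRESHOLD connections that are not in the ignore file
# (one IP per line; a missing file simply whitelists nothing).
offenders() {
    off_threshold=$1
    off_ignore=${2:-/dev/null}
    count_peers | awk -v t="$off_threshold" -v ignore="$off_ignore" '
        BEGIN { while ((getline line < ignore) > 0) if (line != "") skip[line] = 1 }
        $1 + 0 >= t + 0 && !($2 in skip) { print $2 }'
}

# Ban one IP as APF_BAN/KILL/BAN_PERIOD select. KILL=0 only reports the
# commands; KILL=1 applies the block (needs root) and schedules the unban
# with a background sleep. Assumption: APF uses -d to deny and -u to remove.
ban_ip() {
    ip=$1
    if [ "$APF_BAN" -eq 1 ]; then
        ban="$APF -d $ip"
        unban="$APF -u $ip"
    else
        ban="$IPT -I INPUT -s $ip -j DROP"
        unban="$IPT -D INPUT -s $ip -j DROP"
    fi
    if [ "$KILL" -eq 1 ]; then
        if $ban; then                       # unquoted on purpose: run the command string
            ( sleep "$BAN_PERIOD" && $unban ) &
        fi
    else
        echo "DRY-RUN: $ban ; sleep $BAN_PERIOD ; $unban"
    fi
}

# One cron cycle: read netstat output on stdin and ban every offender.
check_cycle() {
    offenders "$NO_OF_CONNECTIONS" "$IGNORE_IP_LIST" | while read -r ip; do
        ban_ip "$ip"
    done
}

# Dry run over the constructed snapshot with a deliberately low threshold.
demo() {
    ( NO_OF_CONNECTIONS=3; KILL=0; IGNORE_IP_LIST=/dev/null
      printf '%s\n' "$SAMPLE_NETSTAT" | check_cycle )
}
```

Source the file and call `demo` to see the two dry-run ban lines for the snapshot; for live use, source it as root and run `netstat -ntu | check_cycle` with KILL=1 and your real threshold. As in the original, every connection netstat lists is counted, TIME_WAIT included, so pick the threshold with that in mind.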

Uninstallation

You can always uninstall DDoS-Deflate by executing

cd /usr/local/mytmp
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

That’s all!


5 Responses to “[Linux] Installing automatic protection from DoS and DDoS attacks to your server”

  1. what is the better way to protect my server from DDos Attack - Security - The UNIX and Linux Forums says:

    […] simple (D)DOS attacks. Script itself is here. I wrote a small article on how to install and use it here. Next step can be installing mod_dosevasive for Apache to get rid of HTTP DDOS […]

  2. bristol says:

    Thanks for your instructions!
    I followed them and have received a couple of emails from the script, and both report something like:

    Banned the following ip addresses on Wed Jan 7 22:15:01 UTC 2009
    36 with 36 connections

    There seems to be something wrong. Any ideas?
    Thanks.

  3. bristol says:

    Fixed:

    Change line 117 in ddos.sh to:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sed -n '/[0-9]/p' | sort | uniq -c | sort -nr > $BAD_IP_LIST

    This will pass through only lines containing numbers (i.e. IP addresses).

  4. FractalizeR says:

    Glad it helped :) ddos.sh was not written by me, so I cannot change the source. But thanks for the comment.
