Install and configure APF and (D)DOS-Deflate
A website we support was recently subjected to a distributed vulnerability scan that behaved much like a DoS attack.
Countermeasures were taken, and that led to this post: a detailed tutorial on how to install and configure APF (Advanced Policy Firewall) and (D)DoS-Deflate.
APF
What is APF (Advanced Policy Firewall)?
Advanced Policy Firewall (APF) is an iptables (netfilter) based firewall system designed around the essential needs of today's Linux servers. The configuration is designed to be very informative and easy to follow. Day-to-day management is done from the command line with the 'apf' command, which includes detailed usage information on all the features.
Requirements:
- Root SSH access to your server
Install
Log in to your server through SSH and su to the root user.
- cd /root/downloads (or another temporary folder where you keep downloaded files)
- wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
- tar -xvzf apf-current.tar.gz
- cd apf-0.9.5-1/ (or whatever the latest version is)
- Run the install file: ./install.sh
You will receive a message saying it has been installed:
.: APF installed
Install path: /etc/apf
Config path: /etc/apf/conf.apf
Executable path: /usr/local/sbin/apf
- Configure the firewall (I mostly use the nano editor): nano /etc/apf/conf.apf
General configuration to get your firewall running. This isn't a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.
You may like to use DShield.org's "block" list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"
- Configuring firewall ports
Recommended settings for cPanel servers
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports - 3000_3500 = passive port range for Pure-FTPd
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Recommended settings for Ensim servers
Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"
Common egress (outbound) ports
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"
Recommended settings for Plesk servers
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,4643,5224,8443,8447,10000,35000_35999"
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="20,21,53,1040"
# Common ICMP (inbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"
# Common egress (outbound) TCP ports
EG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,3306,5224,8443,10000,35000_35999"
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,37,53,123,1040"
# Common ICMP egress (outbound) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
Note that the port lists must not contain spaces; only the ports you actually serve should be opened, and the passive FTP range only if you run an FTP daemon configured for it.
Save your changes! Ctrl + X then y (nano editor)
- Start the firewall: apf -s
Other commands:
usage /usr/local/sbin/apf [OPTION]
-s|--start ............. load firewall policies
-r|--restart ........... flush & load firewall
-f|--flush|--stop ...... flush firewall
-l|--list .............. list chain rules
-st|--status ........... firewall status
-a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall
- After everything is working, change the DEVEL_MODE option: nano /etc/apf/conf.apf
# Set firewall cronjob (devel mode)
# 1 = enabled / 0 = disabled
DEVEL_MODE="0"
While DEVEL_MODE is "1", APF installs a cron job that flushes the firewall every few minutes, so a mistake in the rule set cannot lock you out of the server. It is recommended to change this back to "0" once you've had a chance to ensure everything is working well and have tested the server.
Save your changes! Ctrl + X then y
Restart the firewall: apf -r
- Make APF start automatically at boot time
To autostart apf on reboot, run this:
chkconfig --level 2345 apf on
To remove it from autostart, run this:
chkconfig --del apf
What is (D)DoS-Deflate?
MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large number of connections to the server, as shown by:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It became a general practice for us to block IPs with a large number of connections, but we wanted to get this automated. Zaf created a script to mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting's forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.
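The counting step above is the heart of (D)DoS-Deflate. As an added illustration (not code from the post or from the DOS-Deflate project), the following POSIX shell script runs the same per-IP pipeline over a constructed netstat snapshot, applies a NO_OF_CONNECTIONS-style threshold, and prints the apf -d command that would be issued for each offender without executing it; the sample data and the function names are assumptions.

```shell
#!/bin/sh
# Added example: per-IP connection counting as DOS-Deflate does it.
# Constructed sample of `netstat -ntu` output (documentation address ranges):
# 5 connections from 203.0.113.7, 2 from 198.51.100.9, 1 from 192.0.2.1.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51002       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.7:51003       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51004       TIME_WAIT
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.1:5353          ESTABLISHED'

# count_connections: reads netstat output on stdin and prints "<count> <ip>"
# in ascending order, like the pipeline in the post. Header lines are dropped
# by keeping only rows whose 5th field looks like addr:port. Note that
# `cut -d: -f1`, as in the original one-liner, truncates IPv6 addresses at
# their first colon, so this only counts IPv4 peers correctly.
count_connections() {
    awk '$5 ~ /:/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# offenders THRESHOLD: prints IPs with more than THRESHOLD connections
# (the role NO_OF_CONNECTIONS plays in ddos.conf).
offenders() {
    threshold="$1"
    count_connections | awk -v t="$threshold" '$1 > t {print $2}'
}

# plan_bans THRESHOLD: dry run. Shows the apf command DOS-Deflate would run
# for each offender when KILL=1 and APF_BAN=1, without actually banning.
plan_bans() {
    offenders "$1" | while read -r ip; do
        echo "apf -d $ip"
    done
}

# Demo on the constructed snapshot with a low threshold of 3.
printf '%s\n' "$SAMPLE_NETSTAT" | plan_bans 3
```

Run it against live data with netstat -ntu | plan_bans 150 to see what the default ddos.conf threshold would select on your server before enabling KILL=1.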
Install
- Login to your server as root
- Download the install script
- Run the installer: sh install.sh
DOS-Deflate should now be installed.
Please note that DOS-Deflate uses APF to ban IPs so you must have it installed for DOS-Deflate to work properly.
Customizing DOS-Deflate is very easy: edit /usr/local/ddos/ddos.conf with your favourite editor,
e.g. nano /usr/local/ddos/ddos.conf
Every setting is explained in the configuration file.
e.g.
##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150
##### APF_BAN=1 (Make sure your APF version is at least 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1
##### KILL=0 (Bad IPs aren't banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1
##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"
##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=600
(You can experiment with the above settings, e.g. during a period of frequent DoS attacks you can lower NO_OF_CONNECTIONS to 50 and/or increase BAN_PERIOD. Check first with KILL=0 that legitimate sources such as your own proxies or monitoring hosts do not exceed the threshold, or they will be banned as well.)
Save your changes! Ctrl + X then y