How to install (D)DoS Deflate and APF (Advanced Policy Firewall) to block bad IPs

Hello.

You could probably find tutorials using Google, but here it is, all in one place.

A few days ago I had problems with one of the servers I administer, and the situation on the server was as follows:
- totally slow network, websites were loading in 10-20 sec (30)
- at first I thought, ok, slow loading, server load is high and some client is causing problems
- after connecting to the server and checking statistics: server CPU was at 20-30% all the time, memory was fine, all services were up and running, so where is the problem?
- the server wasn't on the latest #MU, it was just missing 2-3 updates (I'm talking about Plesk 11.5) and I could see in the history of changes no security updates whatsoever, but whatever, let's give it a try - nothing, didn't help
- I did apt-get update && upgrade - still nothing
- current status was that everything was up-to-date, but there were still problems
- listing connections on the server with command:
- there were so many connections from a few IPs that I was like wow... after blocking them, server status was normal again (probably some kind of DDoS attack)

At this point, since Plesk doesn't have something like CSF on cPanel, I knew I needed something to block these "bad" IPs, or at least the ones with a lot of connections, automatically, without me doing it manually.

After using Google, searching and reading documentation, I successfully installed (D)DoS Deflate and APF (Advanced Policy Firewall).

What is (D)DOS deflate?
http://deflate.medialayer.com/

What is APF (Advanced Policy Firewall)?
https://www.rfxn.com/projects/advanced-policy-firewall/

What can you do with these two / what do they do? For a start, please take 5-10 mins and read the links above about what they are.
- you can set up cron to run every X minutes to check the number of connections (I personally run the script every minute, why not? it only lists IP addresses and that takes a few seconds, there is no load on your CPU; you can even set it up to run under nice, if you want to)
- the script automatically blocks an IP address if there are more than XX connections from it - you specify the number in the configuration (more later)
- you can at any time unblock/block a current/new IP address (more later) // make sure you whitelist your local IP address from the office or your local network range, or you might end up like me, blocked, and then laugh hahaha; well, the good thing is I could switch to another internet provider, change IP and then connect to the server -> unblock myself -> whitelist myself
- an email is sent to you (root)
- you choose the ban period (in addition you can block a whole IP/network range with APF permanently - more later)
- with APF you choose which ports you would like to open on the server; all other ports will not work (firewall)
- if I forgot something, I will probably mention it later on when explaining everything

Installation:
(D)DOS Deflate:
# wget http://www.inetbase.com/scripts/ddos/install.sh
# chmod 0700 install.sh
# ./install.sh

APF (Advanced Policy Firewall):
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
# tar xfz apf-current.tar.gz
# cd apf-9.*
# ./install.sh

After installation, let's configure the settings.

First, let's edit the "Deflate" conf:
# nano /usr/local/ddos/ddos.conf

- the config file will look like this one:
Change the following as follows:
- NO_OF_CONNECTIONS - I chose something like 150; I think that is a pretty high number and everything above that should be blocked - you can set this lower, let's say 75-150, but don't go above 300 or 500, that is way too much!
- APF_BAN - leave this at 1, as we configure APF for this one
- EMAIL_TO - the email will come to your address, if of course you want to receive emails (I don't see why not; create a new folder in your mail and filter the messages, as there might be a lot of them)
- BAN_PERIOD - I strongly suggest that you set this to something like 1800-3600 (30-60 mins); don't set this number very low, it is better to set a higher number. If customers complain because some of them got blocked, you can unblock them in a matter of seconds; the question is, what were they doing to get e.g. 300 connections and get blocked?
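As an added example (not code from DDoS Deflate or APF, and not from the original post), here is a small POSIX shell script that does the core of what the cron-driven check described above does: it counts connections per remote IP from netstat-style output, skips a whitelist (the office IP mentioned earlier), and reports the IPs over the threshold, which is the role NO_OF_CONNECTIONS plays in ddos.conf. The netstat lines, the whitelist address and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: per-IP connection counting with a whitelist and threshold.
# Not part of DDoS Deflate or APF; sample data below is constructed.

# Constructed sample in the shape of `netstat -ntu` output
# (5th column is the remote ip:port).
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:80 203.0.113.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:51235 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.9:40001 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:51236 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.10:60000 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.10:60001 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.10:60002 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:51237 ESTABLISHED'

# Hypothetical whitelist, one IP per line (e.g. your office address).
WHITELIST='192.0.2.10'

# count_per_ip: read netstat lines on stdin and print "<count> <ip>",
# highest count first. The trailing ":port" is stripped from column 5,
# which also keeps IPv6 addresses intact.
count_per_ip() {
    awk '{ sub(/:[^:]*$/, "", $5); print $5 }' | sort | uniq -c |
        sort -rn | awk '{ print $1, $2 }'
}

# offenders: read netstat lines on stdin and print every IP with more
# than $1 connections that is not on the whitelist (strictly "more than",
# matching the NO_OF_CONNECTIONS semantics).
offenders() {
    threshold="$1"
    count_per_ip | while read -r count ip; do
        [ "$count" -gt "$threshold" ] || continue
        if printf '%s\n' "$WHITELIST" | grep -qxF "$ip"; then
            continue            # whitelisted, never report
        fi
        printf '%s\n' "$ip"
    done
}

# sample_offenders: run the check over the constructed sample.
sample_offenders() {
    printf '%s\n' "$SAMPLE_NETSTAT" | offenders "$1"
}

sample_offenders 2
```

In real use the reported IPs are what the cron job hands to APF (`apf -d`) for the configured BAN_PERIOD; the script above only reports them.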

Now, let's configure the APF conf:
- this conf is really well commented by default, so you can read it
- before going into the config file, you'll need to use the command "ifconfig" in order to find out which ethX you're running on (most likely eth0 or eth1, but it can be different)
- since the file is pretty big, I will post just the things that are mandatory in order to make it work and have it up and running

# nano /etc/apf/conf.apf (find the variables and replace them)
- DEVEL_MODE="0" (set this option to 1 until you're happy with the settings)
- IFACE_IN="eth0" (set this to whatever the result from ifconfig is)
- IFACE_OUT="eth0" (same as IFACE_IN)
- IG_TCP_CPORTS="21" (make sure you include here all email ports, the SSH port and website ports, because if you leave the default value here, no website/email will be working on the server) - mine is set to something like this:
- the same goes for the variables IG_UDP_CPORTS, EG_TCP_CPORTS, EG_UDP_CPORTS

_____

Let's try to start everything and DEBUG:
- Restart DDoS Deflate
# cd /usr/local/ddos/ && ./ddos.sh -c
- great, an error before we even started... let's fix it
# nano /usr/local/ddos/ddos.sh

- as the error said, line 13 is the problem:
change it to
- save the file with the changes and restart Deflate again:
# cd /usr/local/ddos/ && ./ddos.sh -c
- on some distributions and OSes this will work, but I'm running Debian 7 here and there is no crond startup script, just cron, so let's edit the file again:
# nano /usr/local/ddos/ddos.sh
- find and replace all crond with cron (only if you get this error) - on lines 70 and 81 you will see "service crond restart", change it to "service cron restart"
- save the file and exit
- restart Deflate again with:
# cd /usr/local/ddos/ && ./ddos.sh -c

- now we've successfully restarted Deflate, let's start APF now with the command:
# /usr/local/sbin/apf -s

There are also other commands/parameters you can use:
-s - start APF
-r - restart APF
-f - stop APF (if something is not working, stop APF immediately, debug later)
-l - list statistics
-st - status of APF
-u - unban IP (in case you want to unban some IP that is already banned and you see it when running "/usr/local/sbin/apf -l"; the syntax is "/usr/local/sbin/apf -u IP")
-a host - allow connections from "host" (e.g. if you want to whitelist an IP, example: /usr/local/sbin/apf -a XX.XX.0.0/16 - you can include just a single IP or a whole network)
-d host - deny connections from "host" (same as the above example, you're just using -d)

How do you know if this is working? Simply check the connections from the IP with the command:
If you've set up email in ddos.conf and there is an IP with more connections than the defined NO_OF_CONNECTIONS, you will receive an email. You can also see that IP in the file "/etc/apf/deny_hosts.rules" at the bottom of the file (please note that the IP will be in the file only as long as you specified in BAN_PERIOD).

If you need to unblock an IP address, simply remove its line in "/etc/apf/deny_hosts.rules" and restart APF with the command:
# /usr/local/sbin/apf -r

To make everything work, set up cron under your root user as follows:
* * * * * cd /usr/local/ddos/ && ./ddos.sh (this will check for new IP connections and block them - setting up cron is MANDATORY, however, schedule it according to your needs)

Please read their comments in configuration carefully if you're changing something that I didn't mention here.

Feel free to ask any question. I will update this topic in case I find something additional that could be useful.
