Comprehensive attack protection (OOG and more)

#1 SoulStar (Member, Join Date: Jun 2020, Location: Russia, Posts: 46)

    Comprehensive attack protection (OOG and more)

    Protection against OOG attacks based on iptables:
    First of all, we create the firewall rules script; you can name it as you wish.
    Code:
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length 500:65535 -j LOG --log-prefix "PW"
    With this rule, we log all game packets on port 29000 with sizes from 500 to 65535 bytes.
    Code:
    # xt_recent caps --hitcount at its ip_pkt_list_tot module parameter (default 20), so the
    # module must be loaded with a larger value first, e.g.: modprobe xt_recent ip_pkt_list_tot=100
    # (or put "options xt_recent ip_pkt_list_tot=100" in /etc/modprobe.d/); otherwise the second rule is refused.
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length 500:65535 -m recent --name packets --set
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length 500:65535 -m recent --name packets --update --seconds 1 --hitcount 100 -j REJECT
    With these rules, we block the user if the server received from him more than 100 packets of size 500-65535 bytes in 1 second on port 29000 (the game port).
    Code:
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length SIZE -m recent --name packet1 --set
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m length --length SIZE -m recent --name packet1 --update --seconds 15 --hitcount 3 -j REJECT
    With these rules, we block users who send more than 3 packets of size SIZE in 15 seconds to port 29000, where SIZE is the packet size in bytes.

    How to track packet size in bytes?
    After the first rule, which logs all game packets, you can see them in the /var/log/syslog file or with the dmesg command in the server console.
    When an attack is going on, syslog will show many identical packets in a short time.
    Code:
    [68003.357231] PW IN=ipip1 OUT= MAC= SRC=USER IP ADRESS DST=*.*.*.* LEN=547 TOS=0x00 PREC=0x00 TTL=241 ID=13328 DF PROTO=TCP SPT=22511 DPT=63947 WINDOW=254 RES=0x00 ACK PSH URGP=0
    In the example above, the packet size is LEN=547.


    With OOG protection sorted out, let's move on to other ways to compete with NewDestiny.
    Account brute-forcing. Everything is completely simple here:
    Code:
    # block brute-force logins
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m conntrack --ctstate NEW -m recent --name brute --set
    iptables -A INPUT -p tcp -m multiport --dports 29000 -m conntrack --ctstate NEW -m recent --name brute --update --seconds 30 --hitcount 3 -j REJECT
    With these rules, we block the user's IP for 30 seconds if he made more than 3 requests to connect to port 29000.

    Recommendations for protecting the server against hacking:
    • Completely restrict all ports other than the game ports with iptables.
    • Connect to the server using SSH key(s) with a passphrase.
    • Use the latest versions of mysql, apache2 and other important packages.
    • After logging OOG traffic, use logrotate; otherwise, when the logs are backed up, your server's RAM will be fully used. This may be a consequence of hacking.
    • Do not use third-party software on the game server.
    • Use a non-standard player password filter. Over several hours, our authorization server saw over 50,000 invalid authorization attempts. 30% of our players matched usernames from these username/password pairs.


    We prefer fair competition; we do not have the time or extra finance for attacks. Do not mess with these people, it can end badly.

    Source: https://emudevs.ru/threads/comprehensive-attack-protection-OOG-and-more.515/
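The post tells you to read LEN values out of syslog by eye and then guess SIZE and threshold values for the xt_recent rules. The script below is an added example, not code from the forum post or from the emudevs thread: it parses the "PW" LOG lines the first rule writes, replays the two `-m recent` thresholds (100 packets of 500..65535 bytes per second; 3 packets of one exact size per 15 seconds) over the log offline, and reports which sources and which LEN values would have been rejected. The sample log lines, the host name `game`, the addresses 10.0.0.x and the helper names (`find_flooders`, `find_repeated_sizes`, `rules_for_size`) are all constructed for this example.

```python
"""Offline replay of the post's xt_recent thresholds over iptables LOG lines.

Added example; not code from the forum post.  It reads syslog lines written by
the '-j LOG --log-prefix "PW"' rule, extracts the kernel timestamp, SRC, LEN
and DPT, and emulates the two 'recent' rules so that SIZE values and
thresholds can be chosen from real traffic before any REJECT rule is loaded.
"""
import re
from collections import defaultdict, deque

# Kernel LOG line: "[uptime] PW IN=... SRC=a.b.c.d ... LEN=547 ... DPT=29000 ..."
LOG_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+PW\s.*?\bSRC=(?P<src>\S+)"
    r".*?\bLEN=(?P<len>\d+).*?\bDPT=(?P<dpt>\d+)"
)


def make_log_line(ts, src, length, dpt=29000):
    """Build a constructed syslog line in the format the LOG target emits."""
    return (f"Jun  5 12:00:00 game kernel: [{ts:.6f}] PW IN=ipip1 OUT= MAC= "
            f"SRC={src} DST=10.0.0.1 LEN={length} TOS=0x00 PREC=0x00 TTL=241 "
            f"ID=13328 DF PROTO=TCP SPT=22511 DPT={dpt} WINDOW=254 RES=0x00 "
            f"ACK PSH URGP=0")


# Constructed sample: 10.0.0.5 sends a burst of identical 547-byte packets,
# 10.0.0.9 sends ordinary traffic, and one unrelated kernel line is mixed in.
SAMPLE_LOG = [
    make_log_line(100.0, "10.0.0.5", 547),
    make_log_line(100.2, "10.0.0.5", 547),
    make_log_line(100.4, "10.0.0.5", 547),
    make_log_line(100.6, "10.0.0.5", 547),
    make_log_line(100.8, "10.0.0.5", 547),
    "Jun  5 12:00:01 game kernel: [101.000000] eth0: link is up",
    make_log_line(101.0, "10.0.0.9", 1200),
    make_log_line(101.5, "10.0.0.9", 1200),
    make_log_line(102.0, "10.0.0.9", 2048),
    make_log_line(103.0, "10.0.0.5", 547),
]


def parse_line(line):
    """Return (ts, src, length, dport) for a PW log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return float(m["ts"]), m["src"], int(m["len"]), int(m["dpt"])


def _records(lines):
    """Parsed PW records in time order (syslog is chronological, but be safe)."""
    return sorted(r for r in map(parse_line, lines) if r is not None)


def _window_hits(keyed_stamps, window, hitcount):
    """Sliding-window counter shared by both rule emulations.

    keyed_stamps: iterable of (key, ts).  Returns {key: ts} for the first
    moment `hitcount` stamps of that key fall within `window` seconds, as
    xt_recent's '--seconds W --hitcount N' counts (a stamp counts while
    now - stamp < W).
    """
    recent = defaultdict(deque)
    flagged = {}
    for key, ts in keyed_stamps:
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:       # drop stamps that have aged out
            q.popleft()
        if len(q) >= hitcount and key not in flagged:
            flagged[key] = ts
    return flagged


def find_flooders(lines, lo=500, hi=65535, window=1.0, hitcount=100):
    """Emulate '--length lo:hi -m recent --seconds window --hitcount hitcount'."""
    stamps = ((src, ts) for ts, src, ln, _ in _records(lines) if lo <= ln <= hi)
    return _window_hits(stamps, window, hitcount)


def find_repeated_sizes(lines, window=15.0, hitcount=3):
    """Emulate the per-SIZE rule; keys are (src, LEN) pairs, LEN is a SIZE candidate."""
    stamps = (((src, ln), ts) for ts, src, ln, _ in _records(lines))
    return _window_hits(stamps, window, hitcount)


def rules_for_size(size, dport=29000, window=15, hitcount=3, name="packet1"):
    """Render the post's two per-SIZE rules with SIZE filled in (text only, not applied)."""
    base = (f"iptables -A INPUT -p tcp -m multiport --dports {dport} "
            f"-m length --length {size} -m recent --name {name}")
    return [f"{base} --set",
            f"{base} --update --seconds {window} --hitcount {hitcount} -j REJECT"]


if __name__ == "__main__":
    # Lower hitcount so the small constructed sample trips the flood rule.
    print("flooders:", find_flooders(SAMPLE_LOG, hitcount=5))
    repeated = find_repeated_sizes(SAMPLE_LOG)
    print("repeated (src, LEN):", repeated)
    for (_, ln) in repeated:
        print("\n".join(rules_for_size(ln)))
```

Run it against a real file with `find_repeated_sizes(open("/var/log/syslog"))`; each LEN it reports is a SIZE candidate, and each size you turn into a rule pair should get its own `--name` list so the hit counts of different sizes are not pooled. The `window`/`hitcount` arguments let you try thresholds against recorded traffic and see which legitimate players would have been caught before the REJECT rules go live.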
