Server protection + DDOS/FLOOD/SPAM

  1. #1
    Banned LegalSin(scam)
    Join Date: Dec 2011
    Location: RaGEZONE
    Posts: 489

    Server protection + DDOS/FLOOD/SPAM

    Here is a little script I wrote to protect the server from all known FLOOD/SPAM/DDOS.

    Basically, this script says to the DDoSer: I don't want to play with you.

    Of course, if the attack is greater than your bandwidth, it won't stop them.

    But however you can do this:

    netstat -an | grep :53 (to see the IPs that DDoS your server; then you go add them manually).

    Basically no firewall can stop a DDoS, but however it can be done by a human hand. Here is an example of a blackhole:

    Code:
    route add 209.62.76.146 reject
    or

    Code:
    # 209.62.76.144/29 is the network address of the /29 that contains 209.62.76.146
    ip route add blackhole 209.62.76.144/29
    Depends on your configuration.

    Now below you will see the scripts that actually block all kinds of attacks from harming your PC, or scanners, spam, flood, etc.


    Firewall.sh using iptables:
    Code:
    #Flush IPTABLES
    iptables -F
    
    #This rule accepts connection.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #This rule enables local-host connection
    iptables -A INPUT -i lo -j ACCEPT
    
    #This rule allows connections to port 29000 if the connection is in
    #state NEW, which is how a normal PC would connect and not a spammer or a
    #flooder PC.
    #Duplicate the line below if you need to open more ports
    iptables -A INPUT -m tcp -p tcp -m state --state NEW --dport 29000 -j ACCEPT
    
    #This rule accepts all connections from a host on any port.
    #You can use this to access your MySQL server or whatever managing site
    #you have, including SSH connections and FTPS.
    #Replace 0.0.0.0 with your IP to allow SSH connection
    iptables -A INPUT -m tcp -p tcp -s 0.0.0.0 -j ACCEPT
    
    #This rule drops all connections that are not in state NEW (illegal)
    #or not predefined by this firewall, including DDoS, SYN flood, etc.
    iptables -A INPUT -j DROP
    So basically all scripts I have seen on many forums, including this one, have 20+ lines and do a worse job than this one @_@.

    Make sure you have these lines un-commented in /etc/sysctl.conf

    Code:
    net.ipv4.icmp_echo_ignore_all=0
    # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
    # Turn on Source Address Verification in all interfaces to
    # prevent some spoofing attacks
    net.ipv4.conf.default.rp_filter=1
    net.ipv4.conf.all.rp_filter=1
    
    # Uncomment the next line to enable TCP/IP SYN cookies
    net.ipv4.tcp_syncookies=1
    
    
    # Ignore ICMP broadcasts
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    
    # Ignore bogus ICMP errors
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    
    # Do not accept ICMP redirects (prevent MITM attacks)
    net.ipv4.conf.all.accept_redirects = 0
    
    # Do not send ICMP redirects (we are not a router)
    net.ipv4.conf.all.send_redirects = 0
    
    # Do not accept IP source route packets (we are not a router)
    net.ipv4.conf.all.accept_source_route = 0
    After you have un-commented the lines, please open SSH (PuTTY) and type:

    Code:
    sysctl -p
    to apply the changes you made to sysctl

    PLEASE NOTE ALL THE ABOVE SCRIPTS ARE TESTED 100% UNDER DDOS AND OTHER TYPES OF FLOODS. IF THEY DON'T WORK IT'S BECAUSE YOU DID SOMETHING WRONG!!!

    Anyone who finds this useful, please throw me a banana (LIKE)
    Last edited by LegalSin(scam); 16-01-12 at 09:20 AM.
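
The manual step described in the post above (list the sources hitting one port, then blackhole the worst ones), as an added example that is not part of the original post. The netstat sample, the threshold of 3 and the function names are constructed for illustration; it handles IPv4 only, matches the local port field exactly instead of grepping for the port anywhere in the line, and only prints the `ip route` commands so they can be reviewed before use.

```shell
#!/bin/sh
# Added example: rank remote IPv4 addresses by connection count on one local
# port, from `netstat -an` output, and print blackhole commands for review.

# Constructed sample of `netstat -an` lines (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:29000           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:29000        198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:29000        198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:29000        198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:29000        203.0.113.25:51544      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:60022      ESTABLISHED
tcp        0      0 192.0.2.10:52900        198.51.100.7:29000      ESTABLISHED
EOF
}

# count_by_source PORT: reads netstat lines on stdin and prints "COUNT IP"
# for each remote address connected to local PORT, busiest first.
count_by_source() {
    awk -v port="$1" '
        $1 ~ /^tcp|^udp/ {
            n = split($4, l, ":"); if (l[n] != port) next   # local port only
            m = split($5, r, ":")                           # remote ip:port
            if (m != 2 || r[1] == "0.0.0.0") next           # skip listeners, IPv6
            hits[r[1]]++
        }
        END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr -k2,2
}

# blackhole_candidates PORT MIN: prints (does not run) one command per source
# with at least MIN connections, so a human can review the list first.
blackhole_candidates() {
    count_by_source "$1" |
        awk -v min="$2" '$1 >= min { print "ip route add blackhole " $2 "/32" }'
}

sample_netstat | count_by_source 29000
sample_netstat | blackhole_candidates 29000 3
```

With real data, replace `sample_netstat` with `netstat -an`. Sources that appear only in SYN_RECV may be spoofed, so check them before blackholing.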


  2. #2
    Member insteadof
    Join Date: Dec 2010
    Posts: 55

    Re: Server protection + DDOS/FLOOD/SPAM

    I don't understand .....

  3. #3
    Calm yo tits. TashiaLurvesYou
    Join Date: Nov 2011
    Location: Philippines
    Posts: 474

    Re: Server protection + DDOS/FLOOD/SPAM

    Quote: Originally Posted by insteadof
    I don't understand .....
    Me too, it would be great if he explained it or how to add it ;>

  4. #4
    Banned LegalSin(scam)
    Join Date: Dec 2011
    Location: RaGEZONE
    Posts: 489

    Re: Server protection + DDOS/FLOOD/SPAM

    Create a file named Firewall.sh and put:

    #Flush IPTABLES
    iptables -F

    #This rule accepts connection.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #This rule enables local-host connection
    iptables -A INPUT -i lo -j ACCEPT

    #This rule allows connections to port 29000 if the connection is in
    #state NEW, which is how a normal PC would connect and not a spammer or a
    #flooder PC.
    #Duplicate the line below if you need to open more ports
    iptables -A INPUT -m tcp -p tcp -m state --state NEW --dport 29000 -j ACCEPT

    #This rule accepts all connections from a host on any port.
    #You can use this to access your MySQL server or whatever managing site
    #you have, including SSH connections and FTPS.
    #Replace 0.0.0.0 with your IP to allow SSH connection
    iptables -A INPUT -m tcp -p tcp -s 0.0.0.0 -j ACCEPT

    #This rule drops all connections that are not in state NEW (illegal)
    #or not predefined by this firewall, including DDoS, SYN flood, etc.
    iptables -A INPUT -j DROP
    Then in your SSH window do: ./Firewall.sh to enable the firewall.
    To keep it after a reboot, go to /etc/rc.local, edit it and add the content of the firewall, then reboot and try to ping your host; if it replies with ping time out, it's working.

    If you have any more questions please ask, I'll gladly help.

  5. #5
    Angelemu founder tbnanubis
    Join Date: Mar 2011
    Location: Unicorn Forest
    Posts: 527

    Re: Server protection + DDOS/FLOOD/SPAM

    Quote: Originally Posted by LegalSin
    try to ping your host; if it replies with ping time out, it's working.
    Made my day :D

  6. #6
    Member zdark
    Join Date: Jul 2005
    Location: Brazil
    Posts: 53

    Re: Server protection + DDOS/FLOOD/SPAM

    This doesn't work for DDOS :P

    Maybe low DOS.

  7. #7
    Robb rbb138
    Join Date: Jan 2009
    Location: London, England
    Posts: 1,241

    Re: Server protection + DDOS/FLOOD/SPAM

    "Here is a little script I wrote to protect the server from all known FLOOD/SPAM/DDOS"

    Oh god... that's quite a claim you have made there.

    You're forgetting about real DDoS attacks (100s, maybe even 1000s, of slave machines).
    And about DoS attacks that fake the source IP (SYN floods).

  8. #8
    PW Dev <3 Ozuru
    Join Date: Feb 2011
    Posts: 737

    Re: Server protection + DDOS/FLOOD/SPAM

    You can never be 100% safe... Only way is to have more bandwidth than your attackers.

  9. #9
    Banned LegalSin(scam)
    Join Date: Dec 2011
    Location: RaGEZONE
    Posts: 489

    Re: Server protection + DDOS/FLOOD/SPAM

    Any flood/ddos/spam/spoof/rocket/etc. connects in a different way than a normal client uses to connect to the server: it doesn't ask for a "state new" connection, therefore iptables will reject it immediately, and the sysctl.conf will help improve your security.

    You don't need to flame me if you don't find it useful; just ignore my post. However, if you use it, like it.

    Basically no firewall can stop a DDoS, but however it can be done by a human hand. Here is an example of a blackhole:
    But this does NOT mean that the script is not good or that it doesn't work.

    You can do it like this too:

    iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

    iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
    But it does the same thing as my script and sysctl.conf

    Whatever you think, please don't flame me or my topic. I use this and it does the job well, and if you do have a better one or a better security reason, share it with us. That's why we are on this forum .... Aren't we??
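
A simplified model of what the two `-m recent` rules in the post above decide for each NEW connection to port 25, added here as an example; it is not the poster's code or the kernel's implementation. It assumes the rules are evaluated in the order that two `-I` commands produce (the `--update ... -j DROP` rule first, the `--set` rule second); the connection log and the function names are constructed.

```shell
#!/bin/sh
# Added example: per-source verdicts under
#   -m recent --update --seconds 60 --hitcount 4 -j DROP   (evaluated first)
#   -m recent --set                                        (evaluated second)

# Constructed input: "<time in seconds> <source ip>" per NEW connection.
sample_connections() {
cat <<'EOF'
0 198.51.100.7
5 198.51.100.7
10 198.51.100.7
12 203.0.113.25
15 198.51.100.7
20 198.51.100.7
25 198.51.100.7
90 203.0.113.25
140 198.51.100.7
EOF
}

# recent_verdicts SECONDS HITCOUNT: prints "<time> <ip> <verdict>" per line.
# PASS means the packet continues to the rules that follow; DROP is final.
recent_verdicts() {
    awk -v win="$1" -v limit="$2" '
    {
        t = $1; ip = $2; hits = 0
        # Count the remembered timestamps of this source inside the window.
        for (i = 1; i <= n[ip]; i++)
            if (t - stamp[ip, i] <= win) hits++
        # --update matches at HITCOUNT or more recent hits and records the
        # packet; otherwise the packet reaches --set, which also records it.
        verdict = (hits >= limit) ? "DROP" : "PASS"
        stamp[ip, ++n[ip]] = t
        print t, ip, verdict
    }'
}

sample_connections | recent_verdicts 60 4
```

In this model each source gets four new connections per 60 seconds, the fifth is dropped, and a dropped attempt is recorded too, so a source that keeps retrying stays blocked until it goes quiet. The counter is kept per source address.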

  10. #10
    Black Magic Development das7002
    Join Date: Apr 2010
    Location: Earth
    Posts: 2,188

    Re: Server protection + DDOS/FLOOD/SPAM

    It is a useless script... Server still has to deal with all of the packets no matter what. If they can overwhelm your bandwidth then you solved nothing.

    You have good intentions, but you are trying to peddle the illusion of security when you aren't giving any. If you want real DDoS protection, don't get a server from one of those cheap companies. Amazon, Hivelocity, Softlayer... All big names, and they aren't cheaper than dirt; they can protect against DDoS before it even gets to your server.

    No one is really flaming you... Just pointing out how utterly useless this is...

  11. #11
    Don't Ask About Tideborn vixio_dv
    Join Date: Feb 2010
    Location: UK
    Posts: 774

    Re: Server protection + DDOS/FLOOD/SPAM

    No one can stop DDoS 100%, including Cisco Systems, Inc.

  12. #12
    Proficient Member Souris
    Join Date: Feb 2009
    Posts: 167

    Re: Server protection + DDOS/FLOOD/SPAM

    It isn't useless, but if you think it is you shouldn't be using it anyway because you'd probably end up locking yourself out of your server.

    Not all DDoS attacks can use a thousand bots to max out your bandwidth, and a proper configuration will effectively stop a dozen bots from bringing down your web server.

  13. #13
    Fyyre Fyyre
    Join Date: Oct 2007
    Location: Europe
    Posts: 273

    Re: Server protection + DDOS/FLOOD/SPAM

    Quote: Originally Posted by Ozuru
    You can never be 100% safe... Only way is to have more bandwidth than your attackers.
    This is the truth. No script or firewall is saving you from a UDP DDoS attack.


