Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello folks, as the headline says I have lately been attacked several times, where my homepage has been literally frozen because of the massive attack on port 80.
My problem is, as I said, that I really need protection against this. I have searched all over the web and tried hundreds of solutions. None of them helped.
Not even SYN cookies, which were recommended by another Linux forum, helped at all.
If there's anyone who just has a CLUE about what I could do, tell me :-)
You can change the number of times your machine will retry the SYN/ACK.
Also make sure you set up iptables firewall rules that will drop everything except port 80. There are also parameters you can set to minimize the number of TCP sessions per host; that cuts down on connection problems.
Quote: Originally Posted by arkaan
Hello folks, as the headline says I have lately been attacked several times, where my homepage has been literally frozen because of the massive attack on port 80.
My problem is, as I said, that I really need protection against this. I have searched all over the web and tried hundreds of solutions. None of them helped.
Not even SYN cookies, which were recommended by another Linux forum, helped at all.
If there's anyone who just has a CLUE about what I could do, tell me :-)
Install a router or other hardware firewall between your box and the network. They're not expensive.
arkaan, what's your site about? If you have a torrent tracker or something like that, then my friend I believe you're dealing with the same DDoS I am. Try to install Snort and run "snort -i eth0 -vde" (or maybe eth1), and if you see any stuff like $MyNick bla bla bla then my friend, you have a problem.
This kind of attack is done using users on Direct Connect hubs as bots. Just imagine controlling users on 30 hubs (1000-15000 users on every hub) and forcing them to connect to a $host and $port.
You need to set up iptables firewall rules that limit the number of connections per host. That way one host can only connect a certain number of times. However, if you have a DDoS (Distributed Denial of Service) attack, then it will be trickier.
Another thing you can do is create a script that monitors how many times an IP address tries to connect to your system; if it tries to connect more than 20 times every 5 seconds, then add it to the hosts.deny file. Make sure you monitor everything.
In addition to the wonderful info that's already been given, you can recompile your kernel to reduce the "half-open" state timeout and "max connections from IP". I don't know the exact technical terms here, but I know it can be done, and it would help to an extent.
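The three suggestions above (fewer SYN/ACK retries and shorter half-open handling, per-host connection limits in iptables, and a script that counts attempts per IP and blocks anything over 20 per 5 seconds) put together as one dry-run shell script. This is an added example, not code posted in the thread; the threshold, the constructed sample addresses and the helper names are assumptions, and the half-open tuning uses sysctl rather than a kernel rebuild. It emits a per-IP iptables DROP instead of a hosts.deny entry because hosts.deny only affects services built with TCP wrappers, which a web server on port 80 normally is not.

```shell
#!/bin/sh
# Added example (not from the thread): per-source limits, SYN tuning and the
# "count connection attempts per IP" monitor. Dry run by default: commands are
# printed, not executed. Set APPLY=1 to run them (needs root).
THRESHOLD="${THRESHOLD:-20}"   # max new connections per source per 5 s window
APPLY="${APPLY:-0}"

run() {   # print the command, or execute it when APPLY=1
    if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Half-open handling without a kernel rebuild: fewer SYN/ACK retries shorten the
# SYN-RECV timeout; SYN cookies and a larger backlog keep the queue usable.
tune_syn_handling() {
    run sysctl -w net.ipv4.tcp_syncookies=1
    run sysctl -w net.ipv4.tcp_synack_retries=2
    run sysctl -w net.ipv4.tcp_max_syn_backlog=4096
}

# Per-source limits on port 80: cap concurrent connections per /32, allow at
# most THRESHOLD new connections per 5 s (expressed per minute), drop the rest.
http_rate_limit_rules() {
    run iptables -A INPUT -p tcp --dport 80 --syn -m connlimit \
        --connlimit-above "$THRESHOLD" --connlimit-mask 32 -j DROP
    run iptables -A INPUT -p tcp --dport 80 --syn -m hashlimit \
        --hashlimit-mode srcip --hashlimit-name http \
        --hashlimit-upto "$((THRESHOLD * 12))/minute" --hashlimit-burst "$THRESHOLD" -j ACCEPT
    run iptables -A INPUT -p tcp --dport 80 --syn -j DROP
}

# Monitor: read one source IP per line (e.g. the peer column of
# `ss -n state syn-recv '( sport = :80 )'`) and print sources seen more than
# THRESHOLD times; exactly THRESHOLD is not flagged, matching "more than 20".
noisy_sources() {
    sort | uniq -c | awk -v t="$THRESHOLD" '$1 > t { print $2 }' | sort
}

block_noisy_sources() {   # one per-IP DROP rule for each flagged source
    while read -r ip; do run iptables -I INPUT -s "$ip" -p tcp --dport 80 -j DROP; done
}

repeat() { i=0; while [ "$i" -lt "$1" ]; do echo "$2"; i=$((i + 1)); done; }
sample_sources() {   # constructed: 25, 3 and exactly 20 hits from three sources
    repeat 25 198.51.100.7; repeat 3 203.0.113.9; repeat 20 192.0.2.44
}

tune_syn_handling; http_rate_limit_rules
sample_sources | noisy_sources | block_noisy_sources
```

With the default threshold only 198.51.100.7 is flagged; in real use feed `noisy_sources` from a cron or loop that samples the SYN-RECV peers every 5 seconds.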
Whilst the suggestions given do help a bit, it sounds like you are suffering from a distributed denial of service attack.
The best recourse is the ISP; generally these attacks are blocked upstream on the main routers.
Sometimes this can affect a number of networks so it tends to be taken fairly seriously and don't be surprised if law enforcement is brought in by one of the parties.