[SOLVED] Software for protection.

Thiefy · 09-18-2017, 08:11 AM

Hi, i got a bit of a problem where i'm being DDOS'ed/BruteForced on my website witch sends from thousands different IP addresses empty refers, and empty post/get packages. I wrote a script witch takes access log, counts how many tries that ip address made if its more then 30 in 10 min it black list's the IP but it's just a temporary solution. So My question is, what software i could use to prevent myself from these kinds of attacks?

EDIT: forgot to mention all the connection's don't come directly to the server comes by proxy.

Thanks in advance.
Thiefy

pan64 · 09-18-2017, 08:14 AM

probably fail2ban ?

Thiefy · 09-18-2017, 08:17 AM

Quote:

Originally Posted by pan64

probably fail2ban ?

Can you argument why you would use it? I know there is few of them like mod_security and snort.

Thanks for the reply
Thiefy.

Habitual · 09-18-2017, 12:27 PM

I use fail2ban because I don't know mod_security or snort.

"few of them"?

Just sayin'

justmy2cents · 09-24-2017, 12:41 AM

In addition to fail2ban I would use psad+fwsnort.. Fwsnort integrates with the firewall which makes it harder to exploit than Snort. Psad is like fail2ban but its blocks IPs that port scan your system. You can set thresholds for what kind of portscans you deem worthy of a ban (like noisy scans or extra stealthy scans)

Sefyir · 09-24-2017, 09:03 AM

I don't believe fail2ban would be very helpful in this case.
Fail2ban operates by blocking connections that have had multiple failed connections from a particular ip address. This isn't true during a DDOS.

You'll need to decide to filter with the firewall or the webserver itself. The firewall (iptables) is good for heavy handed stuff but the webserver can generally do more delicate filtering (like checking for referral types)

For iptables, using something like the length limit may be good for empty requests, conntrack may be good for ensuring connections have actually been established. Make sure to log and check these before implementing instead of just dropping them since you will discover mysterious issues.
https://www.frozentux.net/documents/iptables-tutorial/
Conntrack Length match
Make sure to not lock yourself out by having some external method of logging in / automatic disabling of firewall.
How to prevent myself from locking out of iptables

I don't know the webserver you're using, but nginx has some good tools for filtering connections
https://www.cyberciti.biz/tips/linux...-security.html

Code:

## Deny certain Referers ###
     if ( $http_referer ~* (babes|girl) )
     {
         # return 404;
         return 403;
     }
##

Finally, if you're hosting with a provider, contact them. Part of their job is often to handle DDOS attacks on your behalf.

justmy2cents · 09-24-2017, 10:19 AM

He said ddos/brute force so Fail2ban can come into play here, especially as it comes with alot of pre-built filters for apache which will help alot with the overall security. But here are some more suggestions to mitigate DoS attacks, thats from this book im reading: 1) Use an IPS (like snort or fwsnort) which literally monitors for DoS attacks 2) Configure firewalls to block malformed traffic 3) Minimize IP spoofing by filtering out external packets that appear to come from an interal address 4) Block all ICMP traffic inbound to your network unless you need it, and even then it should only be allowed to come in to specific hosts 5) Disable all uneeded TCP/UDP small services such as echo and chargen