Anillka
This thread is against DDoS attacks and also flood attacks! They can damage your root, so I will explain how to protect your root and your server against DDoS attacks and floods!
Note :-
This is for Linux only ... and some scripts will be put into the Gesior acc!
All you have to do is use SSH Secure Shell and run those commands inside it!
Here is the download link, or use the official site!
SSH_Secure_Shell.zip
If you use BIND9, try to update it to 9.3.4, because BIND9 has an exploit!
OK, let's start!
Go to SSH Secure Shell and run these commands!
1- Update your host.conf and sysctl.conf to make them strong!
Code:
cd /etc/
mv sysctl.conf sysctl.conf.css
Code:
pico sysctl.conf
Then put this in sysctl.conf:
Code:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Logging of spoofed, source-routed and redirect packets (martians) is off
# for these interfaces; net.ipv4.conf.all.log_martians is set to 1 further
# down and that later line wins for "all"
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
# Lower retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Max File Handlers
fs.file-max = 8192
# Ctrl+Alt+Del handling: 1 = the kernel reboots immediately without letting
# init shut down cleanly; 0 = the key combination is passed to init, which
# decides what to do (see /etc/inittab)
kernel.ctrl-alt-del = 1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range (the upper bound can be at most 65535; with 65536
# the kernel rejects the whole key and leaves the old range in place)
net.ipv4.ip_local_port_range = 16384 65535
For those who use CentOS 5.x:
Code:
# Kernel sysctl configuration file for CentOS 5.x
# http://www.securecentos.com
# See sysctl(8) and sysctl.conf(5) for more details.
kernel.panic = 60
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# log_martians for "all" is set again to 1 further down; that later line wins
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
kernel.sysrq = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_max_tw_buckets = 1440000
# upper bound of the port range can be at most 65535 (65536 is rejected)
net.ipv4.ip_local_port_range = 16384 65535
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
Then run this command to load the new settings!
Code:
/sbin/sysctl -p
Code:
sysctl -w net.ipv4.route.flush=1
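`sysctl -p` loads the file key by key, and a key the kernel refuses (for example a port range ending in 65536) only produces an error line while the rest is still applied, so it is worth confirming afterwards that the live values really match the file. The following check script is an added example, not part of the original post: it compares every `key = value` line of a sysctl.conf with the matching file under /proc/sys and reports what differs. The function names `check_sysctl_applied` and `make_demo_tree` are mine; the fixture built by `make_demo_tree` is a constructed fake /proc/sys tree so the check can be run offline, not a real system.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the keys in a
# sysctl.conf really are the live values under /proc/sys.
# Usage: check_sysctl_applied /etc/sysctl.conf [/proc/sys]
# Prints one line per key that differs or is missing and returns 1,
# or prints nothing and returns 0 when everything matches.
check_sysctl_applied() {
    conf="$1"
    root="${2:-/proc/sys}"
    mismatches=$(
        # drop comments, keep only "key = value" lines
        sed -e 's/#.*//' "$conf" | grep '=' | while IFS= read -r line; do
            key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
            # normalise whitespace so "16384  65535" and "16384 65535" compare equal
            want=$(printf '%s' "$line" | cut -d= -f2- | tr -s '[:space:]' ' ' \
                   | sed -e 's/^ //' -e 's/ $//')
            # net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
            path="$root/$(printf '%s' "$key" | tr . /)"
            if [ ! -r "$path" ]; then
                printf '%s: not present under %s\n' "$key" "$root"
                continue
            fi
            have=$(tr -s '[:space:]' ' ' < "$path" | sed -e 's/^ //' -e 's/ $//')
            [ "$have" = "$want" ] || \
                printf '%s: configured %s, live value is %s\n' "$key" "$want" "$have"
        done
    )
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Constructed fixture for running the check offline (not a real /proc/sys):
# three keys applied as configured and one that is still at its old value.
# Prints the directory it created.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/proc/net/ipv4/conf/all" "$d/proc/kernel"
    printf '1\n' > "$d/proc/net/ipv4/tcp_syncookies"
    printf '0\n' > "$d/proc/net/ipv4/conf/all/accept_redirects"
    printf '0\n' > "$d/proc/kernel/sysrq"
    printf '32768\t60999\n' > "$d/proc/net/ipv4/ip_local_port_range"   # not applied
    cat > "$d/sysctl.conf" <<'EOF'
# constructed excerpt of the hardened sysctl.conf from the post
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
kernel.sysrq = 0
net.ipv4.ip_local_port_range = 16384 65535
EOF
    printf '%s\n' "$d"
}
```

On a real host run `check_sysctl_applied /etc/sysctl.conf` right after `sysctl -p`; an empty result means every key took effect. With the fixture, `check_sysctl_applied "$d/sysctl.conf" "$d/proc"` reports only `net.ipv4.ip_local_port_range`.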
Code:
cd /etc
mv host.conf host.conf.css
Code:
pico host.conf
Then add this to host.conf:
Code:
# Look names up in /etc/hosts first, then fall back to DNS
order hosts,bind
# Check for IP address spoofing.
nospoof on
# multiple IP addresses
multi on
Then restart httpd!
Code:
service httpd restart
2- Activate SYN cookies.
Code:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
3- Then, for those who want to use the Easy Linux Security program (better if you use it):
Run this command to install the program:
Code:
wget --output-document=installer.sh http://servermonkeys.com/projects/els/installer.sh; chmod +x installer.sh; sh installer.sh
4- For those who use APF + BFD .. I will put the best tools!
Update the ELS script:
Code:
els --update
If it is already updated you will get this:
Code:
ELS 3.0.0.3 is the latest release, there is no need to update.
Then the best way to use APF:
To run the program on your server!
Code:
els --apf
After you have the program on your server, run this!
Code:
pico /etc/apf/conf.apf
And be sure you have these settings in your conf.apf:
Code:
EGF="1"
USE_DS="1"
USE_AD="1"
Then go to this!
Code:
pico /etc/apf/ad/conf.antidos
And be sure you already have these settings!
Code:
LP_KLOG="1"
CONAME="Your Company"
USR_ALERT="1"
USR="[email protected]"
5- These commands are for the firewall! (Additional information for knowledge!)
To start the firewall use!
Code:
/usr/local/sbin/apf -s
And to restart the firewall use!
Code:
/usr/local/sbin/apf -r
And to stop the firewall use!
Code:
/usr/local/sbin/apf -f
And to know the status of the firewall!
Code:
/usr/local/sbin/apf -st
6- Running the commands in apf to block IPs or allow them!
To allow an IP use this!
Code:
/usr/local/sbin/apf -a 124.11.11.11
Change 124.11.11.11 to the IP you want.
To block someone's IP use this!
Code:
/usr/local/sbin/apf -d 124.11.11.11
Change 124.11.11.11 to the IP you want.
7- After you have done all that for apf, run these commands so the firewall starts blocking or allowing the IPs!
Code:
/etc/apf/ad/antidos -a
/usr/local/sbin/apf -r
8- For those who use the program BFD, Brute Force Detection (perfect):
Run this command after you put the program on your server!
Code:
els --bfd
And to apply changes and edit!
Code:
pico -w /usr/local/bfd/conf.bfd
Be sure you have these settings in conf.bfd,
and change the email address! When an attack happens you will receive a message with the IP!
Code:
ALERT_USR="1"
# EMAIL_USR is the key name from the stock conf.bfd; the forum copy showed only the address
EMAIL_USR="[email protected]"
Commands for that program!
To run it use!
Code:
/usr/local/sbin/bfd -s
To allow an IP do this command,
and put the IP you want in the file allow_hosts.rules:
Code:
pico -w /etc/bfd/allow_hosts.rules
And to block an IP run this command,
and put the IP you want to block in ignore.hosts:
Code:
pico -w /usr/local/bfd/ignore.hosts
9- Against DoS: DDoS Deflate!
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
And edit this!
Code:
pico /usr/local/ddos/ddos.conf
Put the number you want; this is the number of connections!
Code:
NO_OF_CONNECTIONS=150
And be sure of these settings!
Code:
APF_BAN=1
# EMAIL_TO is the key name from the stock ddos.conf; the forum copy showed only the address
EMAIL_TO="[email protected]"
This is the number of seconds the IP stays blocked!
Code:
BAN_PERIOD=600
To know who is connected to your server!
Code:
cd /usr/local/ddos/;./ddos.sh
sh /usr/local/ddos/ddos.sh
To block an IP do this!
and put the IP in ignore.ip.list
Code:
pico /usr/local/ddos/ignore.ip.list
To run the program after editing do this command!
Code:
/usr/local/ddos/ddos.sh -c
iptables -F
To uninstall the program do this command!
Code:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
FINAL :-
To know who is already attacking your site and who is online!
Do this command!
Code:
netstat -plan|grep :80|awk '{print $5}'|cut -d: -f 1|sort|uniq -c|sort -nk 1
or
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
EXAMPLE OF IPS :-
Code:
1 195.229.235.36
1 195.229.235.39
1 195.229.236.214
1 195.229.237.39
1 195.229.242.53
1 195.229.242.55
1 195.229.242.56
1 196.12.217.252
1 196.20.126.97
1 41.200.213.119
1 86.60.97.145
1 89.108.0.85
2 195.229.235.41
2 41.201.175.161
2 41.248.162.42
2 77.30.118.133
2 94.97.78.197
3 84.11.138.148
400 85.11.152.165
That means this IP, 85.11.152.165, is attacking you with DDoS (400 connections from one address)!
So block it with the commands I gave for every program!
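The netstat pipeline above and DDoS Deflate's NO_OF_CONNECTIONS check from step 9 do the same thing: count connections per remote address and treat anything at or above a limit as an attacker, unless it is whitelisted (ignore.ip.list). The script below is an added example, not code from the post or from DDoS Deflate: it implements that count over `netstat -ntu` style lines as functions you can reuse, and keeps IPv6 and `::ffff:` mapped addresses intact, which `cut -d: -f1` does not. The function names `count_per_ip`, `over_threshold` and `sample_netstat` are mine, and the lines produced by `sample_netstat` are a constructed sample (reusing a few addresses from the example output above), not a capture from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: per-IP connection counting over
# netstat -ntu style lines, with the limit/whitelist logic that DDoS Deflate
# applies with NO_OF_CONNECTIONS and ignore.ip.list.

# Reads netstat -ntu output on stdin and prints "count ip" sorted ascending.
# The remote address is field 5; only the port after the last colon is
# removed, so IPv6 and ::ffff: mapped addresses survive (the post's
# cut -d: -f1 pipeline would reduce them to an empty string).
count_per_ip() {
    awk '$5 ~ /:/ { ip = $5; sub(/:[0-9]+$/, "", ip); c[ip]++ }
         END { for (ip in c) print c[ip], ip }' | sort -n
}

# Usage: ... | over_threshold LIMIT ["ip1 ip2 ..."]
# Prints the addresses holding LIMIT or more connections, skipping any in the
# optional space-separated whitelist (the role ignore.ip.list plays).
over_threshold() {
    count_per_ip | awk -v limit="$1" -v ignore="$2" '
        BEGIN { n = split(ignore, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        $1 >= limit && !($2 in skip) { print $2 }'
}

# Constructed sample in netstat -ntu layout (not captured from a real host):
# one normal visitor, one address with three connections, one with five
# (four of them half-open), and one IPv6-mapped client.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             195.229.235.36:51234    ESTABLISHED
tcp        0      0 10.0.0.5:80             84.11.138.148:40001     ESTABLISHED
tcp        0      0 10.0.0.5:80             84.11.138.148:40002     TIME_WAIT
tcp        0      0 10.0.0.5:7171           84.11.138.148:40003     ESTABLISHED
tcp        0      0 10.0.0.5:80             85.11.152.165:1025      SYN_RECV
tcp        0      0 10.0.0.5:80             85.11.152.165:1026      SYN_RECV
tcp        0      0 10.0.0.5:80             85.11.152.165:1027      SYN_RECV
tcp        0      0 10.0.0.5:80             85.11.152.165:1028      SYN_RECV
tcp        0      0 10.0.0.5:7171           85.11.152.165:1029      ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:41.200.213.119:5000 ESTABLISHED
EOF
}
```

On a live server use `netstat -ntu | over_threshold 150 "$(cat /usr/local/ddos/ignore.ip.list)"` to get the same list ddos.sh would act on, without banning anything; with the sample, `sample_netstat | over_threshold 3` lists 84.11.138.148 and 85.11.152.165, and whitelisting 84.11.138.148 leaves only 85.11.152.165. Pick the limit from what your own site normally shows per visitor: a busy NAT gateway or proxy can legitimately hold many connections, which is exactly what the whitelist is for.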
When someone tries to attack you, you will get a message at the email you entered :-
IP addresses banned on Wed Mar 13 17:10:07 AST 2010
I ADVISE THOSE WHO USE A VPS: DON'T USE CSF! Because it needs a lot of RAM and speed!
Add this to index.php for your website!
PHP:
<?php
$ad_ddos_query=10; // number of requests within one second that counts as a ddos attack
$ad_check_file='check.txt'; // file where the current monitoring state is written
$ad_temp_file='all_ip.txt'; // every ip seen while the defense page is active
$ad_black_file='black_ip.txt'; // ips of zombie machines are entered here
$ad_white_file='white_ip.txt'; // ips of real visitors are entered here
$ad_dir='anti_ddos'; // directory holding the files above, relative to the including script
$ad_num_query=0; // current number of queries in this second, from the file $ad_check_file
$ad_sec_query=0; // second value from the file $ad_check_file
$ad_end_defense=0; // time when the protection ends, from the file $ad_check_file
$ad_sec=date("s"); // current second
$ad_date=date("mdHis"); // current time
$ad_defense_time=10000; // added to $ad_date when a ddos attack is found; monitoring stops and the defense page is used until then
if(!file_exists("{$ad_dir}/{$ad_check_file}") or !file_exists("{$ad_dir}/{$ad_temp_file}") or !file_exists("{$ad_dir}/{$ad_black_file}") or !file_exists("{$ad_dir}/{$ad_white_file}") or !file_exists("{$ad_dir}/anti_ddos.php")){
    die("Not enough File.");
}
require("{$ad_dir}/{$ad_check_file}"); // check.txt holds php that sets $ad_num_query, $ad_sec_query or $ad_end_defense
if ($ad_end_defense and $ad_end_defense>$ad_date){
    require("{$ad_dir}/anti_ddos.php"); // attack in progress: run the visitor check
} else {
    if($ad_sec==$ad_sec_query){
        $ad_num_query++; // another request in the same second
    } else {
        $ad_num_query='1';
    }
    if ($ad_num_query>=$ad_ddos_query){
        // too many requests in one second: switch to defense mode
        $ad_file=fopen("{$ad_dir}/{$ad_check_file}","w");
        $ad_end_defense=$ad_date+$ad_defense_time;
        $ad_string='<?php $ad_end_defense='.$ad_end_defense.'; ?>';
        fputs($ad_file,$ad_string);
        fclose($ad_file);
    } else {
        // keep counting: store the counter and the second it belongs to
        $ad_file=fopen("{$ad_dir}/{$ad_check_file}","w");
        $ad_string='<?php $ad_num_query='.$ad_num_query.'; $ad_sec_query='.$ad_sec.'; ?>';
        fputs($ad_file,$ad_string);
        fclose($ad_file);
    }
}
?>
anti_ddos.php
PHP:
<?php
function getIP() {
    // X-Forwarded-For is supplied by the client, so anyone can put an address of
    // their choice into it; only trust it if the site sits behind a proxy you control
    if(getenv("HTTP_X_FORWARDED_FOR") and preg_match("/^[0-9\.]*?[0-9\.]+$/is",getenv("HTTP_X_FORWARDED_FOR")) and getenv("HTTP_X_FORWARDED_FOR")!='127.0.0.1') {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    } else {
        $ip = getenv("REMOTE_ADDR");
    }
    return $ip;
}
$ad_ip=getIP();
// each list file keeps its ips on one line, separated by spaces
$ad_source=file("{$ad_dir}/{$ad_black_file}");
$ad_source=explode(' ',isset($ad_source[0]) ? $ad_source[0] : '');
if (in_array($ad_ip,$ad_source)){die();} // blacklisted zombie: no answer at all
$ad_source=file("{$ad_dir}/{$ad_white_file}");
$ad_source=explode(' ',isset($ad_source[0]) ? $ad_source[0] : '');
if (!in_array($ad_ip,$ad_source)){
    $ad_source=file("{$ad_dir}/{$ad_temp_file}");
    $ad_source=explode(' ',isset($ad_source[0]) ? $ad_source[0] : '');
    if (!in_array($ad_ip,$ad_source)){
        // first visit during the attack: remember the ip and ask for a click
        $ad_file=fopen("{$ad_dir}/{$ad_temp_file}","a+");
        $ad_string=$ad_ip.' ';
        fputs($ad_file,"$ad_string");
        fclose($ad_file);
?>
The site is currently under a DDoS attack. If you are not a zombie machine of the attacker, click the button, otherwise your IP (<?php echo $ad_ip; ?>) will be blocked!!!
<form method="post">
<input type="submit" name="ad_white_ip" value="Button">
</form>
<?php
        die();
    }
    elseif (!empty($_POST['ad_white_ip'])){
        // the visitor clicked the button: a real person, whitelist the ip
        $ad_file=fopen("{$ad_dir}/{$ad_white_file}","a+");
        $ad_string=$ad_ip.' ';
        fputs($ad_file,"$ad_string");
        fclose($ad_file);
    }
    else {
        // seen before but never clicked: treat as a zombie and blacklist it
        $ad_file=fopen("{$ad_dir}/{$ad_black_file}","a+");
        $ad_string=$ad_ip.' ';
        fputs($ad_file,"$ad_string");
        fclose($ad_file);
        die();
    }
}
?>
white_ip.txt
check.txt
black_ip.txt
all_ip.txt
Create those files in your htdocs (inside the anti_ddos directory, because the code uses $ad_dir='anti_ddos'), and the web server must be able to write to them.
Then use this line to include the files:
PHP:
require("anti_ddos/index.php");
Also check this thread, it will help!
http://otland.net/f258/anti-ddos-apache-44075/
Thanks! If I helped, give me rep!