
Linux: Some protection against DDoS

Pietia

Firstly, I want to say that I was recently attacked a bit by DDoS attackers (probably script kiddies) and I have found a way out of that situation, and now I want to share it with you guys!
OK, LET'S GO!
Code:
#!/bin/sh

# chkconfig: 3 21 91
# description: Firewall

IPT=/sbin/iptables

case "$1" in
start)
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 465 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 3785 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 7172 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 7171 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 3783 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 3784 -j ACCEPT #ventrilo port
$IPT -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 21 --source changethisforyourip -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source changethisforyourip -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.p19.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source proxy.rbx.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source ping.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp --source uripfromovh.250 -j ACCEPT # IP = aaa.bbb.ccc
$IPT -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 79 -j ACCEPT
$IPT -A INPUT -i eth0 -j DROP

exit 0
;;

stop)
$IPT -F INPUT
exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
changethisforyourip = change this to your IP, but only if your IP isn't changing to another one...
This is almost the sample iptables configuration from the OVH tutorial; I just edited it a bit to fit better here.
Edit it yourself if you want to add, for example, the ports of another OT server which is on 7173 and 7174; add this:
Code:
$IPT -A INPUT -i eth0 -p tcp --dport 7173 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 7174 -j ACCEPT
after
Code:
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT

You have to be root to make the changes everywhere here.
Put this script into /etc/init.d/ and name it firewall.
Give this script chmod 700:

Code:
chmod 700 firewall

To start the firewall you have to run:
Code:
/etc/init.d/firewall start
If you want this script to start at system boot, WARNING: first test it with
Code:
/etc/init.d/firewall start
to see if it works, because otherwise you can lock yourself out of your own server!
Then Ubuntu/Debian users do:
Code:
update-rc.d firewall defaults 90
Other Linux distros:
Code:
chkconfig --level 3 firewall on


I installed everything that you have just written and I'm still being attacked...
OK, let's try to drop the DDoSers.

Code:
netstat -plan | grep : | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
It checks which IPs are connected to your server and how many connections each of them has.
If, for example, it shows something like this:
Code:
ks201247:~# netstat -plan | grep :80 | awk {'print $5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
      1 0.0.0.0
      100 88.156.28.45
this means that the IP 88.156.28.45 has 100 connections to your server, which isn't normal.
If you want to drop him from your server, then do (dropping means not allowing him to do anything with your server, like see the web page or play Tibia):
Code:
iptables -I INPUT -s 88.156.28.45 -j DROP   # -I inserts at the top so the DROP is hit before the firewall's ACCEPT rules
Go to the /home directory of your normal user, create a file named attack.sh and put this script in it:
Code:
#!/bin/sh
# Block DFind: drop every peer that currently has a connection in FIN_WAIT.
# A legitimate player closing a connection is also in FIN_WAIT, so this can ban real players too.
countoff=0
for ip in $(netstat -tanpu | grep FIN_WAIT | awk '{print $5}' | cut -d ':' -f1 | sort | uniq); do
    countoff=$((countoff+1))   # POSIX arithmetic; $[...] is a non-portable bash form
    iptables -I INPUT -s "$ip" -j DROP
done
echo "blocked $countoff address(es)"
and make this script executable:
Code:
chmod +x attack.sh
When your server is under DDoS (inbound = 100 Mb, for example),
run this script with the command:
Code:
sh attack.sh
and check whether the DDoS IPs are banned by typing:
Code:
iptables -L
However, this script isn't the best and can drop normal players too, so I don't recommend this way of dropping script kiddies...
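A threshold-based variant of the netstat count and the attack.sh block above, written as an added example rather than anything from Pietia's post: it only drops addresses holding at least a configurable number of connections and skips allow-listed prefixes, so a single player closing a connection is not banned. The threshold, the allow-listed prefixes, the sample netstat output and the dry-run switch are all assumptions; in real use you would feed it `netstat -tan` once the printed commands look right.

```shell
#!/bin/sh
# Added example (not Pietia's attack.sh): block only source IPs holding at least
# THRESHOLD TCP connections, never those matching ALLOW_PREFIXES (both assumptions).
THRESHOLD=${THRESHOLD:-50}
ALLOW_PREFIXES=${ALLOW_PREFIXES:-"127. 192.168."}   # hypothetical trusted ranges
DRY_RUN=${DRY_RUN:-1}                              # 1 = print commands, 0 = run iptables
# Constructed sample of `netstat -tan` output, not a real capture.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address     State
tcp        0      0 0.0.0.0:7171     0.0.0.0:*           LISTEN
tcp        0      0 10.0.0.5:7171    203.0.113.7:51002   ESTABLISHED
tcp        0      0 10.0.0.5:7171    203.0.113.7:51003   ESTABLISHED
tcp        0      0 10.0.0.5:7171    203.0.113.7:51004   FIN_WAIT2
tcp        0      0 10.0.0.5:80      198.51.100.9:40001  ESTABLISHED
tcp        0      0 10.0.0.5:80      192.168.1.20:40002  ESTABLISHED
tcp        0      0 10.0.0.5:80      192.168.1.20:40003  ESTABLISHED
tcp        0      0 10.0.0.5:80      192.168.1.20:40004  ESTABLISHED'
# Stdin: netstat output. Prints "count ip" per foreign address, skipping the
# header and listening sockets and stripping the :port suffix.
count_per_ip() {
  awk '$1 ~ /^tcp/ && $6 != "LISTEN" { sub(/:[^:]*$/, "", $5); print $5 }' |
    sort | uniq -c | sort -rn
}

# Return 0 if $1 starts with one of the allow-listed prefixes.
is_allowed() {
  for p in $ALLOW_PREFIXES; do
    [ "${1#$p}" != "$1" ] && return 0
  done
  return 1
}
# Stdin: netstat output. Prints each IP with at least $1 connections that is not allow-listed.
offenders() {
  count_per_ip | while read -r count ip; do
    [ "$count" -ge "$1" ] || continue
    is_allowed "$ip" && continue
    echo "$ip"
  done
}
# -I inserts at the top of INPUT so the DROP beats the firewall script's ACCEPT
# rules; -A would land after its final catch-all DROP and never match.
block_offenders() {
  offenders "$1" | while read -r ip; do
    if [ "$DRY_RUN" = 1 ]; then echo "iptables -I INPUT -s $ip -j DROP"
    else iptables -I INPUT -s "$ip" -j DROP; fi
  done
}

# Demo on the constructed sample; real use: netstat -tan | block_offenders "$THRESHOLD"
printf '%s\n' "$SAMPLE_NETSTAT" | block_offenders 3
```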
 
My firewall.sh (starts with the system):
Code:
#!/bin/sh
iptables -F
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 20 -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m length --length 128:0xffff -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 20/minute -j ACCEPT
 
DDoS attacks are really hard to fight because there are too many packets to prevent. A good DDoS can hang even a secured server :/
 
Better to be secured than not secured, right?
 
I think that catching the IPs and sending them to abuse@ovh is vital. The attacker will be in danger, as DDoS attacks ARE actually a criminal offence, so OVH may take him to court and they will block him from the OVH network for sure ;)

Hoping you manage to cope with it,
KaczooH
 
$IPT -A INPUT -i eth0 -p tcp --dport 21 --source twojetajneip -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source cache.ovh.net -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --dport 22 --source twojetajneip -j ACCEPT

Not everyone speaks Polish ;s
 
This script is shit, sorry ;s
 
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.

What's wrong?
 
It's very good to have... I guess...

Since I don't understand shit about this xD, it's nothing for me ;p
 
OK, but what if it's banning my players hehe :p Any idea how to fix this so it doesn't ban normal players?
 