
Linux: Some protection against DDoS

Ok, but what if it's banning my players hehe :p Any idea how to fix this so it doesn't ban normal players?

No idea, maybe some pro knows ;]
But probably you can't; for me it was banning players too.
But it's not a big problem, you can unban them fast if you know that they are not DDoSing. ;p
 
How do I unban then?

'iptables -I INPUT -s $ip -j ACCEPT' in the console?
 

Btw, when you use it, has your attack been stopped?
Edit: I mean the script, when you use it. ;p
 
Ok, I've been attacking for a few days and been reading lots of tutorials. So here's my advice based on the tutorials.

Use this command to find out the IPs which have a lot of connections.
For WWW.
Code:
netstat -apn|grep :80 |awk '{print $5}'|sort
For OTS.
Code:
netstat -apn|grep :7171 |awk '{print $5}'|sort

If there are any, block them with this command.
Code:
iptables -A INPUT -s IP -j DROP

Now let's try to fight DoS attacks.
Install APF, a firewall.
Code:
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
Code:
tar -xvzf apf-current.tar.gz
Code:
cd apf-*
Code:
./install.sh

Configure - common ingress (inbound) TCP.
Code:
IG_TCP_CPORTS="22,80,7171"
22 SSH
80 WWW
7171 OTS

Start it with:
Code:
/etc/init.d/apf start

Now we will install DDoS Deflate with APF.
Description:
When you run this Perl script, it will run a netstat command to check how many times each IP is connected, and if there are more than the number of connections you specified, it will automatically run a command in APF for the IP to be banned.
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
Code:
chmod 0700 install.sh
Code:
./install.sh

That's it. Would be nice if I get some reputation from you, thanks.
 
A UDP flood can attack every type of port, not only the ones you have just listed.
For example, it can attack port 77, which doesn't exist on your system.
But great, thanks a lot; if I get DDoSed I will use the script for sure and check the results.
 
@kleksu
Use this command to find out the IPs which have a lot of connections.
Someone sent me better code a few months ago; I don't know his nick on the forum.
For WWW:
Code:
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
For OTS:
Code:
netstat -plan | grep :7171 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
To count all connections from 1 IP:
Code:
netstat -plan | grep : | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
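The two posts above (the DDoS Deflate description and the per-IP connection count) combined into one script, as an added example that is not code from the thread or from DDoS Deflate: it counts connections per source IP on a port from netstat-style output, applies a threshold plus a whitelist of known-good addresses (so regular players are not banned), and prints the iptables rules as a dry run instead of executing them. The netstat lines and the 198.51.100.x / 203.0.113.x addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample in `netstat -plan` layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:7171            0.0.0.0:*               LISTEN      1234/otserv
tcp        0      0 10.0.0.5:7171           198.51.100.10:50001     ESTABLISHED 1234/otserv
tcp        0      0 10.0.0.5:7171           198.51.100.10:50002     ESTABLISHED 1234/otserv
tcp        0      0 10.0.0.5:7171           198.51.100.10:50003     ESTABLISHED 1234/otserv
tcp        0      0 10.0.0.5:7171           198.51.100.10:50004     ESTABLISHED 1234/otserv
tcp        0      0 10.0.0.5:7171           198.51.100.20:40001     ESTABLISHED 1234/otserv
tcp        0      0 10.0.0.5:7171           198.51.100.20:40002     ESTABLISHED 1234/otserv
tcp        0      0 10.0.0.5:7171           203.0.113.5:33001       SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:1025        ESTABLISHED 999/apache2'

# count_by_ip PORT -> "count ip" lines for connections to PORT, ascending by count.
# Same idea as the netstat|awk|cut|sort|uniq pipeline above, but it matches the
# local port exactly and skips the LISTEN socket (foreign address 0.0.0.0:*).
count_by_ip() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk -v p=":$1" '$4 ~ p"$" && $5 != "0.0.0.0:*" { split($5, a, ":"); print a[1] }' \
      | sort | uniq -c | sort -nk1 | awk '{ print $1, $2 }'
}

# offenders PORT THRESHOLD WHITELIST -> IPs with more than THRESHOLD connections,
# except those in the comma-separated WHITELIST (your own IP, known players, ...).
offenders() {
    count_by_ip "$1" | awk -v t="$2" -v wl="$3" '
        BEGIN { n = split(wl, w, ","); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        $1 > t && !($2 in keep) { print $2 }'
}

# ban_commands PORT THRESHOLD WHITELIST -> the iptables rules that would be applied.
# Dry run: review the output, then pipe it to sh once you trust the threshold.
ban_commands() {
    offenders "$1" "$2" "$3" | awk '{ printf "iptables -I INPUT -s %s -j DROP\n", $1 }'
}

ban_commands 7171 3 "198.51.100.20"
```

The generated rules use `-I` (insert at the top of INPUT) rather than the `-A` from the post above: a DROP appended after an existing `--dport 7171 -j ACCEPT` rule is never reached, and to lift a ban later you delete that same rule with `-D INPUT -s IP -j DROP`.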
 

What does this mean for WWW?
Code:
ks201247:~# netstat -plan | grep :80 | awk {'print $5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1
      1 0.0.0.0
      1 88.156.28.45
      3 83.28.175.156
      6 83.7.42.195
      8 82.16.82.97
That someone has opened 8 pages from this IP?
8 82.16.82.97
 
yes
 
On my server I'm using:
- This "some protection against DDoS" :p
- Firewall
- Auto-ban of IPs that are sending too many packets
- Snort (cool program, a lot of features)
- Special Apache mods
 
$IPT -A INPUT -i eth0 -p tcp --source 192.168.0.0/16 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --source 192.168.0.0/16 -j ACCEPT
Why are you accepting class C? These lines are not required...



My Iptables configuration
Code:
#!/bin/sh

# Dulin Firewall v0.1a

# Configuration:
# path to iptables
ipt=`/usr/bin/whereis iptables | awk '{print $2}'`

# kernel hardening
conf_kernel() {
        # protection against Smurf attacks
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        # do not accept "source route" packets (they alter the routing table)
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
        # do not accept ICMP redirect packets, which could change our routing table
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
        # enable protection against bogus ICMP error packets
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        # anti-spoofing: each network interface only accepts packets
        # whose source address is reachable through it (reverse path filter)
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
        # log strange (spoofed, source routed, redirect) packets
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
        # ignore ICMP echo completely
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
}

# undo the kernel settings
deconf_kernel() {
        echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
        echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
        echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
        echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
        echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
}

# flush all rules and reset policies to ACCEPT
clean_rules() {
        $ipt -F
        $ipt -X
        $ipt -t nat -F
        $ipt -t nat -X
        $ipt -P FORWARD ACCEPT
        $ipt -P INPUT ACCEPT
        $ipt -P OUTPUT ACCEPT
}

start_rules() {
        # What we block and what we don't ...
        $ipt -P INPUT DROP
        $ipt -P FORWARD DROP
        $ipt -P OUTPUT ACCEPT

        # Block NEW connections with flags other than SYN
        $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
        $ipt -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

        # Drop fragmented packets
        $ipt -A INPUT -f -j DROP
        $ipt -A FORWARD -f -j DROP

        # Drop connections in INVALID state
        $ipt -A INPUT -m state --state INVALID -j DROP
        $ipt -A FORWARD -m state --state INVALID -j DROP

        # Allow traffic on loopback - IMPORTANT !!!
        $ipt -A INPUT -i lo -j ACCEPT

        # Established connections
        $ipt -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED,RELATED
        $ipt -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED

        # Extras
        # NULL scan detection
        $ipt -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "firewall: SKAN_NULL: "
        $ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
        # all packets considered NEW without the SYN flag are suspicious
        # (note: the "! --syn" DROP rule above already matches them, so the skany
        # chain only logs anything if that earlier rule is removed)
        $ipt -N skany
        $ipt -A INPUT -p tcp ! --syn -m state --state NEW -j skany
        $ipt -A skany -p tcp --tcp-flags ALL RST -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "firewall: SKAN_INVERSE: "
        $ipt -A skany -p tcp --tcp-flags ALL RST -j DROP
        $ipt -A skany -p tcp --tcp-flags ALL ACK -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "firewall: SKAN_TCP_PING: "
        $ipt -A skany -p tcp --tcp-flags ALL ACK -j DROP
        $ipt -A skany -p tcp --tcp-flags ALL FIN -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "firewall: SKAN_FIN: "
        $ipt -A skany -p tcp --tcp-flags ALL FIN -j DROP
        $ipt -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "firewall: SKAN_XMAS-NMAP: "
        $ipt -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
        $ipt -A skany -p tcp -m limit --limit 10/s --limit-burst 4 -j LOG --log-level debug --log-prefix "firewall: SKAN_INNE: "
        $ipt -A skany -j DROP

        # packets from unwanted source addresses
        $ipt -A INPUT -s 91.121.29.198 -j DROP # Land attack (our own address as source)
        $ipt -A INPUT -s 87.98.235.232 -j DROP # Land attack
        $ipt -A INPUT -s 10.0.0.0/8 -j DROP # private class A
        $ipt -A INPUT -s 172.16.0.0/12 -j DROP # private class B
        $ipt -A INPUT -s 192.168.0.0/16 -j DROP # private class C
        $ipt -A INPUT -s 224.0.0.0/4 -j DROP # multicast
        $ipt -A INPUT -d 224.0.0.0/4 -j DROP # multicast
        $ipt -A INPUT -s 240.0.0.0/5 -j DROP # reserved
        #$ipt -A INPUT -s 77.46.13.108 -j DROP
        # Now what we let through :)
        # ICMP (only locally, for mtr)
        $ipt -A INPUT -p icmp -m limit --limit 15/s -j ACCEPT
        # ssh
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 65512 -j ACCEPT
        # ftp (only I use it ...)
        # 89.174.253.1 - Wodzislaw server (just in case...)
        $ipt -A INPUT -p tcp -s 89.174.253.1 -d 91.121.29.198 --dport 21 -j ACCEPT
        # 89.174.253.39 - My computer
        $ipt -A INPUT -p tcp -s 89.174.253.39 -d 91.121.29.198 --dport 21 -j ACCEPT
        # dns
        $ipt -A INPUT -p udp --dport 53 -j ACCEPT
        # http
        $ipt -A INPUT -p tcp --dport 80 -j ACCEPT
        # smtp pop3 imap
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 25 -j ACCEPT
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 110 -j ACCEPT
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 143 -j ACCEPT
        # Junk...
        # Ventrilo
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 3784 -j ACCEPT
        # Tibia (Otserv)
        $ipt -A INPUT -p tcp --dport 7171 -j ACCEPT
        # TeamSpeak
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 14534 -j ACCEPT
        $ipt -A INPUT -p udp -d 91.121.29.198 --dport 8767 -j ACCEPT
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 51234 -j ACCEPT
        # OpenTibia port forwarding
        # OTS
        $ipt -A INPUT -p tcp -d 87.98.235.232 --dport 9001 -j ACCEPT
        $ipt -t nat -A PREROUTING -p tcp -d 87.98.235.232 --dport 7171 -j DNAT --to-destination 87.98.235.232:9001
        # Underland
        $ipt -A INPUT -p tcp -d 91.121.29.198 --dport 9002 -j ACCEPT
        $ipt -t nat -A PREROUTING -p tcp -d 91.121.29.198 --dport 7171 -j DNAT --to-destination 91.121.29.198:9002

}

case $1 in
        start)
                echo "Dulin Firewall: Loading ..."
                conf_kernel
                clean_rules
                start_rules
                echo "Dulin Firewall: Loaded."
                # exit 0: a successful start must not report failure to init
                exit 0
        ;;
        stop)
                echo "Dulin Firewall: Stopping ..."
                deconf_kernel
                clean_rules
                echo "Dulin Firewall: Stopped."
        ;;
        *)
                echo "Usage: $0 {start|stop}"
        ;;
esac
 
You have to change the secret IP to your IP, or if you have a dynamic one, just delete the rules which are necessary to connect via your "secret IP".
 