AlliedModders (https://forums.alliedmods.net/index.php)
-   Snippets and Tutorials (https://forums.alliedmods.net/forumdisplay.php?f=112)
-   -   Block ddos steam Fail2Ban (https://forums.alliedmods.net/showthread.php?t=106378)

cmer 10-14-2009 14:09

Block ddos steam Fail2Ban
 
Hello friends, here we will see how to block DDoS attacks on a Steam server using fail2ban and iptables.

Code:

# Create a chain that logs and then drops 28-byte UDP packets
# (20-byte IP header + 8-byte UDP header, i.e. no payload at all)
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP
#
# Send 28-byte UDP packets for the game port into that chain (one line per game port)
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28


# Create a chain that logs and then drops 46-byte UDP packets
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP
#
# Send 46-byte UDP packets for the game port into that chain (one line per game port)
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46

Install fail2ban

Code:

apt-get install fail2ban
Create a fail2ban filter named ddos

Code:

nano /etc/fail2ban/filter.d/ddos.conf
adding:

Code:

[Definition]

# Match the kernel LOG lines written by the REJECT_FLOOD28 and REJECT_FLOOD46 chains.
# The prefixes are "LENGTH 28" and "LENGTH 46", and the LEN= field of the log line is
# the packet length, so it must accept both values as well.
failregex = IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[A-Fa-f0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)

Open the file /etc/fail2ban/jail.conf and add

Code:

[ddos]
enabled = true
port      = 27015,27025,27050,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000

We restart fail2ban

Code:

/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start

And then, during the attack, you will find in your fail2ban.log:

Code:

2009-10-14 19:11:43,702 fail2ban.actions: WARNING [ddos] Ban 78.22.165.162

CatsyLady 10-14-2009 20:40

Re: Block ddos steam Fail2Ban
 
this still does not work

we have debian linux, and they still can attack us

cmer 10-14-2009 22:15

Re: Block ddos steam Fail2Ban
 
Quote:

Originally Posted by CatsyLady (Post 962234)
this still does not work

we have debian linux, and they still can attack us

Show me the rules as you put it :)

CatsyLady 10-15-2009 19:50

Re: Block ddos steam Fail2Ban
 
what rules do you mean?

I did step by step what you provided

devicenull 10-15-2009 21:09

Re: Block ddos steam Fail2Ban
 
I'd suggest looking at the actual content of the packets, rather than just blindly looking at the size. It should be fairly easy to actually pick out the contents of the packets.

berni 10-16-2009 02:47

Re: Block ddos steam Fail2Ban
 
Quote:

Originally Posted by devicenull (Post 963364)
I'd suggest looking at the actual content of the packets, rather than just blindly looking at the size. It should be fairly easy to actually pick out the contents of the packets.

And then? What do you do with random bytes :wink:

I recommend using 27015:27300 as the port range; the flood blocker works pretty well on my server.
I'm using it with ulogd to log the DoS attacks to my MySQL database, and a PHP script to generate a report of all attacks including IPs and an automatic lookup of the player this IP belongs to :)

biernot80 10-20-2009 17:57

Re: Block ddos steam Fail2Ban
 
Doesn't work on our Linux/Debian server.
We get DDoSed 23h out of 24h xD
It is installed as the "HowTo" says.


What settings do you need to see to check if all is ok?

fail2ban.conf
Code:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 412 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR.
# Values:  STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communication with the
#        daemon.
# Values: FILE  Default:  /tmp/fail2ban.sock
#
socket = /tmp/fail2ban.sock



jail.conf

Code:

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
 
# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled = true
port    = ssh
filter    = sshd
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = true
port    = http
filter    = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6


[apache-noscript]

enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = true
port    = ftp
filter  = vsftpd
logpath  = /var/log/auth.log
maxretry = 6


[proftpd]

enabled  = true
port    = ftp
filter  = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = true
port    = ftp
filter  = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port    = smtp
filter  = postfix
logpath  = /var/log/postfix.log


[couriersmtp]

enabled  = true
port    = smtp
filter  = couriersmtp
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port    = smtp
filter  = sasl
logpath  = /var/log/mail.log

[ddos]
enabled = true
port      = 27015,27025,27045,27050,27055,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
#action = iptables-multiport[name=ddos, port=27015,27025,27045,27050,27055,28000,29000, protocol=udp]

27015,27025,27045,27050,27055 are our Counter-Strike: Source ports.
27015 and 27045 always get DDoSed.

filter.d/ddos.conf
Code:

[Definition]

# Prefixes are "LENGTH 28" and "LENGTH 46"; LEN= in the log line is the packet length, so accept both values.
failregex = IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[A-Fa-f0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)

zBlock works fine, but we can add it.
We have a zombie server and zBlock doesn't work with Zombiemod.
It always crashes the server.
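Both cmer's tutorial and biernot80's config dump carry the same failregex, and a failregex that never matches is the first thing to rule out when fail2ban "doesn't work". The script below is an added example written for this thread, not code from the thread or from fail2ban: it runs the regex as originally posted and a corrected one over a few constructed kernel LOG lines and emulates fail2ban's maxretry counting. Assumptions: the `<HOST>` expansion is a simplified copy of fail2ban's own host pattern, `findtime=600` is fail2ban's default (the jail in the thread sets only maxretry and bantime), the sample log lines and IP addresses are constructed, and the sliding-window counting is a simplification of what fail2ban does internally.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as posted in the thread, kept here for comparison.
POSTED_FAILREGEX = (r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ "
                    r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28")
# Corrected form: the second chain logs with prefix "LENGTH 46" (not 48), and the
# LEN= field of those lines is 46, so a fixed "LEN=28" can never match them.
FIXED_FAILREGEX = (r"IPTABLES-FLOOD LENGTH (28|46): IN=eth0 OUT= MAC=[A-Fa-f0-9:]+ "
                   r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|46)")

# Assumption: simplified copy of the named group fail2ban substitutes for <HOST>.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def kernel_log_line(ts, length, src):
    """Constructed sample line in the syslog form the iptables LOG target produces."""
    return (f"{ts} gs1 kernel: IPTABLES-FLOOD LENGTH {length}: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=203.0.113.5 "
            f"LEN={length} TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP "
            f"SPT=40000 DPT=27015 LEN={length - 20}")


# Constructed sample log: three sources hitting the chains, plus one unrelated sshd line.
SAMPLE_LOG = [
    kernel_log_line("Oct 14 19:10:01", 28, "198.51.100.7"),
    kernel_log_line("Oct 14 19:10:02", 28, "198.51.100.7"),
    kernel_log_line("Oct 14 19:10:03", 28, "198.51.100.7"),
    kernel_log_line("Oct 14 19:10:04", 46, "198.51.100.8"),
    kernel_log_line("Oct 14 19:10:05", 46, "198.51.100.8"),
    kernel_log_line("Oct 14 19:10:06", 46, "198.51.100.8"),
    kernel_log_line("Oct 14 19:10:07", 28, "192.0.2.9"),
    kernel_log_line("Oct 14 19:10:08", 28, "192.0.2.9"),
    "Oct 14 19:11:00 gs1 sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 51234 ssh2",
    kernel_log_line("Oct 14 19:25:00", 28, "192.0.2.9"),  # third hit, but outside findtime
]


def matching_hosts(lines, pattern):
    """Return (timestamp, host) for every line the failregex matches."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need here
            ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(lines, pattern, maxretry=3, findtime=600):
    """Emulate fail2ban's counting: a host is banned once it has maxretry
    matching lines within findtime seconds (findtime=600 is fail2ban's default)."""
    per_host = defaultdict(list)
    for ts, host in matching_hosts(lines, pattern):
        per_host[host].append(ts)
    banned = set()
    for host, times in per_host.items():
        window = deque()
        for t in sorted(times):
            window.append(t)
            # forget hits older than findtime relative to the newest one
            while (t - window[0]).total_seconds() > findtime:
                window.popleft()
            if len(window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for label, regex in (("posted", POSTED_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        pat = compile_failregex(regex)
        print(f"{label}: {len(matching_hosts(SAMPLE_LOG, pat))} matching lines, "
              f"would ban {sorted(hosts_to_ban(SAMPLE_LOG, pat))}")
```

With the posted regex only the 28-byte flood source is ever banned; the 46-byte flood is logged by iptables but invisible to fail2ban. Two further checks worth making on a real box: run `fail2ban-regex /path/to/logfile /etc/fail2ban/filter.d/ddos.conf` against the file the jail watches, and confirm that `logpath` is the file your syslog actually writes kernel messages to (on Debian with the default syslog configuration that is /var/log/kern.log or /var/log/messages, not /var/log/messages.log). During a real flood an unthrottled LOG rule also writes one line per packet, so rate-limiting the LOG rule with `-m limit` keeps syslog usable.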

devicenull 10-25-2009 20:11

Re: Block ddos steam Fail2Ban
 
Quote:

Originally Posted by berni (Post 963539)
And then ? What do you do with random bytes :wink:

I recommend using 27015:27300 as portrange, the flood blocker works pretty well on my server.
I'm using it with ulogd to log the dos attacks to my mysql database, and a php script to generate a report of all attacks including IPs and an automatic lookup with player this IP belongs to :)

The tools people are using to do this send out predictable packets. You can detect them and then either block or log these packets.

zeroibis 10-26-2009 01:22

Re: Block ddos steam Fail2Ban
 
I assume this is only for linux?

thetwistedpanda 10-26-2009 01:26

Re: Block ddos steam Fail2Ban
 
zeroibis, a Windows solution may be to block ping requests from being sent to your server (windows firewall perhaps). Might not have the same effect, but it seems to have worked for me.

