Thread: Block ddos steam Fail2Ban
View Single Post
Author Message
cmer
Member
cmer's Avatar
Join Date: Apr 2009
Old 10-14-2009 , 14:09   Block ddos steam Fail2Ban
Reply With Quote #1
Hello friends here we will see how to block DDoS attacks on server with steam using fail2ban and iptables

Code:
# Creation channel rejection flood udp 28
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28


# Creation channel rejection flood udp 46
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
install fail2ban

Code:
apt-get install fail2ban
it creates a filter fail2ban ddos

Code:
nano /etc/fail2ban/filter.d/ddos.conf
Adding

Code:
[Definition]

failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28
it opens the file /etc/fail2ban/jail.conf and we add

Code:
[ddos]
enabled = true
port      = 27015,27025,27050,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
We restart fail2ban

Code:
/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start
And then during the attack you will find in your fail2ban.log
Code:
2009-10-14 19:11:43,702 fail2ban.actions: WARNING [ddos] Ban 78.22.165.162
__________________


Last edited by cmer; 10-14-2009 at 22:14.
cmer is offline