Block ddos steam Fail2Ban

cmer · **Author**

Hello friends here we will see how to block DDoS attacks on server with steam using fail2ban and iptables

Code:

# Creation channel rejection flood udp 28
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28


# Creation channel rejection flood udp 46
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46

install fail2ban

Code:

apt-get install fail2ban

it creates a filter fail2ban ddos

Code:

nano /etc/fail2ban/filter.d/ddos.conf

Adding

Code:

[Definition]

failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28

it opens the file /etc/fail2ban/jail.conf and we add

Code:

[ddos]
enabled = true
port      = 27015,27025,27050,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000

We restart fail2ban

Code:

/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start

And then during the attack you will find in your fail2ban.log

Code:

2009-10-14 19:11:43,702 fail2ban.actions: WARNING [ddos] Ban 78.22.165.162