Raised This Month: $12 Target: $400
 3% 

Block ddos steam Fail2Ban


Post New Thread Reply   
 
Thread Tools Display Modes
Author Message
cmer
Member
Join Date: Apr 2009
Old 10-14-2009 , 14:09   Block ddos steam Fail2Ban
Reply With Quote #1

Hello friends here we will see how to block DDoS attacks on server with steam using fail2ban and iptables

Code:
# Creation channel rejection flood udp 28
iptables -N REJECT_FLOOD28
iptables -A REJECT_FLOOD28 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 28: ' --log-level info
iptables -A REJECT_FLOOD28 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 28 -j REJECT_FLOOD28


# Creation channel rejection flood udp 46
iptables -N REJECT_FLOOD46
iptables -A REJECT_FLOOD46 -j LOG --log-prefix 'IPTABLES-FLOOD LENGTH 46: ' --log-level info
iptables -A REJECT_FLOOD46 -j DROP
#
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
iptables -A INPUT -i eth0 -p udp --dport your_port -m length --length 46 -j REJECT_FLOOD46
install fail2ban

Code:
apt-get install fail2ban
it creates a filter fail2ban ddos

Code:
nano /etc/fail2ban/filter.d/ddos.conf
Adding

Code:
[Definition]

failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28
it opens the file /etc/fail2ban/jail.conf and we add

Code:
[ddos]
enabled = true
port      = 27015,27025,27050,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
We restart fail2ban

Code:
/etc/init.d/fail2ban stop
/etc/init.d/fail2ban start
And then during the attack you will find in your fail2ban.log

Code:
2009-10-14 19:11:43,702 fail2ban.actions: WARNING [ddos] Ban 78.22.165.162
__________________



Last edited by cmer; 10-14-2009 at 22:14.
cmer is offline
CatsyLady
Senior Member
Join Date: Oct 2009
Location: Germany
Old 10-14-2009 , 20:40   Re: Block ddos steam Fail2Ban
Reply With Quote #2

this still do not work

we have debian linux, and they still can attack us
CatsyLady is offline
cmer
Member
Join Date: Apr 2009
Old 10-14-2009 , 22:15   Re: Block ddos steam Fail2Ban
Reply With Quote #3

Quote:
Originally Posted by CatsyLady View Post
this still do not work

we have debian linux, and they still can attack us
Show me the rules as you put it
__________________


cmer is offline
CatsyLady
Senior Member
Join Date: Oct 2009
Location: Germany
Old 10-15-2009 , 19:50   Re: Block ddos steam Fail2Ban
Reply With Quote #4

what rules you mean?

i did step by step what you provide
CatsyLady is offline
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 10-15-2009 , 21:09   Re: Block ddos steam Fail2Ban
Reply With Quote #5

I'd suggest looking at the actual content of the packets, rather then just blindly looking at the size.. should be fairly easy to actually pick out the contents of the packets.
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
devicenull is offline
berni
SourceMod Plugin Approver
Join Date: May 2007
Location: Austria
Old 10-16-2009 , 02:47   Re: Block ddos steam Fail2Ban
Reply With Quote #6

Quote:
Originally Posted by devicenull View Post
I'd suggest looking at the actual content of the packets, rather then just blindly looking at the size.. should be fairly easy to actually pick out the contents of the packets.
And then ? What do you do with random bytes

I recommend using 27015:27300 as portrange, the flood blocker works pretty well on my server.
I'm using it with ulogd to log the dos attacks to my mysql database, and a php script to generate a report of all attacks including IPs and an automatic lookup with player this IP belongs to
__________________
Why reinvent the wheel ? Download smlib with over 350 useful functions.

When people ask me "Plz" just because it's shorter than "Please" I feel perfectly justified to answer "No" because it's shorter than "Yes"
powered by Core i7 3770k | 32GB DDR3 1886Mhz | 2x Vertex4 SSD Raid0
berni is offline
biernot80
New Member
Join Date: Oct 2009
Old 10-20-2009 , 17:57   Re: Block ddos steam Fail2Ban
Reply With Quote #7

Doesnt work, on our Server Linux/Deabian
we goes s 23h DDoSed from 24h xD
is installed as the "HowTo" is


what for settings u need to see if all ok?

fail2ban.conf
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 412 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR.
# Values:  STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communication with the
#         daemon.
# Values: FILE  Default:  /tmp/fail2ban.sock
#
socket = /tmp/fail2ban.sock


jail.conf

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report 
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
 
# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled = true
port    = ssh
filter    = sshd
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = true
port    = http
filter    = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6


[apache-noscript]

enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = true
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 6


[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = true
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/postfix.log


[couriersmtp]

enabled  = true
port     = smtp
filter   = couriersmtp
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log

[ddos]
enabled = true
port      = 27015,27025,27045,27050,27055,28000,29000
protocol = udp
filter = ddos
logpath = /var/log/messages.log
maxretry = 3
bantime = 6000
#action = iptables-multiport[name=ddos, port=27015,27025,27045,27050,27055,28000,29000, protocol=udp]
27015,27025,27045,27050,27055 thats our Counter Strike Source Ports
27015,27045 gets always DDoS

filter.d/ddos.conf
Code:
[Definition]

failregex= IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28
zBlock works fine, but we can add it.
we have a Zombieserver and zBlock doesnt work with Zombiemod.
it crash always the server.

Last edited by biernot80; 10-20-2009 at 18:19.
biernot80 is offline
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 10-25-2009 , 20:11   Re: Block ddos steam Fail2Ban
Reply With Quote #8

Quote:
Originally Posted by berni View Post
And then ? What do you do with random bytes

I recommend using 27015:27300 as portrange, the flood blocker works pretty well on my server.
I'm using it with ulogd to log the dos attacks to my mysql database, and a php script to generate a report of all attacks including IPs and an automatic lookup with player this IP belongs to
The tools people are using to do this send out predictable packets. You can detect then either block or log these packets
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
devicenull is offline
zeroibis
Veteran Member
Join Date: Jun 2007
Old 10-26-2009 , 01:22   Re: Block ddos steam Fail2Ban
Reply With Quote #9

I assume this is only for linux?
__________________
zeroibis is offline
thetwistedpanda
Good Little Panda
Join Date: Sep 2008
Old 10-26-2009 , 01:26   Re: Block ddos steam Fail2Ban
Reply With Quote #10

zeroibis, a Windows solution may be to block ping requests from being sent to your server (windows firewall perhaps). Might not have the same effect, but it seems to have worked for me.
thetwistedpanda is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 08:06.


Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Theme made by Freecode