AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   Off-Topic (https://forums.alliedmods.net/forumdisplay.php?f=15)
-   -   Anti DDos Debian 10 (https://forums.alliedmods.net/showthread.php?t=329863)

Shadypastbrightfuture 01-10-2021 17:29

Anti DDos Debian 10
 
Hello Everyone,

For the past few days, my server has been getting DDoS attacks. The bandwidth of the attacks is more than what my ISP can handle. I am creating some firewall rules; if anyone can help me with them, I will really appreciate it.

If you know some firewall/iptables rules, please let me know. If you know some anti-DDoS tool which will work, please let me know.

I have a few questions, if you can answer them.
1. What ports does CS 1.6 use other than 27015 (game port) and 3306 (MySQL)?
2. What should be the recommended rate limit for the UDP and TCP protocols?
3. Does CS 1.6 use the ICMP protocol? If yes, what is the recommended rate limit? if
4. What could be the rate limit for TCP SYN?


Below are some of the iptables rules I have already tried, but they did not work.

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 6000:6100 -j ACCEPT

iptables -A INPUT -p udp --dport 27015 -j ACCEPT
iptables -A INPUT -m string --string "HLBrute" --algo kmp -j DROP
iptables -A INPUT -m string --string "HLXBrute" --algo kmp -j DROP
iptables -A INPUT -p udp --dport 27015 -m u32 --u32 "0x19&0xff=0xfe" -j DROP

OS : Debian 10

redebr2818 01-10-2021 19:28

Re: Anti DDos Debian 10
 
Follow the rules I've been using. Note that I use xtables with geoip to block connections from other countries. (https://imanudin.net/2020/06/28/how-...oip-on-ubuntu/)
I've noticed that my server was receiving valid HL packets from servers from around the world. I think that someone was able to use HL servers to attack other HL servers (reflected DoS).
Hope it helps.

# Allow Gametracker inbound
-A INPUT -s 208.167.241.187/32 -p udp -j ACCEPT
-A INPUT -s 108.61.78.150/32 -p udp -j ACCEPT
-A INPUT -s 108.61.78.149/32 -p udp -j ACCEPT
-A INPUT -s 149.28.43.230/32 -p udp -j ACCEPT
-A INPUT -s 45.77.96.90/32 -p udp -j ACCEPT

# Accept only Brazil IPs
-A INPUT -p udp -m geoip ! --source-country BR -j DROP

# Accept UDP DNS
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT

#Accept SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Block fragmented packets
-A INPUT -f -j DROP

# Accept UDP connections to 27015 with extra steps* This is important
-A INPUT -p udp -m udp --dport 27015 -m multiport --sports 1024:1899,1901:2061,2063:3088,3090:5352,5354:7129,7131:27014,27016:65535 -m state --state NEW -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name UDPDOSPROTECT --hashlimit-htable-max 999999999 --hashlimit-htable-expire 60000 -m length --length 28:150 -m ttl --ttl-lt 200 -j ACCEPT
# Block no states packets (This is for TCP only)
-A INPUT -m state --state INVALID -j DROP
# Accept already established connections (also TCP only)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block anything else
-A INPUT -i eth0 -j DROP
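As an added illustration (not part of redebr2818's post), the following Python script models what the UDP 27015 rule above matches: the source-port ranges, the length and TTL limits, and the per-(srcip, dstport) hashlimit, approximated as a token bucket of size --hashlimit-burst refilled at --hashlimit-upto. The conntrack --state NEW match is not modelled (every packet is treated as NEW), and all packets and addresses are constructed.

```python
"""Model of the UDP 27015 hashlimit rule (added example, not the poster's code).
hashlimit is approximated as a token bucket per (srcip, dstport)."""
from dataclasses import dataclass

# Source-port ranges allowed by the rule's --sports list; the gaps are
# 1900, 2062, 3089, 5353, 7130 and 27015.
ALLOWED_SPORTS = [(1024, 1899), (1901, 2061), (2063, 3088), (3090, 5352),
                  (5354, 7129), (7131, 27014), (27016, 65535)]
RATE_PER_SEC = 1.0            # --hashlimit-upto 1/sec
BURST = 3                     # --hashlimit-burst 3
MIN_LEN, MAX_LEN = 28, 150    # --length 28:150 (IP packet length)
MAX_TTL = 200                 # --ttl-lt 200 (strictly less than)

@dataclass
class Packet:
    t: float      # arrival time in seconds (constructed)
    src: str      # source IP (constructed, documentation range)
    sport: int
    length: int
    ttl: int
    dport: int = 27015

class HashLimit:
    """Token bucket per key, refilled at RATE_PER_SEC up to BURST tokens."""
    def __init__(self):
        self.buckets = {}   # key -> (tokens, time of last update)
    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE_PER_SEC)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return True
        self.buckets[key] = (tokens, now)
        return False

def evaluate(packets):
    """Return 'MATCH' or 'NO MATCH' for each packet, in arrival order."""
    limiter = HashLimit()
    verdicts = []
    for p in packets:
        ok = (p.dport == 27015
              and any(lo <= p.sport <= hi for lo, hi in ALLOWED_SPORTS)
              and MIN_LEN <= p.length <= MAX_LEN
              and p.ttl < MAX_TTL)
        # hashlimit is only consulted once the earlier matches have passed
        ok = ok and limiter.allow((p.src, p.dport), p.t)
        verdicts.append("MATCH" if ok else "NO MATCH")
    return verdicts
```

A packet that does not match falls through to the later rules in the chain, which in this ruleset ends with a DROP.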

anderpp 01-17-2021 15:17

Re: Anti DDos Debian 10
 
Quote:

Originally Posted by redebr2818 (Post 2732141)
# Accept UDP DNS
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT

I didn't understand this part.
The rule repeats and has an unknown term, DNSIP?

redebr2818 01-17-2021 17:47

Re: Anti DDos Debian 10
 
Quote:

Originally Posted by anderpp (Post 2733001)
I didn't understand this part.
The rule repeats and has an unknown term, DNSIP?

I have 2 recursive DNS server IPs; that's why. I've noticed many reflected DoS attacks using DNS servers. That's why I allow only my recursive servers.

DJEarthQuake 01-26-2021 16:56

Re: Anti DDos Debian 10
 
FAIL2BAN

acobC1989 02-12-2021 11:10

Re: Anti DDos Debian 10
 
Quote:

Originally Posted by DJEarthQuake (Post 2734391)
FAIL2BAN

In 2021? I think it's a bad idea. Fail2Ban is a processor-intensive app given its limited usefulness. A better alternative to Fail2ban is HeatShield, a sister company of ServerPilot.

DJEarthQuake 03-12-2021 15:27

Re: Anti DDos Debian 10
 
On a cheap VPS it is part of the cost of doing business. Be sure to maintain a good relationship with your provider. On a dedicated line my FAIL2BAN is never past 0.3 CPU on what I consider stone-age hardware, even under active DDoS. Just a single core.

Their homepage mission statement:
Quote:

HeatShield allows you to easily manage all of your servers' firewalls without having to SSH into them again.
Being in a root shell will always put the admin one up on them. This discounts that, misleads innocents otherwise, and wants money.

Quote:

Originally Posted by DJEarthQuake (Post 2659235)
Bad idea. Upgrades overwrite jail.conf.


According to this article, https://gamebanana.com/threads/128192, cstrike-planet.com disappeared 11 years ago. [counter-strike] had been a default in fail2ban for years before this thread was written.

I see threads ranging from IP rules to offloading modules, while we have had one all along, preconfigured in fail2ban. The logpath is out of date and needs to point to /var/log/messages in most instances.

Code:

/etc/fail2ban/jail.conf

[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
          %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

Quote:

Originally Posted by DJEarthQuake (Post 2705641)
Fail2ban helps. Malformed packets can be tagged for later control.

server.cfg
Default hlds settings.
//max_queries_sec : 3
//max_queries_sec_global : 30
//max_queries_window : 60


More sensitive
max_queries_sec 2
max_queries_sec_global 15
max_queries_window 30

Easy test.
Refresh the server a bunch of times and one will see "...was blocked for exceeding rate limits".


/etc/fail2ban/filter.d/gearbox.conf
Code:

# Fail2Ban filter for ddos for GoldSrc
#
#

[Definition]

failregex = : Traffic from <HOST>:(\d{1,5}) was blocked for exceeding rate limits

ignoreregex =

[Init]

datepattern = %%m/%%d/%%Y - %%H:%%M:%%S

# Author: SPiNX March 2020


jail.local
Code:

[hlds-ddos]
enabled = true
maxretry = 50
findtime  = 100
bantime = 900
logpath = /var/log/messages
tcpport = 27005,27015,27016,27017,27018,27019,27020,27030
udpport = 27005,27015,27016,27017,27018,27019,27020,27030
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
          %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[gearbox]
enabled = true
maxretry = 2
bantime = 1800
findtime  = 10
logpath = /home/TUT/Steam/steamapps/common/Half-Life/cstrike/qconsole.log
                  /home/TUT/Steam/steamapps/common/Half-Life/dod/qconsole.log
                  /home/TUT/Steam/steamapps/common/Half-Life/gearbox/qconsole.log

banaction = %(banaction_allports)s

Be sure to pay attention to or rotate qconsole.log; it gets big fast.
https://developer.valvesoftware.com/...d_Line_Options
-condebug - Stores console output to "Half-Life\qconsole.log".

fail2ban-client status
Code:

Status
|- Number of jail:        6
`- Jail list:        gearbox, hlds-ddos, nginx-botsearch, nginx-http-auth, nginx-limit-req, sshd

Nobody even bothers anymore. Earlier this year it was very active banning bad guys.

fail2ban-client status hlds-ddos
Code:

Status for the jail: hlds-ddos
|- Filter
|  |- Currently failed:        3
|  |- Total failed:        18841
|  `- File list:        /var/log/messages
`- Actions
  |- Currently banned:        0
  |- Total banned:        0
  `- Banned IP list:

|- Currently banned: 95
|- Total banned: 1431
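As an added check (not from DJEarthQuake's post), this Python script runs the gearbox.conf failregex and the [gearbox] jail's maxretry/findtime settings over constructed GoldSrc log lines. It assumes <HOST> is replaced by an IPv4 group (fail2ban's real expansion also accepts IPv6 addresses and hostnames) and that the lines carry the filter's datepattern.

```python
"""Check the gearbox filter and jail settings against sample log lines
(added example, not the poster's code). Log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# failregex from gearbox.conf, with fail2ban's <HOST> tag replaced by an IPv4 group
FAILREGEX = re.compile(
    r": Traffic from (?P<host>(?:\d{1,3}\.){3}\d{1,3}):(\d{1,5}) was blocked for exceeding rate limits")
# datepattern from the [Init] section, with the config's %% unescaped to %
DATE_RE = re.compile(r"(\d{2}/\d{2}/\d{4} - \d{2}:\d{2}:\d{2})")
DATE_FMT = "%m/%d/%Y - %H:%M:%S"

MAXRETRY = 2     # [gearbox] maxretry
FINDTIME = 10    # [gearbox] findtime, in seconds

def parse_line(line):
    """Return (timestamp, host) if the line matches the filter, else None."""
    m, d = FAILREGEX.search(line), DATE_RE.search(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(1), DATE_FMT), m.group("host")

def hosts_to_ban(lines):
    """Ban a host once it has MAXRETRY matching lines within FINDTIME seconds."""
    hits = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        # keep only the hits that are still inside the findtime window
        window = [t for t in hits[host] if (ts - t).total_seconds() <= FINDTIME]
        window.append(ts)
        hits[host] = window
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines in the hlds "L mm/dd/yyyy - hh:mm:ss:" log style
SAMPLE_LOG = [
    'L 03/12/2021 - 15:27:01: Traffic from 203.0.113.5:27005 was blocked for exceeding rate limits',
    'L 03/12/2021 - 15:27:03: Traffic from 203.0.113.5:27005 was blocked for exceeding rate limits',
    'L 03/12/2021 - 15:27:05: "Player<2><STEAM_ID_PLACEHOLDER><>" connected, address "198.51.100.7:27005"',
    'L 03/12/2021 - 15:27:09: Traffic from 198.51.100.9:27005 was blocked for exceeding rate limits',
    'L 03/12/2021 - 15:28:30: Traffic from 198.51.100.9:27005 was blocked for exceeding rate limits',
]
```

The second host's two hits are 81 seconds apart, outside the 10-second findtime, so only the first host reaches maxretry.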

