Hardening SRCDS with iptables rules
A lot of people have been asking about how to protect a Linux server against denial of service (DoS) attacks lately. The vast majority of these attacks involve one individual using a scripted program to execute an attack on a single server target. The goal of using iptables here is to handle networking traffic before it reaches srcds where it could cause undesired latency for players. Also, keep in mind that these iptables rules will do nothing in the face of a large-scale sustained DDoS attacks. With that in mind, effectively iptables rules will mitigate script kiddies' DoS, small-scale DDoS, and even larger pulsed DDoS attacks.
Before you begin changing the iptables rules, unless you have physical access to the server you should consider scheduling a periodic iptables rules flush in case a change causes the system to lock everyone out. To do this, make a shell script with the proper permissions and put the following inside it: Code:
iptables -F The first measure of protection is to develop a white-list of IP addresses that have your permission to access rcon; otherwise, it's best to completely hide rcon from the outside world. Code:
iptables -A INPUT -p tcp --destination-port 27015 -j LOG --log-prefix "SRCDS-RCON " -m limit --limit 1/m --limit-burst 1 Code:
iptables -A INPUT -p udp --destination-port 27015 -m length --length 0:32 -j LOG --log-prefix "SRCDS-XSQUERY " --log-ip-options -m limit --limit 1/m --limit-burst 1 Maximum Size = (`net_maxroutable`) + (`net_splitrate`) * (`net_maxfragments`) which gives 2520 bytes under the default configuration. Code:
iptables -A INPUT -p udp --destination-port 27015 -m length --length 2521:65535 -j LOG --log-prefix "SRCDS-XLFRAG " --log-ip-options -m limit --limit 1/m --limit-burst 1 Code:
-m hashlimit --hashlimit-mode dstport,dstip --hashlimit-name StopFlood --hashlimit 330/s --hashlimit-burst 66 After this we'll accept all 'established' UDP connections. Since UDP is a stateless protocol, 'established' is a bit of a misnomer. In this sense, established means that there has been communication in both directions from the same source port to the same destination port and a timeout value has not been reached. Code:
iptables -A INPUT -p udp -m state --state ESTABLISH -j ACCEPT 1) You run multiple game servers on different ports but same IP For this you'd want to make the hash-limit come from the source IP and go to the destination port (srcip,dstport). Code:
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip,dstport --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT For this it's easier just to specify the source IP for the hash (srcip). Code:
iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT Code:
iptables -A INPUT -p udp -j LOG --log-prefix "UDP-SPAM " --log-ip-options -m limit --limit 1/m --limit-burst 1 There are other iptables firewalls posted that use packet inspection to deny a few of these scripted DoS attacks. Generally, if it's easily detected by a simpler iptables rule, then use that instead. Also, there are quite a few SourceMM or SM extensions that attempt to deal with this issue as well: DAF, Query Cache, et. al. It's best to avoid letting srcds or any related plugins or extensions deal with these problems. But, other than resource consumption, there's no harm in using both approaches. Other Considerations: If you're default policy on the INPUT chain is to accept traffic, consider changing it to drop. If you do so, remember to make allowances for already established tcp connections. If your net_splitrate is 0 and you won't fragment packets, consider disabling fragmentation completely for srcds traffic. If you receive attacks from shady foreign countries such as Burma or North Korea, consider black-listing these entire countries. |
Re: Hardening SRCDS with iptables rules
Nice guide, I'm using these rules for a long time now and nobody bothered me with DoS attacks since.
It does however require a dedicated server with root access and it won't protect you against DDoS attacks (then again, what will?). |
Re: Hardening SRCDS with iptables rules
Can I apply these rules to hlds - for example the packet length 0 to 32
|
Re: Hardening SRCDS with iptables rules
Quote:
|
Re: Hardening SRCDS with iptables rules
For Windows 7 ? anti flooding ?
|
Re: Hardening SRCDS with iptables rules
No
|
Re: Hardening SRCDS with iptables rules
Hmm,
I found some more additional rules that reduce resource usage during a DDOS attack, but it is not iptables related. Protocol Related: TCP File related: /etc/sysctl.conf To see your current setting, use command: sysctl -a | grep ipv4 | grep syn Here is the setting I use on my server: Quote:
Originally both retries settings are 3, change them to 1 can reduce your server and network load during DDOS attack. Use command "sysctl -p" to apply new settings. Please do this if you want and you know what you are doing. I am posting this as a suggestion, or discussion. I will not responsible for any cause by using what I said above. |
Re: Hardening SRCDS with iptables rules
Quote:
-x00 |
Re: Hardening SRCDS with iptables rules
Hey when I try to enter iptables -A INPUT -p udp -m state --state NEW -m hashlimit --hashlimit-mode srcip --hashlimit-name StopDoS --hashlimit 1/s --hashlimit-burst 3 -j ACCEPT I get Unknown error 18446744073709551615
Do you happen to know why this happens? |
Re: Hardening SRCDS with iptables rules
Quote:
|
All times are GMT -4. The time now is 16:20. |
Powered by vBulletin®
Copyright ©2000 - 2024, vBulletin Solutions, Inc.