03-12-2021, 15:27
Re: Anti DDos Debian 10
#7
On a cheap VPS it is part of the cost of doing business. Be sure to maintain a good relationship with your provider. On a dedicated line my FAIL2BAN is never past 0.3 CPU on what I consider stone-age hardware and active ddos. Just a single core.
Their homepage mission statement:
Quote:
HeatShield allows you to easily manage all of your servers' firewalls without having to SSH into them again.
|
Being in root shell will always put admin 1 up on them. This discounts that and misleads innocents otherwise and wants money.
Quote:
Originally Posted by DJEarthQuake
Bad idea. Upgrades overwrite jail.conf.
According to this article https://gamebanana.com/threads/128192
cstrike-planet.com disappeared 11 years ago. [counter-strike] has been default in fail2ban years before this thread was written.
I see IP rules threads to offloading module threads while we have had one all along with fail2ban preconfigured. The logpath is out of date and needs to point to /var/log/messages in most instances.
Code:
/etc/fail2ban/jail.conf
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
Quote:
Originally Posted by DJEarthQuake
Fail2ban helps. Malformed packets can be tagged for later control.
server.cfg
Default hlds settings.
//max_queries_sec : 3
//max_queries_sec_global : 30
//max_queries_window : 60
More sensitive
max_queries_sec 2
max_queries_sec_global 15
max_queries_window 30
Easy test.
Refresh the server a bunch of times and one will see "...was blocked for exceeding rate limits".
/etc/fail2ban/filter.d/gearbox.conf
Code:
# Fail2Ban filter for ddos for GoldSrc
#
#
[Definition]
failregex = : Traffic from <HOST>:(\d{1,5}) was blocked for exceeding rate limits
ignoreregex =
[Init]
datepattern = %%m/%%d/%%Y - %%H:%%M:%%S
# Author: SPiNX March 2020
jail.local
Code:
[hlds-ddos]
enabled = true
maxretry = 50
findtime = 100
bantime = 900
logpath = /var/log/messages
tcpport = 27005,27015,27016,27017,27018,27019,27020,27030
udpport = 27005,27015,27016,27017,27018,27019,27020,27030
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
[gearbox]
enabled = true
maxretry = 2
bantime = 1800
findtime = 10
logpath = /home/TUT/Steam/steamapps/common/Half-Life/cstrike/qconsole.log
          /home/TUT/Steam/steamapps/common/Half-Life/dod/qconsole.log
          /home/TUT/Steam/steamapps/common/Half-Life/gearbox/qconsole.log
banaction = %(banaction_allports)s
Be sure to pay attention to or rotate qconsole.log; it gets big fast.
https://developer.valvesoftware.com/...d_Line_Options
-condebug - Stores console output to "Half-Life\qconsole.log".
fail2ban-client status
Code:
Status
|- Number of jail: 6
`- Jail list: gearbox, hlds-ddos, nginx-botsearch, nginx-http-auth, nginx-limit-req, sshd
Nobody even bothers anymore. Earlier this year it was very active banning bad guys.
fail2ban-client status hlds-ddos
Code:
Status for the jail: hlds-ddos
|- Filter
| |- Currently failed: 3
| |- Total failed: 18841
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
|
|- Currently banned: 95
|- Total banned: 1431
__________________
Last edited by DJEarthQuake; 03-13-2021 at 10:17.
Reason: Forgot about cheap VPS! Just lease 4 cores!!
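Added example, not part of the original post: a simplified Python model of how the gearbox.conf failregex and the jail.local maxretry/findtime/bantime values above decide a ban, run over constructed log lines. The IPv4-only stand-in for <HOST>, the simulate function and the sample lines are assumptions; fail2ban's own matching and failure tracking are more involved.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex and datepattern as given in gearbox.conf in the post.
FAILREGEX = r": Traffic from <HOST>:(\d{1,5}) was blocked for exceeding rate limits"
DATE_FMT = "%m/%d/%Y - %H:%M:%S"  # the config's %% is just an escaped %
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4} - \d{2}:\d{2}:\d{2}")
# Assumption: <HOST> narrowed to dotted IPv4; fail2ban's tag also accepts IPv6 and hostnames.
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))

# Constructed sample lines (documentation IPs), shaped to fit the filter above.
RATE = "was blocked for exceeding rate limits"
SAMPLE = [
    f"L 03/12/2021 - 15:27:01: Traffic from 203.0.113.7:27005 {RATE}",
    f"L 03/12/2021 - 15:27:03: Traffic from 198.51.100.9:40112 {RATE}",
    'L 03/12/2021 - 15:27:04: Server say "hello"',
    f"L 03/12/2021 - 15:27:06: Traffic from 203.0.113.7:27005 {RATE}",
    f"L 03/12/2021 - 15:27:07: Traffic from 203.0.113.7:27005 {RATE}",
    f"L 03/12/2021 - 15:27:30: Traffic from 198.51.100.9:40113 {RATE}",
]

def simulate(lines, maxretry, findtime, bantime):
    """Simplified jail: ban an IP once maxretry matches land within findtime seconds."""
    hits, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        date, match = DATE_RE.search(line), PATTERN.search(line)
        if not (date and match):
            continue  # no timestamp, or not a rate-limit line
        now = datetime.strptime(date.group(0), DATE_FMT)
        ip = match.group("host")
        if ip in banned_until and now < banned_until[ip]:
            continue  # still inside bantime for this IP
        window = hits[ip]
        window.append(now)
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()  # forget matches older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = now + timedelta(seconds=bantime)
            bans.append((ip, date.group(0)))
            window.clear()
    return bans

if __name__ == "__main__":
    print("[gearbox]  ", simulate(SAMPLE, maxretry=2, findtime=10, bantime=1800))
    print("[hlds-ddos]", simulate(SAMPLE, maxretry=50, findtime=100, bantime=900))
```

On a live server, fail2ban-regex run against qconsole.log with the gearbox filter reports what the real filter matches.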