Block ddos steam Fail2Ban


biernot80
New Member
Join Date: Oct 2009
10-20-2009, 17:57   Re: Block ddos steam Fail2Ban
#1

Doesn't work on our server (Linux/Debian).
We get DDoSed 23 hours out of 24 xD
It is installed as the "HowTo" says.

Which settings do you need to see to check that everything is ok?

fail2ban.conf
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 412 $
#

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR.
# Values:  STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communication with the
#         daemon.
# Values: FILE  Default:  /tmp/fail2ban.sock
#
socket = /tmp/fail2ban.sock


jail.conf

Code:
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
#  for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <[email protected]>
#
# $Revision: 281 $
#

# The DEFAULT section allows a global definition of the options. They can be
# overridden in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

# Following actions can be chosen as an alternatives to the above action.
# To activate, just copy/paste+uncomment chosen 2 (excluding comments) lines
# into jail.local

# Default action to take: ban & send an e-mail with whois report
# to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois[name=%(__name__)s, dest=%(destemail)s]

# Default action to take: ban & send an e-mail with whois report 
# and relevant log lines to the destemail.
# action = iptables[name=%(__name__)s, port=%(port)s]
#          mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]
 
# Next jails corresponds to the standard configuration in Fail2ban 0.6
# which was shipped in Debian. Please enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true
#
# in /etc/fail2ban/jail.local.
#

[ssh]

enabled = true
port    = ssh
filter    = sshd
logpath  = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = true
port    = http
filter    = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6


[apache-noscript]

enabled = true
port    = http
filter  = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

#
# FTP servers
#

[vsftpd]

enabled  = true
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 6


[proftpd]

enabled  = true
port     = ftp
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[wuftpd]

enabled  = true
port     = ftp
filter   = wuftpd
logpath  = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/postfix.log


[couriersmtp]

enabled  = true
port     = smtp
filter   = couriersmtp
logpath  = /var/log/mail.log


[sasl]

enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log

[ddos]
enabled  = true
port     = 27015,27025,27045,27050,27055,28000,29000
protocol = udp
filter   = ddos
logpath  = /var/log/messages.log
maxretry = 3
bantime  = 6000
# The DEFAULT action (iptables[...]) takes a single port, so a comma-separated
# list needs iptables-multiport; the list is quoted so the commas are not read
# as argument separators.
action   = iptables-multiport[name=ddos, port="27015,27025,27045,27050,27055,28000,29000", protocol=udp]
27015, 27025, 27045, 27050 and 27055 are our Counter-Strike: Source ports.
27015 and 27045 always get DDoSed.

filter.d/ddos.conf
Code:
[Definition]

# Matches the kernel LOG lines written by an iptables rule whose log prefix is
# "IPTABLES-FLOOD LENGTH 28:" or "IPTABLES-FLOOD LENGTH 48:"; <HOST> captures SRC.
# The MAC class is hex only, and LEN accepts both sizes so that the LENGTH 48
# lines match as well (with a fixed LEN=28 they never would).
failregex = IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|48)

ignoreregex =
zBlock works fine, but we can't add it:
we have a zombie server and zBlock doesn't work with Zombiemod,
it always crashes the server.

Last edited by biernot80; 10-20-2009 at 18:19.
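To see what the posted filter actually catches before relying on it, the failregex can be replayed over sample kernel LOG lines with the same maxretry/findtime counting a jail performs. The script below is an added example, not code from the post above or from fail2ban itself; it assumes the `<HOST>` expansion shown in `HOST_RE` is close enough to fail2ban 0.8's, uses a constructed log (documentation-range addresses, year 2009 assumed for the syslog timestamps), and compares the regex as posted (which only accepts `LEN=28` after the prefix) with a corrected variant that accepts both packet sizes.

```python
"""Replay a fail2ban failregex over constructed iptables LOG lines.

Added example, not code from the original post or from fail2ban. It
re-implements only what is needed here: the <HOST> expansion, the syslog
timestamp, and the maxretry/findtime counting a jail performs.
"""
import re
from datetime import datetime

# Assumption: the expansion fail2ban 0.8 substitutes for the <HOST> tag.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex as posted: after the prefix it only accepts LEN=28.
FAILREGEX_AS_POSTED = (
    r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-zA-F0-9:]+ "
    r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=28"
)
# Corrected variant: hex-only MAC class and a LEN that agrees with the prefix.
FAILREGEX_FIXED = (
    r"IPTABLES-FLOOD LENGTH (28|48): IN=eth0 OUT= MAC=[a-fA-F0-9:]+ "
    r"SRC=<HOST> DST=([0-9]{1,3}\.?){4} LEN=(28|48)"
)

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def _log(ts, length, src, dpt):
    """Build one constructed kernel LOG line in the shape the filter expects."""
    return (f"{ts} srv kernel: IPTABLES-FLOOD LENGTH {length}: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN={length} TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP "
            f"SPT=41234 DPT={dpt} LEN={length - 20}")


# Constructed sample log, in chronological order as a live log would be.
SAMPLE_LOG = [
    _log("Oct 20 17:40:01", 28, "198.51.100.7", 27015),    # three 28-byte hits
    _log("Oct 20 17:40:02", 28, "198.51.100.7", 27015),    # within a minute:
    _log("Oct 20 17:40:03", 28, "198.51.100.7", 27015),    # banned by either regex
    _log("Oct 20 17:40:10", 28, "198.51.100.200", 27015),  # first of three hits
    _log("Oct 20 17:41:00", 48, "203.0.113.9", 27045),     # three 48-byte hits:
    _log("Oct 20 17:41:01", 48, "203.0.113.9", 27045),     # only the fixed regex
    _log("Oct 20 17:41:02", 48, "203.0.113.9", 27045),     # counts them
    _log("Oct 20 17:42:00", 28, "192.0.2.55", 27015),      # one hit: below maxretry
    _log("Oct 20 17:55:00", 28, "198.51.100.200", 27015),  # too late: the first hit
    _log("Oct 20 17:56:00", 28, "198.51.100.200", 27015),  # has left the findtime window
    "Oct 20 17:57:00 srv kernel: eth0: link is up",        # unrelated kernel line
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line, pattern, year=2009):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    m_ts = SYSLOG_TS.match(line)
    m = pattern.search(line)
    if not m_ts or not m:
        return None
    ts = datetime.strptime(f"{year} {m_ts.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def hosts_to_ban(lines, pattern, maxretry=3, findtime=600):
    """Ban a host once it has maxretry matches within findtime seconds."""
    recent = {}   # host -> timestamps still inside the findtime window
    banned = set()
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None:
            continue
        ts, host = parsed
        window = [t for t in recent.get(host, [])
                  if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for label, rx in (("as posted", FAILREGEX_AS_POSTED), ("fixed", FAILREGEX_FIXED)):
        print(f"{label:>9}: ban {sorted(hosts_to_ban(SAMPLE_LOG, compile_failregex(rx)))}")
```

Run as posted, the regex bans only 198.51.100.7: the 48-byte flood from 203.0.113.9 is logged with the right prefix but never matched, because the trailing `LEN=28` contradicts the `(28|48)` in the prefix. The 198.51.100.200 case shows the findtime side of the jail: three hits that are spread over more than 600 seconds never reach maxretry, so raising findtime is the knob to turn when a slow flood is not being banned.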