[Shadypastbrightfuture]

Hello Everyone,

Since past few days, my server is getting DDos attacks. The bandwidth of attacks is more than what my ISP can handle. I am creating some Firewall rules. if anyone can help me with it, i will really appreciate.

If you know some Firewall/Iptables rules, please let me know. If you know some Anti DDos tool which will work, please let me know.

I have a few questions if you can answer it.
1. What are the ports CS1.6 use except 27015(Game port) and 3306(MySQL) ?
2. What should be the recommended rate-limit for udp and tcp protocol ?
3. Does CS 1.6 use ICMP protocol? If yes, what is recommended rate limit? if
4. what could be the rate limit for tcp-syn ?


Below are some of the Iptables rules i have already tried but did not work.

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 6000:6100 -j ACCEPT

iptables -A INPUT -p udp --dport 27015 -j ACCEPT
iptables -A INPUT -m string --string "HLBrute" --algo kmp -j DROP
iptables -A INPUT -m string --string "HLXBrute" --algo kmp -j DROP
iptables -A INPUT -p udp --dport 27015 -m u32 --u32 "0x19&0xff=0xfe" -j DROP

OS : Debian 10

[redebr2818]

Follow the rules i've been using. Note that I use xtables with geoip to block connections from other countries. (https://imanudin.net/2020/06/28/how-...oip-on-ubuntu/)
I've noticed that my server was receiving valid HL packets from servers from around the world. I think that someone was able to use HL servers to attack another HL servers (Reflected DoS).
Hope it helps.

# Allow Gametracker inbound
-A INPUT -s 208.167.241.187/32 -p udp -j ACCEPT
-A INPUT -s 108.61.78.150/32 -p udp -j ACCEPT
-A INPUT -s 108.61.78.149/32 -p udp -j ACCEPT
-A INPUT -s 149.28.43.230/32 -p udp -j ACCEPT
-A INPUT -s 45.77.96.90/32 -p udp -j ACCEPT

# Accept only brazil IPs
-A INPUT -p udp -m geoip ! --source-country BR -j DROP

# Accept UDP DNS
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT

#Accept SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Block fragmented packets
-A INPUT -f -j DROP

# Accept UDP connections to 27015 with extra steps* This is important
-A INPUT -p udp -m udp --dport 27015 -m multiport --sports 1024:1899,1901:2061,2063088,3090:5352,5354: 7129,7131:27014,27016:65535 -m state --state NEW -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name UDPDOSPROTECT --hashlimit-htable-max 999999999 --hashlimit-htable-expire 60000 -m length --length 28:150 -m ttl --ttl-lt 200 -j ACCEPT
# Block no states packets (This is for TCP only)
-A INPUT -m state --state INVALID -j DROP
# Accept already established connections (also TCP only)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block anything else
-A INPUT -i eth0 -j DROP

[anderpp]

Quote:

Originally Posted by redebr2818 # Accept UDP DNS -A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT -A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT

I didn't understand this part.
The rule repeat and has an unknown term, DNSIP?

[redebr2818]

Quote:

Originally Posted by anderpp I didn't understand this part. The rule repeat and has an unknown term, DNSIP?

I have 2 recursive DNS Server IPs, that's why. I've noticed many reflected DoS using DNS servers. That's why I allow only my recursive servers.

[DJEarthQuake]

FAIL2BAN

[acobC1989]

Quote:

Originally Posted by DJEarthQuake FAIL2BAN

In 2021? I think it's a bad idea. Fail2Ban is a processor-intensive app given its limited usefulness. A better alternative to Fail2ban is HeatShield, a sister company of ServerPilot.