Anti DDos Debian 10


Shadypastbrightfuture
Junior Member
Join Date: Sep 2020
Location: Sky
Old 01-10-2021 , 17:29   Anti DDos Debian 10

Hello Everyone,

For the past few days, my server has been getting DDoS attacks. The bandwidth of the attacks is more than what my ISP can handle. I am creating some firewall rules; if anyone can help me with them, I will really appreciate it.

If you know some firewall/iptables rules, please let me know. If you know some anti-DDoS tool that will work, please let me know.

I have a few questions, if you can answer them.
1. What ports does CS 1.6 use except 27015 (game port) and 3306 (MySQL)?
2. What should be the recommended rate limit for the UDP and TCP protocols?
3. Does CS 1.6 use the ICMP protocol? If yes, what is the recommended rate limit? if
4. What could be the rate limit for TCP SYN?


Below are some of the iptables rules I have already tried, but they did not work.

# accept packets belonging to connections this host already has
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# drop impossible TCP flag combinations (null and xmas packets)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# a new TCP connection must start with a SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 6000:6100 -j ACCEPT

# game port; note that the rules below it are only reached by traffic that did not match it
iptables -A INPUT -p udp --dport 27015 -j ACCEPT
# drop payloads carrying known query-flood tool signatures
iptables -A INPUT -m string --string "HLBrute" --algo kmp -j DROP
iptables -A INPUT -m string --string "HLXBrute" --algo kmp -j DROP
# drop UDP payloads whose first byte (offset 28, assuming a 20-byte IP header) is 0xfe, i.e. GoldSrc split packets
iptables -A INPUT -p udp --dport 27015 -m u32 --u32 "0x19&0xff=0xfe" -j DROP

OS : Debian 10
redebr2818
New Member
Join Date: Jan 2021
Old 01-10-2021 , 19:28   Re: Anti DDos Debian 10

Follow the rules I've been using. Note that I use xtables with geoip to block connections from other countries. (https://imanudin.net/2020/06/28/how-...oip-on-ubuntu/)
I've noticed that my server was receiving valid HL packets from servers around the world. I think that someone was able to use HL servers to attack other HL servers (reflected DoS).
Hope it helps.

# Allow Gametracker inbound
-A INPUT -s 208.167.241.187/32 -p udp -j ACCEPT
-A INPUT -s 108.61.78.150/32 -p udp -j ACCEPT
-A INPUT -s 108.61.78.149/32 -p udp -j ACCEPT
-A INPUT -s 149.28.43.230/32 -p udp -j ACCEPT
-A INPUT -s 45.77.96.90/32 -p udp -j ACCEPT

# Accept only brazil IPs
-A INPUT -p udp -m geoip ! --source-country BR -j DROP

# Accept UDP DNS
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT

#Accept SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Block fragmented packets
-A INPUT -f -j DROP

# Accept UDP connections to 27015 with extra steps* This is important
# (the "2063088" entry in --sports is garbled in the original post; it was presumably a port range)
-A INPUT -p udp -m udp --dport 27015 -m multiport --sports 1024:1899,1901:2061,2063088,3090:5352,5354:7129,7131:27014,27016:65535 -m state --state NEW -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 3 --hashlimit-mode srcip,dstport --hashlimit-name UDPDOSPROTECT --hashlimit-htable-max 999999999 --hashlimit-htable-expire 60000 -m length --length 28:150 -m ttl --ttl-lt 200 -j ACCEPT
# Block no states packets (This is for TCP only)
-A INPUT -m state --state INVALID -j DROP
# Accept already established connections (also TCP only)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Block anything else
-A INPUT -i eth0 -j DROP
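An added example (not from redebr2818's post) that models the per-source hashlimit in the UDP 27015 rule above: a token bucket that starts at --hashlimit-burst 3 and refills at --hashlimit-upto 1/sec, combined with the rule's source-port, length and TTL tests, replayed over a constructed packet list. Conntrack state is ignored (later packets of an accepted flow would match RELATED,ESTABLISHED in the real chain), and the addresses are documentation ranges.

```python
UPTO_PER_SEC = 1.0   # --hashlimit-upto 1/sec
BURST = 3            # --hashlimit-burst 3
# --sports ranges from the post (its garbled "2063088" entry is omitted)
ALLOWED_SPORTS = [(1024, 1899), (1901, 2061), (3090, 5352), (5354, 7129),
                  (7131, 27014), (27016, 65535)]
LENGTH = (28, 150)   # -m length --length 28:150
TTL_LT = 200         # -m ttl --ttl-lt 200


def sport_allowed(sport):
    return any(lo <= sport <= hi for lo, hi in ALLOWED_SPORTS)


class HashLimit:
    """Per-srcip token bucket: starts full at BURST, refills UPTO_PER_SEC/s."""
    def __init__(self):
        self.buckets = {}

    def allow(self, src, now):
        tokens, last = self.buckets.get(src, (float(BURST), now))
        tokens = min(float(BURST), tokens + (now - last) * UPTO_PER_SEC)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, now)
            return True
        self.buckets[src] = (tokens, now)
        return False


def apply_rule(packets):
    """packets: (time_s, src, sport, ip_len, ttl) in arrival order -> verdicts."""
    hl = HashLimit()
    verdicts = []
    for now, src, sport, ip_len, ttl in packets:
        ok = (sport_allowed(sport) and LENGTH[0] <= ip_len <= LENGTH[1]
              and ttl < TTL_LT and hl.allow(src, now))
        verdicts.append("ACCEPT" if ok else "DROP")
    return verdicts


# Constructed stream: A sends 5 queries in 0.4 s, B uses SSDP source port 1900,
# C sends a too-short packet, D one normal query, then A again after a pause.
SAMPLE = [
    (0.0, "198.51.100.7", 27005, 53, 58), (0.1, "198.51.100.7", 27005, 53, 58),
    (0.2, "198.51.100.7", 27005, 53, 58), (0.3, "198.51.100.7", 27005, 53, 58),
    (0.4, "198.51.100.7", 27005, 53, 58), (0.5, "203.0.113.9", 1900, 53, 58),
    (0.6, "203.0.113.10", 27005, 20, 58), (0.7, "192.0.2.4", 27005, 53, 58),
    (1.5, "198.51.100.7", 27005, 53, 58),
]
# apply_rule(SAMPLE) -> ACCEPT x3, DROP x4, ACCEPT, ACCEPT
```

Only the first three of A's burst pass; the fourth and fifth are dropped until the bucket has refilled, which is what the burst/upto pair buys you against a query flood from a single source.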
anderpp
Junior Member
Join Date: Feb 2018
Old 01-17-2021 , 15:17   Re: Anti DDos Debian 10

Quote:
Originally Posted by redebr2818 View Post
# Accept UDP DNS
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s DNSIP/32 -p udp -m udp --sport 53 -j ACCEPT
I didn't understand this part.
The rule repeats and has an unknown term, DNSIP?
redebr2818
New Member
Join Date: Jan 2021
Old 01-17-2021 , 17:47   Re: Anti DDos Debian 10

Quote:
Originally Posted by anderpp View Post
I didn't understand this part.
The rule repeats and has an unknown term, DNSIP?
I have 2 recursive DNS Server IPs, that's why. I've noticed many reflected DoS using DNS servers. That's why I allow only my recursive servers.
DJEarthQuake
Veteran Member
Join Date: Jan 2014
Location: Astral planes
Old 01-26-2021 , 16:56   Re: Anti DDos Debian 10

FAIL2BAN
__________________
"It's not the actual programming that's interesting. But it's what you can accomplish with the end results that are important." -Dennis Ritchie
"Mathematics, rightly viewed, possesses not only truth, but supreme beauty a beauty cold and austere, like that of sculpture..." -Bertrand Russell
acobC1989
Zero Posts
Join Date: Feb 2021
Location: USA
Old 02-12-2021 , 11:10   Re: Anti DDos Debian 10

Quote:
Originally Posted by DJEarthQuake View Post
FAIL2BAN
In 2021? I think it's a bad idea. Fail2Ban is a processor-intensive app given its limited usefulness. A better alternative to Fail2ban is HeatShield, a sister company of ServerPilot.
DJEarthQuake
Veteran Member
Join Date: Jan 2014
Location: Astral planes
Old 03-12-2021 , 15:27   Re: Anti DDos Debian 10

On a cheap VPS it is part of the cost of doing business. Be sure to maintain a good relationship with your provider. On a dedicated line my FAIL2BAN is never past 0.3 CPU on what I consider stone-age hardware and active ddos. Just a single core.

Their homepage mission statement:
Quote:
HeatShield allows you to easily manage all of your servers' firewalls without having to SSH into them again.
Being in root shell will always put admin 1 up on them. This discounts that and misleads innocents otherwise and wants money.

Quote:
Originally Posted by DJEarthQuake View Post
Bad idea. Upgrades overwrite jail.conf.


According to this article https://gamebanana.com/threads/128192
cstrike-planet.com disappeared 11 years ago. [counter-strike] has been default in fail2ban years before this thread was written.

I see IP rules threads to offloading module threads while we have had one all along with fail2ban preconfigured. The logpath is out of date and needs to point to /var/log/messages in most instances.

Code:
/etc/fail2ban/jail.conf
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
          %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
Quote:
Originally Posted by DJEarthQuake View Post
Fail2ban helps. Malformed packets can be tagged for later control.

server.cfg
Default hlds settings.
//max_queries_sec : 3
//max_queries_sec_global : 30
//max_queries_window : 60


More sensitive
max_queries_sec 2
max_queries_sec_global 15
max_queries_window 30

Easy test.
Refresh server a bunch of times one will see "...was blocked for exceeding rate limits"


/etc/fail2ban/filter.d/gearbox.conf
Code:
# Fail2Ban filter for ddos for GoldSrc
#
#

[Definition]

failregex = : Traffic from <HOST>:(\d{1,5}) was blocked for exceeding rate limits

ignoreregex =

[Init]

datepattern = %%m/%%d/%%Y - %%H:%%M:%%S

# Author: SPiNX March 2020

jail.local
Code:
[hlds-ddos]
enabled = true
maxretry = 50
findtime  = 100
bantime = 900
logpath = /var/log/messages
tcpport = 27005,27015,27016,27017,27018,27019,27020,27030
udpport = 27005,27015,27016,27017,27018,27019,27020,27030
action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

[gearbox]
enabled = true
maxretry = 2
bantime = 1800
findtime  = 10
logpath = /home/TUT/Steam/steamapps/common/Half-Life/cstrike/qconsole.log
		  /home/TUT/Steam/steamapps/common/Half-Life/dod/qconsole.log
		  /home/TUT/Steam/steamapps/common/Half-Life/gearbox/qconsole.log

banaction = %(banaction_allports)s
Be sure to pay attention to or rotate qconsole.log; it gets big fast.
https://developer.valvesoftware.com/...d_Line_Options
-condebug - Stores console output to "Half-Life\qconsole.log".

fail2ban-client status
Code:
Status
|- Number of jail:	6
`- Jail list:	gearbox, hlds-ddos, nginx-botsearch, nginx-http-auth, nginx-limit-req, sshd
Nobody even bothers anymore. Earlier this year it was very active banning bad guys.

fail2ban-client status hlds-ddos
Code:
Status for the jail: hlds-ddos
|- Filter
|  |- Currently failed:	3
|  |- Total failed:	18841
|  `- File list:	/var/log/messages
`- Actions
   |- Currently banned:	0
   |- Total banned:	0
   `- Banned IP list:


|- Currently banned: 95
|- Total banned: 1431
Last edited by DJEarthQuake; 03-13-2021 at 10:17. Reason: Forgot about cheap VPS! Just lease 4 cores!!
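An added example, not part of DJEarthQuake's post, that replays the [gearbox] jail above in Python: it applies the filter's failregex (with fail2ban's <HOST> tag expanded to an IPv4 group) and its datepattern to constructed qconsole.log lines, then bans a host once it has maxretry matches inside findtime, which is a quick way to check a filter and jail before handing them to fail2ban. The log lines and addresses are constructed (documentation ranges).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The post's failregex with fail2ban's <HOST> tag expanded to an IPv4 group.
FAILREGEX = re.compile(
    r": Traffic from (?P<host>\d{1,3}(?:\.\d{1,3}){3}):\d{1,5} "
    r"was blocked for exceeding rate limits")
# datepattern %m/%d/%Y - %H:%M:%S (the %% in the .conf is configparser escaping)
DATE_RE = re.compile(r"(\d{2}/\d{2}/\d{4} - \d{2}:\d{2}:\d{2})")
DATEFMT = "%m/%d/%Y - %H:%M:%S"

# [gearbox] jail parameters from the post
MAXRETRY = 2
FINDTIME = timedelta(seconds=10)

# Constructed qconsole.log excerpt (documentation-range addresses, not real data)
SAMPLE_LOG = """\
L 03/12/2021 - 15:00:01: Log file started (file "qconsole.log")
L 03/12/2021 - 15:00:02: Traffic from 198.51.100.7:27005 was blocked for exceeding rate limits
L 03/12/2021 - 15:00:04: Traffic from 198.51.100.7:27005 was blocked for exceeding rate limits
L 03/12/2021 - 15:00:06: Traffic from 203.0.113.9:27005 was blocked for exceeding rate limits
L 03/12/2021 - 15:00:30: Traffic from 203.0.113.9:27005 was blocked for exceeding rate limits
"""


def parse_line(line):
    """Return (timestamp, host) if the line matches the filter, else None."""
    m = FAILREGEX.search(line)
    d = DATE_RE.search(line)
    if not m or not d:
        return None
    return datetime.strptime(d.group(1), DATEFMT), m.group("host")


def evaluate(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay fail2ban's counting: a host is banned once it has maxretry
    matches within a findtime window. Returns {host: time of ban}."""
    recent = defaultdict(list)
    bans = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ts, host = hit
        if host in bans:
            continue
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry:
            bans[host] = ts
    return bans


if __name__ == "__main__":
    for host, when in evaluate(SAMPLE_LOG).items():
        print(f"ban {host} at {when}")
```

The second host's two hits are 24 seconds apart, outside the 10-second findtime, so only the first host is banned; raising maxretry to 3 bans nobody on this sample.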