Basic DoS Protection
To cut a long story short, I've been doing recon on pools running MPOS using various methods. Anyway, the general consensus is that most of you have never heard of a firewall.
So just paste the code block at the bottom into your terminal. I'll give you a really brief explanation of what the rules do, and of what they don't: a rule that ACCEPTs traffic up to a limit does nothing about the excess on its own, that is left to the rules after it and to the chain policy.
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
- We are appending (-A) a rule to the INPUT chain.
- -p tcp --dport 80 = we are looking for TCP traffic to port 80.
- -m state --state NEW = we only apply this to packets that open a new connection (the SYNs), not to traffic on connections already accepted.
- -m limit --limit 50/minute --limit-burst 200 = a bucket of 200 tokens; every new connection spends one and the bucket refills at 50 per minute. So the first 200 connections get through at once, after that only 50 a minute do (in essence, you speed up for no reason, we slow you down).
- -j ACCEPT = packets that still get a token are accepted and sent to their destination without further questioning. Packets that don't are NOT dropped by this rule; they fall through to the rest of the chain, so you need a DROP policy (or an explicit DROP for port 80 NEW after this rule) for the limit to bite.
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
- Again we are appending a rule to INPUT.
- -m state --state RELATED,ESTABLISHED = this applies to connections that have already been accepted and to traffic related to them (ICMP errors for them, for instance).
- -m limit --limit 50/second --limit-burst 50 = at most 50 packets a second. Be aware that this counter is shared by every established connection on the box, it is not per visitor: on a busy pool 50 packets a second in total is very little, and whatever exceeds it falls through to the later rules or the chain policy.
- Again we jump to ACCEPT those packets.
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
There's a lot going on here, so to sum up: none of these flag combinations is ever produced by a compliant TCP stack, and each line drops one of them: no flags at all (the NULL scan), SYN+FIN, SYN+RST, FIN+RST, a FIN without an ACK, and URG without an ACK. That is what scanners and cheap flood tools send. No self-respecting firewall should be lacking these rules by default (yet they all are). This should protect you from lame flood attacks, at least the ones not launched by "professionals". Note the -i eth0: change it if your public interface has a different name.
sudo iptables -N PORT_SCANNING
sudo iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
sudo iptables -A PORT_SCANNING -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING
We create a new chain (-N) for port-scanning attempts and send bare RST packets from INPUT into it. Up to one RST a second (plus the default burst of 5) RETURNs to INPUT and is processed normally; anything faster than that is DROPped on its head. The chain has to exist before you append to it, and INPUT has to jump to it, otherwise the two rules never see a packet. You may also want to LOG these before dropping them, but we won't do that here because of the disk quota considerations you'd need to make.
sudo iptables -A INPUT -i eth0 -s YOURSERVERIP/32 -j DROP
This one isn't a copy and paste: replace YOURSERVERIP with your server's public address. It drops packets arriving on the public interface that claim to come from you, i.e. spoofed source addresses. The -i eth0 matters: without it, local processes that connect to your own public IP (which arrive over lo with your IP as source) would be dropped as well. The rules above should already catch most of this, but it's better to be safe than DoS'd.
sudo iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
A really cheap way to hurt a server is to hit it with packets carrying odd flag combinations. --tcp-flags ALL FIN,PSH,URG examines every flag and matches only when exactly FIN, PSH and URG are set and all the others are clear. That is the "Xmas" pattern scanners send and no real connection ever produces, so we drop it.
First, go read about what ICMP is, then scratch your head about its legitimate existence. Anyway, this rule limits ICMP to 2 packets a second with a burst of 2, which is still plenty for ping; you don't want your server spammed with these:
sudo iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
OR, if you're not using it, drop it. I'll let you decide which one is right. You also have the option of specifying which ICMP types to drop (-p icmp --icmp-type ...), but you can read about that somewhere. Be aware that dropping all ICMP also drops "fragmentation needed" messages, which breaks path-MTU discovery for some clients.
sudo iptables -A INPUT -p icmp -j DROP
OK, so you managed to get around the malformed packet filter. Good for you.
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
If you're having real problems with SYN floods, you can use this to SEVERELY limit new connections to the web port: 2 a second. Keep the --dport 80; without it the limit also covers your stratum port, which you must never rate-limit (see below). If you already added the 50/minute rule at the top you need to delete it first, otherwise it sits earlier in the chain, accepts everything within its own limit, and this rule never gets a look:
sudo iptables -D INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
DNS: let queries and answers through, then drop every other UDP packet:
sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -j DROP
sudo iptables -A OUTPUT -p udp -j DROP
Two things to know before pasting: the INPUT --sport 53 line accepts any UDP packet that claims to come from port 53, which anyone can set, so letting replies in with -m state --state ESTABLISHED (conntrack tracks your resolver's queries) is the safer way; the INPUT --dport 53 line is only needed if you actually run a DNS server. And the two trailing drops kill all other UDP, NTP included, so add what you use above them.
- You might consider installing the APF firewall.
- You might consider installing (D)DoS Deflate.
- You probably (you do) want to drop everything you're not using. (research)
- This is NOT the end of your iptables adventure; this is just to wake you up to the idea.
Please note, there are rules missing that require actual reading.
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
sudo iptables -N PORT_SCANNING
sudo iptables -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
sudo iptables -A PORT_SCANNING -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING
DO NOT TRY TO LIMIT YOUR STRATUM PORT: you will CRASH your firewall.
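The whole set above assembled into one ordered script, as an added example that is not the wiki's own code. It assumes a public interface of eth0, HTTP on 80, SSH on 22 and stratum on 3333 (none of these come from the page; all are overridable through the variables at the top), creates and wires up the PORT_SCANNING chain, drops the excess over the HTTP limit explicitly, leaves stratum unlimited as the warning above demands, and sets the DROP policy last so an existing SSH session survives. By default it only prints the commands it would run; APPLY=1 installs them.

```shell
#!/usr/bin/env bash
# Added example (not part of the MPOS wiki): the page's rules assembled into one
# ordered script. Assumed, not from the page: public interface eth0, HTTP on 80,
# SSH on 22, stratum on 3333, and an optional SERVER_IP for the anti-spoof rule.
# Default is a dry run that prints the iptables commands; APPLY=1 installs them.
set -eu

IFACE="${IFACE:-eth0}"
HTTP_PORT="${HTTP_PORT:-80}"
SSH_PORT="${SSH_PORT:-22}"           # assumed; keep this or you lock yourself out
STRATUM_PORT="${STRATUM_PORT:-3333}" # assumed; set to your pool's stratum port
SERVER_IP="${SERVER_IP:-}"           # assumed; your public address, for the anti-spoof rule
APPLY="${APPLY:-0}"

ipt() {
  if [ "$APPLY" = "1" ]; then
    iptables "$@"
  else
    printf 'iptables %s\n' "$*"
  fi
}

apply_rules() {
  # Start from a clean INPUT chain. The custom chain can only be deleted once
  # nothing references it, and on the first run there is no chain to delete.
  ipt -F INPUT
  ipt -F PORT_SCANNING 2>/dev/null || true
  ipt -X PORT_SCANNING 2>/dev/null || true
  ipt -A INPUT -i lo -j ACCEPT

  # 1. Anti-spoof: our own address arriving on the public interface. Limiting it
  #    to $IFACE keeps local clients that talk to our public IP over lo working.
  if [ -n "$SERVER_IP" ]; then
    ipt -A INPUT -i "$IFACE" -s "$SERVER_IP" -j DROP
  fi

  # 2. Flag combinations no compliant stack sends, dropped before anything is accepted.
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
  ipt -A INPUT -i "$IFACE" -p tcp -m tcp --tcp-flags ALL FIN,PSH,URG -j DROP   # Xmas scan

  # 3. Port-scan chain: it must exist before rules are appended to it, and INPUT
  #    must jump to it, otherwise it never sees a packet.
  ipt -N PORT_SCANNING
  ipt -A PORT_SCANNING -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
  ipt -A PORT_SCANNING -j DROP
  ipt -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j PORT_SCANNING

  # 4. Already-accepted connections, with no global packet cap: a 50 packets/second
  #    limit here would be shared by every client on the box, not applied per client.
  #    Conntrack also lets UDP replies (DNS, NTP) back in, so no --sport 53 hole is needed.
  ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # 5. SSH and stratum: new connections accepted outright. Stratum is never
  #    rate-limited, as the page warns.
  ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
  ipt -A INPUT -p tcp --dport "$STRATUM_PORT" -m state --state NEW -j ACCEPT

  # 6. HTTP: 200 new connections up front, then 50 a minute. The excess is dropped
  #    explicitly so the result does not depend on the chain policy.
  ipt -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
  ipt -A INPUT -p tcp --dport "$HTTP_PORT" -m state --state NEW -j DROP

  # 7. ICMP at 2 a second with a burst of 2.
  ipt -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT

  # 8. Policy last: everything not matched above is dropped, and because the SSH
  #    and ESTABLISHED rules are already in place an existing session survives.
  ipt -P INPUT DROP
}

apply_rules
```

Review the printed commands first, then install them with `sudo env APPLY=1 ./dos_rules.sh` from a console or a session you can afford to lose; iptables rules do not survive a reboot unless you save them with your distribution's iptables-save mechanism.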
We haven't bothered with OUTPUT chains because you shouldn't be running programs you don't trust, and with that said, if you think you're infected, best practice is to restore from a backup or start again and get it right.
Want a server set up? You can contact me at @[email protected]@ (remove the leading and ending @). There are plenty more rules even a basic server should have.
I also do custom setups for servers that want to hide behind Cloudflare effectively.
You can check how effective your rules are by running the following command:
sudo iptables --list --verbose
You want to look at the pkts and bytes columns: they show how much traffic each rule has matched so far (add --numeric to skip reverse DNS lookups and --exact to see full counts instead of abbreviations like 2900K).
Example (from time of posting), for the first malformed-flags rule (tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE):
pkts   bytes  target
18307  2900K  DROP
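A slightly longer version of that check, as an added example that is not from the wiki: it parses an `iptables -L INPUT -v` listing and reports only the DROP rules that have actually matched something, largest first, plus the chain policy counter, which is where packets that matched no rule at all are counted. The listing embedded below is constructed for the example (its first DROP line mirrors the counts shown above); in use you pipe the real output in.

```shell
#!/usr/bin/env bash
# Added example, not from the MPOS wiki: read the counters that
# `iptables -L INPUT -v` prints and report which DROP rules are actually firing.
# The listing below is constructed for the example, not captured from a server;
# in use, pipe the real thing in:  sudo iptables -L INPUT -v | hot_drop_rules
set -eu

# Constructed sample of `iptables -L INPUT -v` output. The first DROP line mirrors
# the counts the page shows for its malformed-flags rule.
SAMPLE_LISTING='Chain INPUT (policy DROP 112 packets, 6720 bytes)
 pkts bytes target     prot opt in     out     source               destination
18307 2900K DROP       tcp  --  eth0   any     anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0     0 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
   42  2520 DROP       tcp  --  eth0   any     anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
 9901  594K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http state NEW limit: avg 50/min burst 200
 8112 1203K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED'

# iptables -v abbreviates large counters (2900K, 12M, ...); expand them so they
# sort numerically. Pass -x (--exact) to iptables if you want the real figures.
hot_drop_rules() {
  awk '
    function num(s, n) {
      n = s + 0
      if (s ~ /K$/) n *= 1000; else if (s ~ /M$/) n *= 1000000; else if (s ~ /G$/) n *= 1000000000
      return n
    }
    # -v columns: pkts bytes target prot opt in out source destination [match ...]
    $3 == "DROP" && num($1) > 0 {
      desc = ""
      for (i = 10; i <= NF; i++) desc = desc (i > 10 ? " " : "") $i
      printf "%d %s %s\n", num($1), $2, (desc == "" ? "(any)" : desc)
    }' | sort -rn
}

# Packets that matched no rule are counted on the chain policy itself. With a
# policy of ACCEPT this is the traffic your rules are letting straight through.
# Prints: <chain> <policy> <packets>
chain_policy() {
  awk '$1 == "Chain" { print $2, $4, $5 }'
}

printf '%s\n' "$SAMPLE_LISTING" | hot_drop_rules
printf '%s\n' "$SAMPLE_LISTING" | chain_policy
```

A rule that shows zero hits after a day of traffic is not necessarily useless, but one that shows thousands tells you which flood you are actually seeing and whether a LOG rule in front of it would be worth the disk space.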
If I helped you mitigate a DoS attack, send me a prize: fad0d5602884e23fd9a044ab1870fdb6dc2c5ac4 (Cryptsy Trade Key)