Firewalls and DDoS

#1
So the other night we got hit with a DDoS attack. I kept banning IPs until it finally stopped.

I've been reading around and found some ideas.
I have the VPS firewall and APF.
I read in a few places that I should have both active, that I should set the firewall to allow/accept and delete all rules, then restart APF. This seems to work as far as I can tell, but I still have an issue with my SSH.
Now they also said I should install Portsentry to help prevent the attack. But others say it does nothing.

So here are my questions.
What should I set my VPS firewall to?
Any certain tweaks for APF?
Should I install Portsentry to help with DDoS?
Why do I have to keep enabling SSH when I want to use it? Even if I add the rule, a few days later I have to remove and re-add it.
 

KH-Paul

CTO
Staff member
#2
Hi,

Neither APF nor firewall management in VZPP will help to fight low-traffic DoS attacks directed against, for example, your Apache web server. If these attacks were against your web site, then you may want to check out mod_evasive / mod_dosevasive or layer0's (D)DoS Deflate project at http://blog.medialayer.com/projects-ddos-deflate/

It doesn't make much sense to enable firewall management in VZPP if you use APF - APF will reset all rules according to its own configuration. Your best bet is to disable the firewall in VZPP by switching it to advanced mode with the default policy set to "accept".

Regards,
Paul
 
#3
It wasn't my actual site, but a buddy's site that I host. We know it was a DDoS on his site because the person who was doing the attack told us he was, just before it happened.

I did see a few mentions of mod_evasive.
I'm assuming so, since the site would be maxed on system resources; when I looked in the VZPP services there would be a whole bunch of etc/.... httpd -dss listings. I would check all those and kill the process and it would go to green from black. Then I was able to log into SSH and start banning IPs.
I'm assuming, since this is what I was seeing, that they were attacking Apache?

I will then reset the VZPP firewall and switch to the allow mode.
I'll do some reading on the suggestions and install.

Thanks for your help Paul
 
#4
If you found a decent way to combat these attacks I'd be interested in knowing. I am being hit very hard with them at present and it's a pain having to tackle them 24/7.
 
#6
I put (D)DoS Deflate on last night and it missed quite a few; however, I've lowered its check from 150 connections to 20, which is where I think it was going wrong.

I've just looked in my crontab though and don't see a reference to it. Are you able to confirm if you have one in your crontab or if it has its own somehow? I'm not sure if I need to add it or not.

Thanks
 
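The check that (D)DoS Deflate runs from cron is a per-source-IP connection count against a threshold, which is why the 150-vs-20 setting above matters so much. As an added example (not code from the thread or from the (D)DoS Deflate project), here is that count as a stand-alone POSIX sh function so a threshold can be tried against captured netstat output instead of on a live box; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example: the per-source-IP connection count that a (D)DoS Deflate-style
# cron check performs, isolated so a threshold can be tested offline.
# Input: netstat-style lines on stdin (in production: netstat -ntu | flag_ips N).
# Output: one "count ip" line for every source with MORE than N connections.

# flag_ips THRESHOLD  < netstat_output
flag_ips() {
    threshold="$1"
    # Column 5 of `netstat -ntu` is the foreign address "addr:port".
    # Strip only the trailing ":port" so IPv6 addresses (which contain
    # colons) are counted correctly too, then tally per address.
    awk -v limit="$threshold" '
        /^(tcp|udp)/ {
            addr = $5
            sub(/:[0-9]+$/, "", addr)
            n[addr]++
        }
        END {
            for (ip in n)
                if (n[ip] > limit)
                    print n[ip], ip
        }' | sort -rn
}

# Constructed sample: 25 half-open connections from one source (a pattern the
# thread describes, httpd workers piling up) and 3 normal ones from another.
sample_netstat() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo "tcp        0      0 10.0.0.5:80   198.51.100.7:$((40000 + i))  SYN_RECV"
        i=$((i + 1))
    done
    echo "tcp        0      0 10.0.0.5:80   203.0.113.9:51000  ESTABLISHED"
    echo "tcp        0      0 10.0.0.5:80   203.0.113.9:51001  ESTABLISHED"
    echo "tcp        0      0 10.0.0.5:22   203.0.113.9:51002  ESTABLISHED"
}

# With the default of 150 nothing is flagged; at 20 the 25-connection source is.
echo "threshold 150:"; sample_netstat | flag_ips 150
echo "threshold 20:";  sample_netstat | flag_ips 20
```

Run the same function against a saved `netstat -ntu` dump from the night of the attack to see which threshold would actually have caught the offending sources without also flagging legitimate busy clients.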
#7
I'm kinda new to all of this,

But here's what's in my cron

Code:
upcp
cpbackup
dnsqueue > /dev/null 2>&1
bandmin
ipaddrmap
cpaddons_report.pl --notify
exim_tidydb > /dev/null 2>&1
/dcpumon >/dev/null 2>&1
 