Firewalls and DDoS

Discussion in 'Linux VPS/Dedicated - General' started by computervitals, Apr 2, 2007.

  1. computervitals

    computervitals New Member

    So the other night we got hit with a DDoS attack. I kept banning IPs until it finally stopped.

    I've been reading around and found some ideas.
    I have the VPS firewall and APF.
    I read in a few places I should have both active. That I should set the firewall to allow accept and delete all rules. Then restart APF. This seems to work as far as I know it, but I still have an issue with my SSH.
    Now they also said I should install Portsentry to help prevent the attack. But others say it does nothing.

    So here's my questions.
    What should I set my VPS firewall to?
    Any certain tweaks for APF?
    Should I install Portsentry to help with DDoS?
    Why do I have to keep enabling SSH when I want to use it? Even if I add the rule, a few days later I have to remove and re-add it.
     
  2. KH-Paul

    KH-Paul CTO Staff Member

    Hi,

    Neither APF nor firewall management in VZPP will help to fight low-traffic DoS attacks directed against, for example, your Apache web server. If these attacks were against your web site, then you may want to check out mod_evasive / mod_dosevasive or layer0's (D)DoS Deflate project at http://blog.medialayer.com/projects-ddos-deflate/

    It doesn't make much sense to enable firewall management in VZPP if you use APF - APF will reset all rules according to its own configuration. Your best bet is to disable the firewall in VZPP by switching it to advanced mode with default policy set to "accept".

    Regards,
    Paul
     
  3. computervitals

    computervitals New Member

    It wasn't my actual site, but a buddy's site that I host. We know it was a DDoS on his site because the person who was doing the attack told us he was, just before it happened.

    I did see mod_evasive mentioned a few times.
    I'm assuming since the site would be maxed on system resources; when I looked in the VZPP services there would be a whole bunch of etc/.... httpd -dss listings. I would check all those and kill the process and it would go to green from black. Then I was able to log into SSH and start banning IPs.
    I'm assuming, since this is what I was seeing, that they were attacking Apache?

    I will then reset the VZPP firewall then switch to the allow mode.
    I'll do some reading on the suggestions and install.

    Thanks for your help, Paul
     
  4. lalaland

    lalaland New Member

    If you found a decent way to combat these attacks I'd be interested in knowing. I am being hit very hard with them at present and it's a pain having to tackle them 24/7.
     
  5. computervitals

    computervitals New Member

    I did the:
    layer0's (D)DoS Deflate project at http://blog.medialayer.com/projects-ddos-deflate/

    And reset the firewall, then shut down APF and restarted it. So far it's helped a great deal. When an attack happens, I can get into SSH and start banning.

    From what I read, there is no way to "prevent" the attack, only things to help reduce it.
     
  6. lalaland

    lalaland New Member

    I put (D)DoS Deflate on last night and it missed quite a few; however, I've lowered its check from 150 connections to 20, which is where I think it was going wrong.

    I've just looked in my crontab though and don't see a reference to it. Are you able to confirm if you have one in your crontab, or if it has its own somehow? I'm not sure if I need to add it or not.

    Thanks
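The check that (D)DoS Deflate runs from cron, as an added example and not the project's own script: count connections per remote IP from `netstat -ntu` output and flag every IP at or above a threshold (the setting lalaland lowered from 150 to 20). The netstat sample is constructed, and this version only reports offenders instead of calling APF or iptables.

```shell
#!/bin/sh
# Added example, not (D)DoS Deflate's own script: the per-IP connection count
# that it runs from cron, with a threshold like its NO_OF_CONNECTIONS setting
# (the post above lowered it from 150 to 20). This version only reports the
# offending IPs; the real tool then bans them via APF or iptables.

# Constructed sample in the shape of `netstat -ntu` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40002      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:33001       TIME_WAIT
udp        0      0 10.0.0.5:53             203.0.113.9:5353        ESTABLISHED'

# count_connections: read netstat output on stdin and print "count ip" per
# remote IP, most connections first (ties broken by IP). The two header
# lines are skipped and the :port suffix of the foreign address is dropped.
count_connections() {
    awk 'NR > 2 && NF >= 5 { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -k1,1nr -k2,2 \
        | awk '{ print $1, $2 }'
}

# offending_ips THRESHOLD [WHITELIST]: print each remote IP whose connection
# count is at least THRESHOLD, skipping space-separated IPs in WHITELIST
# (the equivalent of DDoS Deflate's ignore list, so a known proxy is not banned).
offending_ips() {
    threshold="$1"
    whitelist="${2:-}"
    count_connections | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $whitelist " in *" $ip "*) continue ;; esac
        echo "$ip"
    done
}

# Stand-alone run: threshold 3 flags only 192.0.2.10 in the sample above.
printf '%s\n' "$SAMPLE_NETSTAT" | offending_ips 3
```

Run it against live output with `netstat -ntu | offending_ips 20 "$TRUSTED_IPS"`; a threshold that low will also catch a busy NAT gateway or proxy, which is what the whitelist is for.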
     
  7. computervitals

    computervitals New Member

    I'm kinda new to all of this,

    But here's what's in my cron

    Code:
    upcp
    cpbackup
    dnsqueue > /dev/null 2>&1
    bandmin
    ipaddrmap
    cpaddons_report.pl --notify
    exim_tidydb > /dev/null 2>&1
    /dcpumon >/dev/null 2>&1
    
     
