The test server was not expected to be attacked, so no preventive measures had been taken. I installed the csf firewall to handle a small number of DDoS and CC attacks, and it is quite useful. We have also used the TDS before; for details, refer to the Linux TDS firewall installation and configuration. The following is a record of how I discovered and dealt with the attack.
1. Apache connections were always full and system resources were being heavily consumed. The test server has no monitoring installed (nagios, cacti, munin); you can look those up yourself.
2. I checked the Apache logs and found a single IP address requesting a single PHP file more than 90 thousand times in two days. The Apache logs are rotated, so normally there cannot be that many requests, and this is only a test server. See the screenshot below.
Ddos Attack
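As an added example (not part of the original post), the following shell snippet does the same check the author did by hand: it counts requests per client IP and path in an Apache combined-format access log, flags the pairs above a threshold, and prints the matching csf -td command for review instead of running it. The log lines are constructed sample data; the path /attack.php and the addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post: find the IP/path pairs that
# dominate an Apache access log, then print a csf temp-deny command for each.
# The access log below is constructed sample data (RFC 5737 test addresses).
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [11/Mar/2013:04:10:01 +0800] "GET /attack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:10:01 +0800] "GET /attack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:10:02 +0800] "GET /attack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:10:02 +0800] "GET /attack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:10:03 +0800] "GET /attack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:10:03 +0800] "GET /attack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:04:11:00 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2013:04:12:00 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2013:04:12:05 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF

# top_hits LOGFILE THRESHOLD
# Prints "count ip path" for every ip/path pair with at least THRESHOLD hits,
# highest count first. $1 is the client IP and $7 the request path in the
# combined log format.
top_hits() {
    awk -v t="$2" '{ key = $1 " " $7; hits[key]++ }
        END { for (k in hits) if (hits[k] >= t) print hits[k], k }' "$1" | sort -rn
}

# csf_tempdeny_cmds LOGFILE THRESHOLD TTL
# For each offender found by top_hits, print the csf temporary-deny command
# (inbound, port 80, TTL in seconds). It is printed rather than executed so the
# operator can review the list before blocking anything.
csf_tempdeny_cmds() {
    top_hits "$1" "$2" | while read -r count ip path; do
        printf 'csf -td %s %s -p 80 -d in\n' "$ip" "$3"
    done
}

top_hits "$LOG" 5
csf_tempdeny_cmds "$LOG" 5 3600
```

On a real server point LOG at the Apache access log and raise the threshold to something well above normal per-client traffic.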
The following describes the installation and configuration process.
1. Download and install
wget http://www.configserver.com/free/csf.tgz
tar -zxvf csf.tgz
cd csf
sh install.sh
If a perl module error is reported, install it with:
yum install perl-libwww-perl
Test the csf:
[root@rudder csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
2. Configure the csf
The configuration file has a great many options; the basic ones are not covered here, as they are documented online. Here is how to configure csf to prevent a small number of DDoS and CC attacks.
1. Port flood protection
vim /etc/csf.conf // I made two changes. The first one is as follows:
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
Explanation (each entry is port;protocol;hits;seconds, entries separated by commas):
1) If there are more than five connections to tcp port 22 within 300 seconds, the IP address is blocked from accessing port 22 for at least 300 seconds after the last packet is seen; that is, there must be 300 seconds of "quiet" before the block is lifted.
2) If there are more than 20 connections to tcp port 80 within five seconds, the IP address is blocked from accessing port 80 for at least five seconds after the last packet is seen; that is, five seconds of quiet before the block is lifted.
It seems to me that csf is not just a wall: it also has something behind the wall (lfd) that provides dynamic defense. I think this is better.
2. Start the csf
[root@rudder ~]# /etc/init.d/csf start
A lot of information is printed at startup. Check whether there is any FATAL or WARNING output; if not, continue.
vim /etc/csf.conf // the second change is as follows:
TESTING = "0" // change TESTING from 1 to 0 (with TESTING = "1", lfd will not run and the rules are flushed on a cron timer)
Then restart the csf: [root@rudder ~]# csf -r. The restart command csf -r is the same as that of the Active Directory filter; there are many similarities between the two iptables-based firewalls.
3. Start lfd
[root@rudder ~]# /etc/init.d/lfd start
This daemon has a very important job: it watches the logs and records the defense process. Let's take a look at the effect.
Lfd log
After being temporarily blocked four times, the IP address is permanently denied. When I checked, the IP address had been automatically placed in csf.deny.
[root@rudder ~]# cat /etc/csf/csf.deny
###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#
194.28.70.132 # lfd: (PERMBLOCK) 194.28.70.132 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 04:19:14 2013
64.34.253.35 # lfd: (PERMBLOCK) 64.34.253.35 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 21:30:09 2013
Some parameter descriptions from the official website (csf -h):
-h, --help          Show this message
-l, --status        List/Show iptables configuration
-l6, --status6      List/Show ip6tables configuration
-s, --start         Start firewall rules
-f, --stop          Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart       Restart firewall rules
-q, --startq        Quick restart (csf restarted by lfd)
-sf, --startf       Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip        Allow an IP and add to /etc/csf.allow
-ar, --addrm ip     Remove an IP from /etc/csf.allow and delete rule
-d, --deny ip       Deny an IP and add to /etc/csf.deny
-dr, --denyrm ip    Unblock an IP and remove from /etc/csf.deny
-df, --denyf        Remove and unblock all entries in /etc/csf.deny
-g, --grep ip       Search the iptables rules for an IP match (incl. CIDR)
-t, --temp          Displays the current list of temp IP entries and their TTL
-tr, --temprm ip    Remove an IP from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP ban list. ttl is how long to block for (default: seconds, can use one suffix of h/m/d). Optional port. Optional direction of block can be one of: in, out or inout (default: in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                    Add an IP to the temp IP allow list (default: inout)
-tf, --tempf        Flush all IPs from the temp IP entries
-cp, --cping        PING all members in an lfd Cluster
-cd, --cdeny ip     Deny an IP in a Cluster and add to /etc/csf.deny
-ca, --callow ip    Allow an IP in a Cluster and add to /etc/csf.allow
-cr, --crm ip       Unblock an IP in a Cluster and remove from /etc/csf.deny
-cc, --cconfig [name] [value]
                    Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file] Send [file] in a Cluster to /etc/csf/
-crs, --crestart    Cluster restart csf and lfd
-m, --mail [addr]   Display Server Check in HTML or email to [addr] if present
-c, --check         Check for updates to csf but do not upgrade
-u, --update        Check for updates to csf and upgrade if available
-uf                 Force an update of csf
-x, --disable       Disable csf and lfd
-e, --enable        Enable csf and lfd if previously disabled
-v, --version       Show csf version
With these options you can control and inspect csf conveniently.
All csf configuration files live in /etc/csf/, including:
csf.conf - the main configuration file; its comments describe the purpose of each option.
csf.allow - the list of IP and CIDR addresses that the firewall always allows.
csf.deny - the list of IP and CIDR addresses that the firewall always denies.
csf.ignore - the list of IP and CIDR addresses that lfd should ignore and not block after detection.
csf.*ignore - various files listing users, IP addresses and other items that lfd should ignore. See each file for details.
If you modify any of the above files, restart csf for the change to take effect. If you add or deny IP addresses with the command-line options, csf applies them immediately.
Both csf.allow and csf.deny may carry a comment on each listed IP address. The comment must be on the same line as the IP address; otherwise the IP rotation of csf.deny will delete the comment. If you edit csf.allow or csf.deny directly, whether from the shell or the WHM UI, you must put a # between the IP address and the comment, like this:
11.22.33.44 # Because I don't like them
You can also add a comment when using csf -a or csf -d, but without the #, like this:
csf -d 11.22.33.44 Because I don't like them