The Linux csf firewall is effective in preventing a small number of DDoS/CC attacks.

Source: Internet
Author: User
Tags: install, perl, ip, ban
The test server was not expected to be attacked, so no preventive measures had been taken. The csf firewall was installed to cope with a small number of DDoS and CC attacks.

As mentioned in the previous post, when the number of httpd requests is too large, the Apache connection limit becomes insufficient, so the limit was raised. Under a DDoS or CC attack the final result is that system resources are exhausted and the server crashes.

The test server was not expected to be attacked, so no preventive measures were taken. I installed the csf firewall, which is quite useful against a small number of DDoS and CC attacks and which I have used before; see the earlier post on installing and configuring the Linux apf firewall. The following is a record of how I discovered and dealt with the attack.

1. No matter how the Apache connection limit was adjusted, the connections were always full and system resources were heavily consumed. Monitoring (nagios, cacti, munin) is not installed on the test server; you can look those up yourself.

2. I checked the Apache logs and found one IP address requesting one PHP script more than 90 thousand times in two days. The Apache logs are rotated, so normally there cannot be that many requests, and this is only a test server. See the log below.

Figure: DDoS attack (Apache access log)
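To repeat the log check from step 2 on a real access log, here is an added Python example (not code from the original post): it parses Apache combined-format lines and reports the IP/path pairs whose request count reaches a threshold, which is how a single IP hammering one PHP script stands out. The log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the original post);
# the addresses are documentation ranges and the paths are made up.
SAMPLE_LOG = """\
203.0.113.9 - - [11/Mar/2013:04:10:01 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2013:04:10:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Mar/2013:04:10:02 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Mar/2013:04:10:03 +0800] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Mar/2013:04:10:05 +0800] "GET /about.html HTTP/1.1" 200 812 "-" "curl/7.29"
203.0.113.9 - - [11/Mar/2013:04:10:05 +0800] "GET /index.php?x=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
this line is truncated garbage and must be skipped
"""

# Client IP, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, path, method, status), or None for a line that is not a valid entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string so /x.php?a=1 and /x.php?a=2 count as the same script.
    path = m.group("target").split("?", 1)[0]
    return m.group("ip"), path, m.group("method"), int(m.group("status"))

def count_ip_path(lines):
    """Count requests per (client IP, path) pair, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[(parsed[0], parsed[1])] += 1
    return counts

def suspicious(lines, threshold):
    """(ip, path, count) for pairs that reach the threshold, busiest first.
    On a real log, one IP hitting one PHP script tens of thousands of times
    over two days is exactly the pattern described above."""
    counts = count_ip_path(lines)
    return [(ip, path, n) for (ip, path), n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, path, n in suspicious(SAMPLE_LOG.splitlines(), 3):
        print(f"{ip} requested {path} {n} times")
```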

The following describes the installation and configuration process.

1. Download and install

    wget http://www.configserver.com/free/csf.tgz
    tar -zxvf csf.tgz
    cd csf
    sh install.sh

If a Perl module error is reported, install the missing modules:

    yum install perl-libwww-perl perl

Test whether csf can run on this server:

    [root@rudder csf]# perl /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    RESULT: csf should function on this server

2. Configure csf

There are many items in the configuration file; the basic ones are not covered here, since they are documented online. The following shows how to configure csf to prevent a small number of DDoS and CC attacks.

1. Port flood protection

    vim /etc/csf/csf.conf    # I made two changes. The first one is as follows:
    PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"

Explanation (each rule has the form port;protocol;connections;seconds, and rules are separated by commas):

1) If there are more than 5 connections to tcp port 22 within 300 seconds, the IP address is blocked from accessing port 22 for at least 300 seconds after its last packet is seen; that is, it needs 300 seconds of "quiet" before the block is lifted.

2) If there are more than 20 connections to tcp port 80 within 5 seconds, the IP address is blocked from accessing port 80 for at least 5 seconds after its last packet is seen; that is, it needs 5 seconds of quiet before the block is lifted.
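The PORTFLOOD format and the two-rule explanation above, as an added Python example (not code from the original post or from csf): a parser that rejects a rule with the wrong number of fields, and a simplified sliding-window model of one rule. The model is an assumption about the behaviour described above, not a reproduction of csf's iptables rules.

```python
from collections import deque

def parse_portflood(value):
    """Parse a csf PORTFLOOD string "port;proto;hits;seconds,..." into rule dicts.
    Raises ValueError for a malformed rule, such as one with the wrong field count."""
    rules = []
    for rule in value.split(","):
        fields = [f.strip() for f in rule.split(";")]
        if len(fields) != 4:
            raise ValueError(f"rule {rule!r}: expected port;proto;hits;seconds, got {len(fields)} fields")
        port, proto, hits, seconds = fields
        if proto not in ("tcp", "udp"):
            raise ValueError(f"rule {rule!r}: protocol must be tcp or udp")
        rules.append({"port": int(port), "proto": proto, "hits": int(hits), "seconds": int(seconds)})
    return rules

def describe(rule):
    """Render a rule the way the explanation above reads."""
    return (f"more than {rule['hits']} {rule['proto']} connections to port {rule['port']} within "
            f"{rule['seconds']}s: blocked until {rule['seconds']}s have passed since the last packet")

def simulate(rule, times):
    """Simplified sliding-window model of one rule for a single source (an assumption about
    the behaviour described above, not csf's iptables rules): the connection at time t is
    dropped when `hits` packets were already seen in the trailing `seconds` window. Dropped
    packets are recorded too, so a source that keeps hammering stays blocked and is only let
    back in once the window has drained. Returns True (accepted) or False (dropped) per time."""
    hits, seconds = rule["hits"], rule["seconds"]
    seen, result = deque(), []
    for t in times:
        while seen and t - seen[0] > seconds:
            seen.popleft()
        result.append(len(seen) < hits)
        seen.append(t)
    return result

if __name__ == "__main__":
    rules = parse_portflood('22;tcp;5;300,80;tcp;20;5')
    for r in rules:
        print(describe(r))
    # six attempts on port 22 within a minute, then a long pause: the sixth is dropped
    print(simulate(rules[0], [0, 10, 20, 30, 40, 50, 60, 340, 400]))
```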

As I see it, csf is not only a wall; there is also a net behind it (lfd) that provides dynamic defense, which I think is the better approach.

2. Start csf

    [root@rudder ~]# /etc/init.d/csf start

A lot of information is printed at startup. Check whether any fatal error or warning appears; if not, make the second change:

    vim /etc/csf/csf.conf    # the second change is as follows:
    TESTING = "0"            # change TESTING from 1 to 0

Restart csf:

    [root@rudder ~]# csf -r

The restart command is the same as that of the apf firewall; the two iptables-based firewalls have many similarities.

3. Start lfd

    [root@rudder ~]# /etc/init.d/lfd start

This daemon has a very important function: it records the defense process. Let's look at the effect.

Figure: lfd log

After an IP has been temporarily blocked four times, it is blocked permanently. I checked, and the IP address had been automatically added to csf.deny.

    [root@rudder ~]# cat /etc/csf/csf.deny
    ###############################################################################
    # Copyright 2006-2013, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # The following IP addresses will be blocked in iptables
    # One IP address per line
    # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
    # Only list IP addresses, not domain names (they will be ignored)
    #
    # Note: If you add the text "do not delete" to the comments of an entry then
    # DENY_IP_LIMIT will ignore those entries and not remove them
    #
    # Advanced port+ip filtering allowed with the following format
    # tcp/udp|in/out|s/d=port|s/d=ip
    #
    # See readme.txt for more information regarding advanced port filtering
    #
    194.28.70.132 # lfd: (PERMBLOCK) 194.28.70.132 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 04:19:14 2013
    64.34.253.35 # lfd: (PERMBLOCK) 64.34.253.35 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 21:30:09 2013
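An added Python example (not from the original post or from csf) that parses csf.deny in the format shown above, including the advanced port+ip form and the PERMBLOCK comment lfd writes, so you can audit which permanent blocks lfd created and when. The sample file content is constructed with documentation addresses.

```python
import ipaddress
import re

# Constructed csf.deny content in the format shown above; the addresses are
# documentation ranges, not real blocked hosts.
SAMPLE_DENY = """\
# The following IP addresses will be blocked in iptables
# One IP address per line
#
203.0.113.17 # lfd: (PERMBLOCK) 203.0.113.17 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 04:19:14 2013
198.51.100.0/24 # manual block, do not delete
tcp|in|d=22|s=192.0.2.9 # advanced form: only ssh from this host
bad.example.org # domain names are ignored by csf
"""

PERMBLOCK_RE = re.compile(
    r"lfd: \(PERMBLOCK\) (\S+) has had more than (\d+) temp blocks "
    r"in the last (\d+) secs - (.+)$")

def parse_deny_line(line):
    """Parse one csf.deny line into a dict; None for blanks, comment lines and
    entries csf itself ignores (anything that is not an IP or CIDR)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    entry, _, comment = line.partition("#")
    entry, comment = entry.strip(), comment.strip()
    # "do not delete" in the comment keeps the entry out of DENY_IP_LIMIT rotation.
    rec = {"comment": comment, "keep": "do not delete" in comment.lower()}
    if "|" in entry:  # advanced form: tcp/udp|in/out|s/d=port|s/d=ip
        try:
            proto, direction, port, addr = entry.split("|")
            rec.update(proto=proto, direction=direction,
                       port=port.split("=", 1)[1], addr=addr.split("=", 1)[1])
        except (ValueError, IndexError):
            return None
    else:
        rec["addr"] = entry
    try:
        rec["network"] = ipaddress.ip_network(rec["addr"], strict=False)
    except ValueError:
        return None
    m = PERMBLOCK_RE.search(comment)
    if m:  # permanent block written by lfd after repeated temp blocks
        rec["permblock"] = {"ip": m.group(1), "temp_blocks": int(m.group(2)),
                            "window_secs": int(m.group(3)), "when": m.group(4)}
    return rec

def parse_deny(text):
    return [r for r in map(parse_deny_line, text.splitlines()) if r]

def permanent_lfd_blocks(text):
    """(address, timestamp) of every entry lfd escalated to PERMBLOCK."""
    return [(r["addr"], r["permblock"]["when"]) for r in parse_deny(text) if "permblock" in r]
```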

The following option descriptions are taken from the official website:

    -h, --help              Show this message
    -l, --status            List/Show iptables configuration
    -l6, --status6          List/Show ip6tables configuration
    -s, --start             Start firewall rules
    -f, --stop              Flush/Stop firewall rules (Note: lfd may restart csf)
    -r, --restart           Restart firewall rules
    -q, --startq            Quick restart (csf restarted by lfd)
    -sf, --startf           Force CLI restart regardless of LF_QUICKSTART setting
    -a, --add ip            Allow an IP and add to /etc/csf/csf.allow
    -ar, --addrm ip         Remove an IP from /etc/csf/csf.allow and delete rule
    -d, --deny ip           Deny an IP and add to /etc/csf/csf.deny
    -dr, --denyrm ip        Unblock an IP and remove from /etc/csf/csf.deny
    -df, --denyf            Remove and unblock all entries in /etc/csf/csf.deny
    -g, --grep ip           Search the iptables rules for an IP match (incl. CIDR)
    -t, --temp              Displays the current list of temp IP entries and their TTL
    -tr, --temprm ip        Remove an IP from the temp IP ban and allow list
    -td, --tempdeny ip ttl [-p port] [-d direction]
                            Add an IP to the temp IP ban list. ttl is how long to
                            block for (default: seconds, can use one suffix of h/m/d).
                            Optional port. Optional direction of block can be one of:
                            in, out or inout (default: in)
    -ta, --tempallow ip ttl [-p port] [-d direction]
                            Add an IP to the temp IP allow list (default: inout)
    -tf, --tempf            Flush all IPs from the temp IP entries
    -cp, --cping            PING all members in an lfd Cluster
    -cd, --cdeny ip         Deny an IP in a Cluster and add to /etc/csf/csf.deny
    -ca, --callow ip        Allow an IP in a Cluster and add to /etc/csf/csf.allow
    -cr, --crm ip           Unblock an IP in a Cluster and remove from /etc/csf/csf.deny
    -cc, --cconfig [name] [value]
                            Change configuration option [name] to [value] in a Cluster
    -cf, --cfile [file]     Send [file] in a Cluster to /etc/csf
    -crs, --crestart        Cluster restart csf and lfd
    -m, --mail [addr]       Display Server Check in HTML or email to [addr] if present
    -c, --check             Check for updates to csf but do not upgrade
    -u, --update            Check for updates to csf and upgrade if available
    -uf                     Force an update of csf
    -x, --disable           Disable csf and lfd
    -e, --enable            Enable csf and lfd if previously disabled
    -v, --version           Show csf version

You can use these options to conveniently and quickly control and inspect csf. All the csf configuration files are in /etc/csf/, including:

    csf.conf    - the main configuration file, with comments indicating the purpose of each option
    csf.allow   - a list of IP and CIDR addresses allowed by the firewall
    csf.deny    - a list of IP and CIDR addresses not allowed by the firewall
    csf.ignore  - a list of IP and CIDR addresses that lfd should ignore and not block if detected
    csf.*ignore - various ignore files listing files, users and IP addresses that lfd should ignore; see each file for details

If you modify any of the above files, you need to restart csf for the changes to take effect. If you use the command line options to allow or deny IP addresses, csf applies them automatically.

Both csf.allow and csf.deny can carry a comment on each listed IP address. The comment must be on the same line as the IP address; otherwise the IP rotation of csf.deny will delete the comment.

If you edit csf.allow or csf.deny directly, whether from the shell or from the WHM UI, you must insert # between the IP address and the comment, as shown below:

    11.22.33.44 # because I don't like them

You can also add a comment when using the csf -a or csf -d command, but without inserting #:

    csf -d 11.22.33.44 because I don't like them