The test server was not expected to be attacked, and no preventive measures were taken. The csf firewall is installed to cope with a small number of ddos and cc attacks.
As mentioned in the previous post, when the number of httpd requests was too large Apache ran out of connections, so I raised the connection limit. Under a ddos or cc attack, however, the end result is the same: system resources are exhausted and the server crashes.
csf has also served me well before; see my earlier post, Installation and configuration of the linux apf firewall. The following is a record of how I discovered and dealt with the attack.
1. However I adjusted the Apache connection limit, the connections were always full and system resources were heavily consumed. The test server has no monitoring installed (nagios, cacti, munin); you can look those up yourself.
2. I checked the Apache logs and found a single IP address requesting a single php page more than 90 thousand times in two days. The Apache logs are rotated, so there normally cannot be that many requests, and this is only a test server. See the screenshot below.
(Screenshot: ddos attack)
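As an added example (not part of the original post), this is the kind of log check described above, run over constructed Common Log Format lines; the function names top_ips, top_ip_paths and requests_per_hour, the IPs and the paths are all made up.

```shell
#!/bin/sh
# Added example, not from the original post: rank requests per client IP and
# per (IP, path) pair in an Apache access log, which is how one source
# hammering a single PHP page stands out. The log lines are constructed
# sample data in Common Log Format, not the author's real log.

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [11/Mar/2013:04:10:01 +0800] "GET /index.php?x=1 HTTP/1.1" 200 512
203.0.113.7 - - [11/Mar/2013:04:10:01 +0800] "GET /index.php?x=2 HTTP/1.1" 200 512
203.0.113.7 - - [11/Mar/2013:04:10:02 +0800] "GET /index.php?x=3 HTTP/1.1" 200 512
203.0.113.7 - - [11/Mar/2013:04:10:02 +0800] "GET /index.php HTTP/1.1" 200 512
198.51.100.2 - - [11/Mar/2013:04:10:03 +0800] "GET /about.html HTTP/1.1" 200 1024
198.51.100.2 - - [11/Mar/2013:04:10:09 +0800] "GET /index.php HTTP/1.1" 200 512
192.0.2.9 - - [11/Mar/2013:05:10:15 +0800] "POST /login.php HTTP/1.1" 302 0
EOF

# top_ips LOG [N]: the N most frequent client IPs as "count ip" lines.
top_ips() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' "$1" |
        sort -rn | head -n "${2:-10}"
}

# top_ip_paths LOG [N]: the N most frequent (IP, path) pairs. $7 is the path
# from the quoted request line; the query string is stripped so that
# cache-busting parameters cannot hide a flood against one script.
top_ip_paths() {
    awk '{ sub(/\?.*/, "", $7); c[$1 " " $7]++ }
         END { for (k in c) print c[k], k }' "$1" |
        sort -rn | head -n "${2:-10}"
}

# requests_per_hour LOG: request count per hour bucket, to tell a sustained
# flood (cc attack) from a short burst. $4 is "[dd/Mon/yyyy:HH:MM:SS".
requests_per_hour() {
    awk '{ split($4, t, ":"); c[substr(t[1], 2) ":" t[2]]++ }
         END { for (h in c) print c[h], h }' "$1" | sort -k2
}

top_ips "$SAMPLE_LOG" 3
top_ip_paths "$SAMPLE_LOG" 3
requests_per_hour "$SAMPLE_LOG"
```

On a real server, point the functions at the rotated logs as well (for example with zcat into a temporary file), since a two-day count spans several rotations.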
The following describes the installation and configuration process.
1. Download and install
wget http://www.configserver.com/free/csf.tgz
tar -zxvf csf.tgz
cd csf
sh install.sh
If a perl module error is reported, install the missing module:
yum install perl-libwww-perl
Test csf:
[root@rudder csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
2. Configure csf
The configuration file has a great many options. I will skip the basic configuration, which is documented online, and only cover how to configure csf against a small number of ddos and cc attacks.
1. Port flood protection
vim /etc/csf/csf.conf
I made two changes to csf.conf. The first is:
PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
Explanation:
1) If an IP makes more than 5 connections to tcp port 22 within 300 seconds, it is blocked from port 22 for at least 300 seconds after its last packet is seen; that is, there must be 300 seconds of "quiet" before the block is lifted.
2) If an IP makes more than 20 connections to tcp port 80 within 5 seconds, it is blocked from port 80 for at least 5 seconds after its last packet is seen; that is, there must be 5 seconds of quiet before the block is lifted.
It seems to me that csf is not just a wall; there is also something behind the wall providing dynamic defence, which I think is better.
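Because every PORTFLOOD entry is positional (port;protocol;hit count;interval seconds), a dropped field shifts the meaning of everything after it, so a small checker is worth having; the script below is an added example, not from the original post or from csf itself, and portflood_check is a name I chose.

```shell
#!/bin/sh
# Added example, not from the original post: validate and explain a csf
# PORTFLOOD value before writing it to csf.conf. Each comma-separated entry
# must be exactly port;protocol;hit_count;interval_seconds; one dropped field
# shifts every later field, so a bad entry fails the whole value.

# portflood_check VALUE: prints one line per entry and returns 1 if any entry
# is malformed (wrong field count, unknown protocol, non-numeric field).
portflood_check() {
    status=0
    IFS=','
    for entry in $1; do
        IFS=';' read -r port proto hits secs extra <<EOF
$entry
EOF
        if [ -n "$extra" ] || [ -z "$port" ] || [ -z "$hits" ] || [ -z "$secs" ]; then
            echo "BAD: '$entry' needs exactly 4 fields: port;proto;hits;seconds"
            status=1
            continue
        fi
        case $proto in
            tcp|udp) ;;
            *) echo "BAD: '$entry' protocol must be tcp or udp"; status=1; continue ;;
        esac
        case "$port$hits$secs" in
            *[!0-9]*) echo "BAD: '$entry' port, hits and seconds must be numbers"; status=1; continue ;;
        esac
        echo "OK: more than $hits connections to $proto/$port within ${secs}s block" \
             "the source until it has been quiet for ${secs}s"
    done
    unset IFS
    return $status
}

# The value used in this post, then a copy with the 300-second interval
# dropped, which is rejected instead of silently misreading "80" as seconds.
portflood_check "22;tcp;5;300,80;tcp;20;5"
portflood_check "22;tcp;5;80;tcp;20;5" || echo "second value rejected"
```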
2. Start csf
[root@rudder ~]# /etc/init.d/csf start
A lot of information is printed at startup. Check whether it contains any fatal or warning messages; if not, make the second change:
vim /etc/csf/csf.conf
TESTING = "0"    # change TESTING from 1 to 0
Restart csf: [root@rudder ~]# csf -r. The restart option is the same as apf's; the two iptables-based firewalls have a lot in common.
3. Start lfd
[root@rudder ~]# /etc/init.d/lfd start
lfd has a very important function: it records the defence process. Let's look at the effect.
(Screenshot: lfd log)
After an IP has been temporarily blocked four times, it is denied permanently. I checked, and the IP address had been added to csf.deny automatically.
[root@rudder ~]# cat /etc/csf/csf.deny
###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#
194.28.70.132 # lfd: (PERMBLOCK) 194.28.70.132 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 04:19:14 2013
64.34.253.35 # lfd: (PERMBLOCK) 64.34.253.35 has had more than 4 temp blocks in the last 86400 secs - Mon Mar 11 21:30:09 2013
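The PERMBLOCK entries above come from a simple rule (more than 4 temporary blocks within 86400 seconds). As an added example, not part of the original post or of csf, the script below replays that rule over constructed temp-block events and parses a csf.deny file; permblock_candidates and deny_ips are names I chose.

```shell
#!/bin/sh
# Added example, not from the original post: replay, over constructed temp-block
# events, the rule behind the (PERMBLOCK) entries above: an IP with more than
# 4 temporary blocks within 86400 seconds is blocked permanently. Event lines
# are "epoch_seconds ip" and are constructed sample data.

# permblock_candidates EVENTS_FILE [COUNT] [INTERVAL]: prints a csf.deny-style
# entry for each IP whose temp blocks exceed COUNT (default 4) inside a rolling
# INTERVAL-second window (default 86400). Events are grouped per IP and
# ordered by time first, so the window check needs only one pass.
permblock_candidates() {
    sort -k2,2 -k1,1n "$1" | awk -v limit="${2:-4}" -v window="${3:-86400}" '
        $2 != ip { ip = $2; n = 0 }              # new IP: start a fresh list
        {
            t[++n] = $1
            hits = 0
            for (i = 1; i <= n; i++)             # blocks inside the window
                if (t[i] > $1 - window) hits++
            if (hits > limit && !(ip in flagged)) {
                flagged[ip] = 1
                printf "%s # lfd: (PERMBLOCK) %s has had more than %d temp blocks in the last %d secs\n",
                       ip, ip, limit, window
            }
        }'
}

# deny_ips DENY_FILE: IPs currently listed in csf.deny, comments and blank
# lines skipped, so the list can be compared with permblock_candidates.
deny_ips() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

EVENTS=$(mktemp)
cat >"$EVENTS" <<'EOF'
1362945600 198.51.100.23
1362949200 198.51.100.23
1362952800 198.51.100.23
1362956400 198.51.100.23
1362960000 198.51.100.23
1362700000 203.0.113.5
1362730000 203.0.113.5
1362760000 203.0.113.5
1362790000 203.0.113.5
1362820000 203.0.113.5
EOF
# 198.51.100.23: five blocks in four hours -> permanent block.
# 203.0.113.5: five blocks over 33 hours, never more than 3 per day -> none.
permblock_candidates "$EVENTS"
```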
Some parameter descriptions are found on the official website:
-h, --help               Show this message
-l, --status             List/Show iptables configuration
-l6, --status6           List/Show ip6tables configuration
-s, --start              Start firewall rules
-f, --stop               Flush/Stop firewall rules (Note: lfd may restart csf)
-r, --restart            Restart firewall rules
-q, --startq             Quick restart (csf restarted by lfd)
-sf, --startf            Force CLI restart regardless of LF_QUICKSTART setting
-a, --add ip             Allow an IP and add to /etc/csf/csf.allow
-ar, --addrm ip          Remove an IP from /etc/csf/csf.allow and delete rule
-d, --deny ip            Deny an IP and add to /etc/csf/csf.deny
-dr, --denyrm ip         Unblock an IP and remove from /etc/csf/csf.deny
-df, --denyf             Remove and unblock all entries in /etc/csf/csf.deny
-g, --grep ip            Search the iptables rules for an IP match (incl. CIDR)
-t, --temp               Displays the current list of temp IP entries and their TTL
-tr, --temprm ip         Remove an IP from the temp IP ban and allow list
-td, --tempdeny ip ttl [-p port] [-d direction]
                         Add an IP to the temp IP ban list. ttl is how long to
                         block for (default: seconds, can use one suffix of h/m/d)
                         Optional port. Optional direction of block can be one of:
                         in, out or inout (default: in)
-ta, --tempallow ip ttl [-p port] [-d direction]
                         Add an IP to the temp IP allow list (default: inout)
-tf, --tempf             Flush all IPs from the temp IP entries
-cp, --cping             PING all members in an lfd Cluster
-cd, --cdeny ip          Deny an IP in a Cluster and add to /etc/csf/csf.deny
-ca, --callow ip         Allow an IP in a Cluster and add to /etc/csf/csf.allow
-cr, --crm ip            Unblock an IP in a Cluster and remove from /etc/csf/csf.deny
-cc, --cconfig [name] [value]
                         Change configuration option [name] to [value] in a Cluster
-cf, --cfile [file]      Send [file] in a Cluster to /etc/csf/
-crs, --crestart         Cluster restart csf and lfd
-m, --mail [addr]        Display Server Check in HTML or email to [addr] if present
-c, --check              Check for updates to csf but do not upgrade
-u, --update             Check for updates to csf and upgrade if available
-uf                      Force an update of csf
-x, --disable            Disable csf and lfd
-e, --enable             Enable csf and lfd if previously disabled
-v, --version            Show csf version
You can use these options to control and inspect csf quickly and conveniently. All csf configuration files are in /etc/csf/, including:
csf.conf - main configuration file, with comments indicating the purpose of each option
csf.allow - list of IP addresses and CIDR addresses allowed by the firewall
csf.deny - list of IP addresses and CIDR addresses not allowed by the firewall
csf.ignore - list of IP addresses and CIDR addresses that lfd should ignore and not block after detection
csf.*ignore - various lists of files, users and IP addresses that lfd should ignore; see each file for details
If you modify any of the above files, you need to restart csf for the change to take effect. If you use the command-line options to allow or deny IP addresses, they take effect automatically.
Both csf.allow and csf.deny allow a comment on each listed IP address. The comment must be on the same line as the IP address; otherwise the rotation of csf.deny will delete the comment.
If you edit csf.allow or csf.deny directly, whether from the shell or the WHM UI, you must put a # between the IP address and the comment, like this:
11.22.33.44 # because I don't like them
You can also add a comment when using csf -a or csf -d, but without the #:
csf -d 11.22.33.44 because I don't like them