#2
11-23-2006, 03:09 PM
rockdalinux
Join Date: May 2005
Location: Bangalore
My distro: RHEL, HP-UX, Solaris, FreeBSD, Ubuntu
Posts: 581
Hello,

Sorry to hear about your problem. If you just need to block IPs, try something like the following, which is modified from the original script.

First, create the file /root/allbadips.txt and append all bad IPs to it.

Now create a script called /root/fw.start as follows. Set it up like this:
Set all VPS IPs separated by a blank space; if you have 3 IPs such as 202.51.1.1, 202.51.1.2 and 202.51.1.3:
Code:
myIP="202.51.1.1 202.51.1.2  202.51.1.3"
Set the VPS main IP here, which is bound to Apache port 80; if it is 202.51.1.3:
Code:
ip="202.51.1.3"
Set your DNS name server IPs; if they are 55.1.23.5 and 55.1.23.6:
Code:
# ISP name server 1 and 2
NSIP="55.1.23.5 55.1.23.6"

Complete modified script:
Code:
#!/bin/bash
# BAD IPS FILE: all IPs in this file are dropped (lines starting with # are comments)
BADIPS="$(grep -v -E '^#' /root/allbadips.txt)"

# setup ALL your IPS here 
myIP="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"

# Setup VPS main IP here
ip="xxx.xxx.xxx.xxx"

# ISP name server 1 and 2
NSIP="ns1_IP  ns2_IP" 

# stop RedHAT linux iptables
service  iptables stop

# Setting default filter policy DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow unlimited traffic on both lo and venet0
iptables -A INPUT  -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT

iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
#
# Block all those BAD IPs 
#
for ipb in $BADIPS
do
    iptables -A INPUT -s $ipb -j DROP
    iptables -A OUTPUT -d $ipb -j DROP
done

# Stop  flood 
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Spoofing and bad addresses
# Bad incoming source ip address i.e server IP drop all here
# (loop over $myIP, the variable set above; the original used the undefined $myIPS)
for myip in $myIP
do
    iptables -A INPUT -s $myip -j DROP
done

# Drop all incoming fragments
iptables -A INPUT -f -j DROP

# Drop all incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop all incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Bad incoming source ip address 0.0.0.0/8
iptables -A INPUT -s 0.0.0.0/8 -j DROP

# Bad incoming source ip address 127.0.0.0/8
iptables -A INPUT -s 127.0.0.0/8 -j DROP

# Bad incoming source ip address 10.0.0.0/8
iptables -A INPUT -s 10.0.0.0/8 -j DROP

# Bad incoming source ip address 172.16.0.0/12
iptables -A INPUT -s 172.16.0.0/12 -j DROP

# Bad incoming source ip address 192.168.0.0/16
iptables -A INPUT -s 192.168.0.0/16 -j DROP

# Bad incoming source ip address 224.0.0.0/3
iptables -A INPUT -s 224.0.0.0/3 -j DROP

#Open Port 80 
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

#Open Port 443
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT

#Open Port 25
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

#Open port 22 for all
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $ip --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 22 -d 0/0 --dport 513:65535 -j ACCEPT

# Outgoing DNS
# udp first
#ip="your_main_IP"
for mip in $NSIP
do
  iptables -A OUTPUT -p udp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT
  # tcp next
  iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT
done

#outgoing SMTP
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $ip --dport 1024:65535 -j ACCEPT

#outgoing SSH
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip  --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 22 -d $ip --dport 513:65535 -j ACCEPT

# Okay Drop everything from here :D 
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP
Save and run script:
Code:
chmod +x /root/fw.start
/root/fw.start
If they are using too many dynamic IPs, it may become hard for the VPS to block and handle all the IPs. But try out the above and let us know the details.
__________________
Rocky Jr.
You may have my body & soul, but you will never touch my pride!

If you have knowledge, let others light their candles at it.

Certified to work on HP-UX / Sun Solaris / RedHat
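Added example, not part of the post above: the script's loop feeds every non-comment line of /root/allbadips.txt straight to iptables, so one stray hostname or typo aborts the run midway and leaves the policy half-built. This helper validates each entry as an IPv4 address or CIDR first and emits one iptables-restore batch instead of one iptables call per address, which also addresses the "too many IPs" concern. Function names and the sample list are my own choices.

```bash
#!/bin/bash
# Validate a bad-IP list (allbadips.txt format) before it reaches iptables.
# Function names and the constructed sample list below are not from the post.

# Returns 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
  local addr="${1%/*}" pfx oct
  case "$1" in
    */*) pfx="${1#*/}"
         case "$pfx" in ''|*[!0-9]*) return 1 ;; esac   # prefix must be digits
         [ "$pfx" -le 32 ] || return 1 ;;
  esac
  local IFS=.
  set -- $addr                      # split the address on dots
  [ $# -eq 4 ] || return 1
  for oct in "$@"; do
    case "$oct" in ''|*[!0-9]*) return 1 ;; esac        # each octet is digits
    [ "$oct" -le 255 ] || return 1
  done
}

# Print a DROP rule pair (iptables-restore syntax) for every valid entry of
# list file $1; blank lines and '#' comments are skipped, bad lines go to
# stderr. Returns 1 if anything was rejected so the caller can refuse to
# load a partial list rather than a silently shorter one.
badip_rules() {
  local line bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                                  # strip trailing comment
    line="$(printf '%s' "$line" | tr -d '[:space:]')"
    [ -z "$line" ] && continue
    if is_ipv4_cidr "$line"; then
      printf '%s\n' "-A INPUT -s $line -j DROP"
      printf '%s\n' "-A OUTPUT -d $line -j DROP"
    else
      printf 'rejected entry: %s\n' "$line" >&2
      bad=1
    fi
  done < "$1"
  return $bad
}

# Constructed sample list: a host, a CIDR with a comment, and one bad line.
SAMPLE=$(mktemp)
printf '# bad ips\n203.0.113.7\n198.51.100.0/24 # botnet range\nevil.example\n\n' > "$SAMPLE"
```

The output of `badip_rules /root/allbadips.txt` can be wrapped between `*filter` and `COMMIT` lines and loaded with `iptables-restore -n`, which appends without flushing the rules the script already set.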