nixCraft

deltamails · #1 (**permalink**) 11-23-2006, 01:48 PM

we are facing DDOS attack on VPS. And datacenter can not help in it. It's on port80.
Mod_evasive is installed but its not enough.
i tried script
http://bash.cyberciti.biz/security/v...cript.bash.php

When I start this script it blocks all the ports and services. I have made all the changes for IP in script but it's not working.
How can I make this script work on VPS and block IP's through it.

Operating system is CentOS 4.3
Please suggest.
Thanks.

rockdalinux · #2 (**permalink**) 11-23-2006, 03:09 PM

Hello,

Sorry to hear about your problem. If you just need to block IPs try something as follows which is modified from original script.

First create file /root/allbadips.txt and append all bad ips to this file.

Now create script as follows called /root/fw.start. Setup it as follows:
Setup all VPS IPS separated by a black space, if you have 3 ips such as 202.51.1.1, 202.51.1.2 and 202.51.1.3

Code:

myIP="202.51.1.1 202.51.1.2  202.51.1.3"

Setup VPS main IP here which is bind to Apache port 80, if it is 202.51.1.3

Code:

ip="202.51.1.3"

Setup your DNS name server IPS, if it is 55.1.23.5 and 55.1.23.6
# ISP name server 1 and 2
NSIP="55.1.23.5 55.1.23.6"

Complete modified script:

Code:

#!/bin/bash
# BAD IPS FILE all ip in this file are drooped
BADIPS="$(cat /root/allbadips.txt|grep -v -E '^#')"

# setup ALL your IPS here 
myIP="xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx"

# Setup VPS main IP here
ip="xxx.xxx.xxx.xxx"

# ISP name server 1 and 2
NSIP="ns1_IP  ns2_IP" 

# stop RedHAT linux iptables
service  iptables stop

# Setting default filter policy DROP ALL :D
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# allow unlinited traffic on both lo and venet0
iptables -A INPUT  -i venet0 -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT

iptables -A INPUT  -i lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
#
# Block all those BAD IPs 
#
for ipb in $BADIPS
do
    iptables -A INPUT -s $ipb -j DROP
    iptables -A OUTPUT -d $ipb -j DROP
done

# Stop  flood 
iptables -N flood
iptables -A INPUT -p tcp --syn -j flood
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A flood -j DROP

# Spoofing and bad addresses
# Bad incoming source ip address i.e server IP drop all here
for myip in $myIPS
do
    iptables -A INPUT -s $myip -j DROP
done

# Drop all incoming fragments
iptables -A INPUT -f -j DROP

# Drop all incoming malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Drop all incoming malformed NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Bad incoming source ip address 0.0.0.0/8
iptables -A INPUT -s 0.0.0.0/8 -j DROP

# Bad incoming source ip address 127.0.0.0/8
iptables -A INPUT -s 127.0.0.0/8 -j DROP

# Bad incoming source ip address 10.0.0.0/8
iptables -A INPUT -s 10.0.0.0/8 -j DROP

# Bad incoming source ip address 172.16.0.0/12
iptables -A INPUT -s 172.16.0.0/12 -j DROP

# Bad incoming source ip address 192.168.0.0/16
iptables -A INPUT -s 192.168.0.0/16 -j DROP

# Bad incoming source ip address 224.0.0.0/3
iptables -A INPUT -s 224.0.0.0/3 -j DROP

#Open Port 80 
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT

#Open Port 443
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT

#Open Port 25
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $ip --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT

#Open port 22 for all
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d $ip --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 22 -d 0/0 --dport 513:65535 -j ACCEPT

# Outgoing DNS
# udp first
#ip="your_main_IP"
for mip in $NSIP
do
  iptables -A OUTPUT -p udp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT
  iptables -A INPUT -p udp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT
  # tcp next
  iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d $mip --dport 53 -j ACCEPT
  iptables -A INPUT -p tcp -s $mip --sport 53 -d $ip --dport 1024:65535 -j ACCEPT
done

#outgoing SMTP
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d $ip --dport 1024:65535 -j ACCEPT

#outgoin SSH
#ip="your_main_IP"
iptables -A OUTPUT -p tcp -s $ip  --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 22 -d $ip --dport 513:65535 -j ACCEPT

# Okay Drop everything from here :D 
iptables -A INPUT -s 0/0 -j DROP
iptables -A OUTPUT -d 0/0 -j DROP

Save and run script:

Code:

chmod +x /root/fw.start
/root/fw.start

If they are using too many dynamic ips it may become hard for VPS to block and handle all IPS. But try out above and let us know the details.

monk · #3 (**permalink**) 11-23-2006, 03:25 PM

Theres not much you can do except block IPS. But VPS has many restrictions such as limited availability of iptables rules and memory limites. Try out above rules.

Your best option is to ask your service provider to migrate DDoS attack.

tom · #4 (**permalink**) 11-23-2006, 03:30 PM

What kind of attack? Is this syn floods with dynamic IPs? It is very hard to track where an attack comes from because of bots controlled by attackers and they change IPs every 30 minute or an hour.

As suggested by monk it is better to use DDoS filtering service.

Good luck.

deltamails · #5 (**permalink**) 11-23-2006, 04:25 PM

Hello,
Thanks everyone for reply.
I made script and ran it

output is

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
iptables: No chain/target/match by that name

rockdalinux · #6 (**permalink**) 11-23-2006, 04:31 PM

It appears that few modules are not loaded by your service provider. What is the output of following command?

Code:

iptables -L -n

Also run following command and find out when you see error iptables: No chain/target/match by that name - so that we can add or remove rules to VPS

Code:

sh -x fw.start

deltamails · #7 (**permalink**) 11-23-2006, 04:40 PM

# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

------------------------------++
g[root@jupiter ~]# sh -x fw.start
++ cat /root/allbadips.txt
++ grep -v -E '^#'
+ BADIPS='81.170.239.78
69.115.181.157
85.147.68.248
84.145.173.106
69.115.181.157
85.147.68.248
84.145.173.106
69.231.44.193
80.100.68.193
213.173.255.181
84.168.52.36
84.168.19.66
84.168.40.44
84.168.31.17
193.217.29.213'
+ myIP=66.235.251.194
+ ip=66.235.251.194
+ NSIP='66.235.251.138 66.235.251.141'
+ service iptables stop
+ iptables -P INPUT DROP
+ iptables -P OUTPUT DROP
+ iptables -P FORWARD DROP
+ iptables -A INPUT -i venet0 -s 127.0.0.1 -j ACCEPT
+ iptables -A OUTPUT -o venet0 -d 127.0.0.1 -j ACCEPT
+ iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
+ iptables -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 81.170.239.78 -j DROP
+ iptables -A OUTPUT -d 81.170.239.78 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 69.115.181.157 -j DROP
+ iptables -A OUTPUT -d 69.115.181.157 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 85.147.68.248 -j DROP
+ iptables -A OUTPUT -d 85.147.68.248 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 84.145.173.106 -j DROP
+ iptables -A OUTPUT -d 84.145.173.106 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 69.115.181.157 -j DROP
+ iptables -A OUTPUT -d 69.115.181.157 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 85.147.68.248 -j DROP
+ iptables -A OUTPUT -d 85.147.68.248 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 84.145.173.106 -j DROP
+ iptables -A OUTPUT -d 84.145.173.106 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 69.231.44.193 -j DROP
+ iptables -A OUTPUT -d 69.231.44.193 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 80.100.68.193 -j DROP
+ iptables -A OUTPUT -d 80.100.68.193 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 213.173.255.181 -j DROP
+ iptables -A OUTPUT -d 213.173.255.181 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 84.168.52.36 -j DROP
+ iptables -A OUTPUT -d 84.168.52.36 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 84.168.19.66 -j DROP
+ iptables -A OUTPUT -d 84.168.19.66 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 84.168.40.44 -j DROP
+ iptables -A OUTPUT -d 84.168.40.44 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 84.168.31.17 -j DROP
+ iptables -A OUTPUT -d 84.168.31.17 -j DROP
+ for ipb in '$BADIPS'
+ iptables -A INPUT -s 193.217.29.213 -j DROP
+ iptables -A OUTPUT -d 193.217.29.213 -j DROP
+ iptables -N flood
+ iptables -A INPUT -p tcp --syn -j flood
+ iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables: No chain/target/match by that name
+ iptables -A flood -j DROP
+ iptables -A INPUT -f -j DROP
+ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+ iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+ iptables -A INPUT -s 0.0.0.0/8 -j DROP
+ iptables -A INPUT -s 127.0.0.0/8 -j DROP
+ iptables -A INPUT -s 10.0.0.0/8 -j DROP
+ iptables -A INPUT -s 172.16.0.0/12 -j DROP
+ iptables -A INPUT -s 192.168.0.0/16 -j DROP
+ iptables -A INPUT -s 224.0.0.0/3 -j DROP
+ iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 66.235.251.194 --dport 80 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 80 -d 0/0 --dport 1024:65535 -j ACCEPT
+ iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 66.235.251.194 --dport 443 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 443 -d 0/0 --dport 1024:65535 -j ACCEPT
+ iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 66.235.251.194 --dport 25 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 25 -d 0/0 --dport 1024:65535 -j ACCEPT
+ iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 66.235.251.194 --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 22 -d 0/0 --dport 513:65535 -j ACCEPT
+ for mip in '$NSIP'
+ iptables -A OUTPUT -p udp -s 66.235.251.194 --sport 1024:65535 -d 66.235.251.138 --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp -s 66.235.251.138 --sport 53 -d 66.235.251.194 --dport 1024:65535 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 1024:65535 -d 66.235.251.138 --dport 53 -j ACCEPT
+ iptables -A INPUT -p tcp -s 66.235.251.138 --sport 53 -d 66.235.251.194 --dport 1024:65535 -j ACCEPT
+ for mip in '$NSIP'
+ iptables -A OUTPUT -p udp -s 66.235.251.194 --sport 1024:65535 -d 66.235.251.141 --dport 53 -j ACCEPT
+ iptables -A INPUT -p udp -s 66.235.251.141 --sport 53 -d 66.235.251.194 --dport 1024:65535 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 1024:65535 -d 66.235.251.141 --dport 53 -j ACCEPT
+ iptables -A INPUT -p tcp -s 66.235.251.141 --sport 53 -d 66.235.251.194 --dport 1024:65535 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 1024:65535 -d 0/0 --dport 25 -j ACCEPT
+ iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 66.235.251.194 --dport 1024:65535 -j ACCEPT
+ iptables -A OUTPUT -p tcp -s 66.235.251.194 --sport 513:65535 -d 0/0 --dport 22 -j ACCEPT
+ iptables -A INPUT -p tcp -s 0/0 --sport 22 -d 66.235.251.194 --dport 513:65535 -j ACCEPT
+ iptables -A INPUT -s 0/0 -j DROP
+ iptables -A OUTPUT -d 0/0 -j DROP
------------------

rockdalinux · #8 (**permalink**) 11-23-2006, 04:47 PM

It appears that vps is not loaded with iptables syn module or support is not included. Just remove following 4 lines from script and reload again

Code:

# Stop  flood 
iptables -N flood 
iptables -A INPUT -p tcp --syn -j flood 
iptables -A flood -m limit --limit 1/s --limit-burst 3 -j RETURN 
iptables -A flood -j DROP

Just start fw again

Code:

/root/fw.start

Verify that iptables loaded

Code:

iptables -L -n

deltamails · #9 (**permalink**) 11-23-2006, 06:30 PM

[root@jupiter ~]# ./fw.start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
[root@jupiter ~]# service httpd start

-------------------------------------------------
[root@jupiter ~]#
[root@jupiter ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 127.0.0.1 0.0.0.0/0
DROP all -- 81.170.239.78 0.0.0.0/0
DROP all -- 69.115.181.157 0.0.0.0/0
DROP all -- 85.147.68.248 0.0.0.0/0
DROP all -- 84.145.173.106 0.0.0.0/0
DROP all -- 69.115.181.157 0.0.0.0/0
DROP all -- 85.147.68.248 0.0.0.0/0
DROP all -- 84.145.173.106 0.0.0.0/0
DROP all -- 69.231.44.193 0.0.0.0/0
DROP all -- 80.100.68.193 0.0.0.0/0
DROP all -- 213.173.255.181 0.0.0.0/0
DROP all -- 84.168.52.36 0.0.0.0/0
DROP all -- 84.168.19.66 0.0.0.0/0
DROP all -- 84.168.40.44 0.0.0.0/0
DROP all -- 84.168.31.17 0.0.0.0/0
DROP all -- 193.217.29.213 0.0.0.0/0
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 224.0.0.0/3 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 66.235.251.194 tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 66.235.251.194 tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 66.235.251.194 tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 66.235.251.194 tcp spts:513:65535 dpt:22
ACCEPT udp -- 66.235.251.138 66.235.251.194 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 66.235.251.138 66.235.251.194 tcp spt:53 dpts:1024:65535
ACCEPT udp -- 66.235.251.141 66.235.251.194 udp spt:53 dpts:1024:65535
ACCEPT tcp -- 66.235.251.141 66.235.251.194 tcp spt:53 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 66.235.251.194 tcp spt:25 dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 66.235.251.194 tcp spt:22 dpts:513:65535
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 127.0.0.1
ACCEPT all -- 0.0.0.0/0 127.0.0.1
DROP all -- 0.0.0.0/0 81.170.239.78
DROP all -- 0.0.0.0/0 69.115.181.157
DROP all -- 0.0.0.0/0 85.147.68.248
DROP all -- 0.0.0.0/0 84.145.173.106
DROP all -- 0.0.0.0/0 69.115.181.157
DROP all -- 0.0.0.0/0 85.147.68.248
DROP all -- 0.0.0.0/0 84.145.173.106
DROP all -- 0.0.0.0/0 69.231.44.193
DROP all -- 0.0.0.0/0 80.100.68.193
DROP all -- 0.0.0.0/0 213.173.255.181
DROP all -- 0.0.0.0/0 84.168.52.36
DROP all -- 0.0.0.0/0 84.168.19.66
DROP all -- 0.0.0.0/0 84.168.40.44
DROP all -- 0.0.0.0/0 84.168.31.17
DROP all -- 0.0.0.0/0 193.217.29.213
ACCEPT tcp -- 66.235.251.194 0.0.0.0/0 tcp spt:80 dpts:1024:65535
ACCEPT tcp -- 66.235.251.194 0.0.0.0/0 tcp spt:443 dpts:1024:65535
ACCEPT tcp -- 66.235.251.194 0.0.0.0/0 tcp spt:25 dpts:1024:65535
ACCEPT tcp -- 66.235.251.194 0.0.0.0/0 tcp spt:22 dpts:513:65535
ACCEPT udp -- 66.235.251.194 66.235.251.138 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 66.235.251.194 66.235.251.138 tcp spts:1024:65535 dpt:53
ACCEPT udp -- 66.235.251.194 66.235.251.141 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 66.235.251.194 66.235.251.141 tcp spts:1024:65535 dpt:53
ACCEPT tcp -- 66.235.251.194 0.0.0.0/0 tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 66.235.251.194 0.0.0.0/0 tcp spts:513:65535 dpt:22
DROP all -- 0.0.0.0/0 0.0.0.0/0
[root@jupiter ~]#