Posted by: Mangesh_Linux_Administrator | November 25, 2010

Prevent Apache From DDoS Attacks


Implement security features on your server such as:

1) DDoS protection using CSF through "SYNFLOOD".
2) Install Apache modules like mod_dosevasive and mod_security on your server.
3) The best free and open-source solution to protect from DDoS: http://deflate.medialayer.com/
4) Configure APF and iptables to reduce DDoS.

Description here :-
1.) DDoS protection using CSF through "SYNFLOOD" and connection tracking :- Please modify these options through CSF:
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
SYNFLOOD
SYNFLOOD is disabled by default. If you are not receiving any sort of attack, there is no need to enable it. If you are expecting an attack, enable it and set the rules a bit strict, like:
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"
i.e. if 30 connections per second are received from an IP 10 times over, block it. Make sure you don't keep it too strict if you are not receiving an attack, otherwise it will generate false positives and block legitimate connections.
PORTFLOOD
PORTFLOOD = 80;tcp;100;5,22;tcp;5;300
i.e. if an IP makes 100 connections in 5 seconds to port 80 (tcp), it will be blocked from the server; likewise if it makes 5 connections in 300 seconds to port 22.
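The comment above says to check /var/log/messages for "*SYNFLOOD Blocked*" entries when tuning SYNFLOOD_RATE and SYNFLOOD_BURST. The following script is an added example (not part of the original post, CSF or its documentation) that summarises those entries per source IP and destination port so the false-positive rate can be judged from real traffic. The log lines are constructed samples; the "Firewall: *SYNFLOOD Blocked*" prefix and the SRC=/DPT= fields follow the iptables LOG target format that CSF's SYN flood rule writes to syslog, and the host name map007 is taken from the post.

```shell
#!/bin/sh
# Added example (not part of the original post or of CSF): summarise
# "*SYNFLOOD Blocked*" syslog lines per source IP and destination port.
# SAMPLE_LOG is constructed; the last line is a non-matching sshd entry
# to show that unrelated lines are ignored.

SAMPLE_LOG='Nov 25 10:00:01 map007 kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
Nov 25 10:00:01 map007 kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN
Nov 25 10:00:02 map007 kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN
Nov 25 10:00:02 map007 kernel: Firewall: *SYNFLOOD Blocked* IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
Nov 25 10:00:03 map007 sshd[2211]: Accepted publickey for root from 192.0.2.9 port 50022 ssh2'

# synflood_summary: read syslog lines on stdin and print "count src dport"
# for every (source IP, destination port) pair, most-blocked first.
synflood_summary() {
    grep 'SYNFLOOD Blocked' \
    | sed -n 's/.*SRC=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2, $3}'
}

# synflood_top: the single source IP with the most blocked SYN packets.
synflood_top() {
    synflood_summary | awk 'NR == 1 { print $2 }'
}

# synflood_total: total number of blocked SYN packets in the log.
synflood_total() {
    grep -c 'SYNFLOOD Blocked'
}

# Stand-alone run over the constructed sample; on a live server pipe
# /var/log/messages (or the output of tail -f) into synflood_summary instead.
printf '%s\n' "$SAMPLE_LOG" | synflood_summary
```

If a single legitimate source (a monitoring host, a reverse proxy, an office NAT gateway) dominates the summary, the rate is too strict for that server and should be raised before the rule blocks real visitors.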

# Connection Tracking. This option enables tracking of all connections from IP
# addresses to the server. If the total number of connections is greater than
# this value then the offending IP address is blocked. This can be used to help
# prevent some types of DOS attack.
#
# Care should be taken with this option. It's entirely possible that you will
# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
# and HTTP so it could be quite easy to trigger, especially with a lot of
# closed connections in TIME_WAIT. However, for a server that is prone to DOS
# attacks this may be very useful. A reasonable setting for this option might
# be around 300.
#
# To disable this feature, set this to 0
CT_LIMIT = Default: 50 (means 50 connections per IP address)
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = Default: 30
# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = Default: 1
# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = Default: 0
# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = Default: 1800
# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = Default: 0
# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES =
# If you only want to count specific ports (e.g. 80,443) then add the ports
# to the following as a comma separated list. E.g. "80,443"
#
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = 80,443

======================================================
2) Install Apache modules like mod_dosevasive and mod_security on your server :-

The mod_evasive and mod_security modules are used to secure the Apache web server from DDoS and brute-force attacks by implementing a web application firewall.

The mod_evasive authoring site (zdziarski.com) states that mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, etc.

*Note: the mod_evasive module has been known to cause problems with FrontPage Server Extensions. If you use FrontPage Server Extensions, you should thoroughly test your mod_evasive installation before deploying it on a production server.

[root@map007 ~]# cd /usr/local
[root@map007 local]# wget http://www.zdziarski.com/blog/wp-content/uploads/2010/02/mod_evasive_1.10.1.tar.gz
[root@map007 local]# tar -xvzf mod_evasive_1.10.1.tar.gz
[root@map007 local]# cd mod_evasive
[root@map007 mod_evasive]# /usr/local/apache/bin/apxs -cia mod_evasive.c

If the first apxs run fails and leaves a mod_evasive.loT file behind, rename it to mod_evasive.lo and run apxs again; then confirm the module is loaded:

[root@map007 mod_evasive]# mv mod_evasive.loT mod_evasive.lo
[root@map007 mod_evasive]# /usr/local/apache/bin/apxs -cia mod_evasive.c
[root@map007 mod_evasive]# httpd -M | grep evasive

Edit httpd.conf and add the following block:
[root@map007 mod_evasive]# vi /etc/httpd/conf/httpd.conf

<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   600
</IfModule>
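The block above sets DOSPageCount/DOSPageInterval (same page, same client) and DOSSiteCount/DOSSiteInterval (any page, same client) but the post does not show what traffic those numbers correspond to. The script below is an added example (not part of the original post or of mod_evasive) that replays an Apache combined-format access log against those four values and reports which clients would have crossed a threshold, so the settings can be sanity-checked against real logs before the module starts returning 403s to legitimate users. The access-log lines are constructed samples; the per-second bucketing is an approximation of mod_evasive's per-interval counters, labelled as such in the code.

```shell
#!/bin/sh
# Added example (not part of the original post or of mod_evasive): replay an
# access log against the DOSPageCount/DOSSiteCount thresholds from httpd.conf.
# Values below mirror the configuration block in the post.

DOS_PAGE_COUNT=2       # same client + same URI more than this many times per interval
DOS_PAGE_INTERVAL=1    # seconds
DOS_SITE_COUNT=50      # same client, any URI, more than this many times per interval
DOS_SITE_INTERVAL=1    # seconds

# Constructed sample: one client hammering /index.php, one normal visitor.
SAMPLE_ACCESS_LOG='203.0.113.5 - - [25/Nov/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Nov/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2010:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2010:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Nov/2010:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# sample_access_log: the lines above plus a third constructed client that
# requests 60 distinct pages within one second (trips DOSSiteCount, not DOSPageCount).
sample_access_log() {
    printf '%s\n' "$SAMPLE_ACCESS_LOG"
    awk 'BEGIN { for (i = 1; i <= 60; i++)
        printf "198.51.100.77 - - [25/Nov/2010:10:00:05 +0000] \"GET /page%d.html HTTP/1.1\" 200 100 \"-\" \"curl/7.19\"\n", i }'
}

# evasive_offenders: read combined-format log lines on stdin, print one line
# per client IP that exceeds a threshold: "<ip> page <uri> <n>x" or "<ip> site <n>x".
# Requests are grouped into fixed time buckets of the interval length; this
# approximates mod_evasive's sliding per-interval counters (an assumption of
# this example, not the module's exact algorithm). Time-of-day only, so a log
# spanning midnight would need the date folded into the bucket as well.
evasive_offenders() {
    awk -v pc="$DOS_PAGE_COUNT" -v pi="$DOS_PAGE_INTERVAL" \
        -v sc="$DOS_SITE_COUNT" -v si="$DOS_SITE_INTERVAL" '
    {
        ip = $1
        split($4, t, ":")                    # $4 is "[25/Nov/2010:10:00:01"
        secs = t[2] * 3600 + t[3] * 60 + t[4]
        uri = $7
        pb = int(secs / pi); sb = int(secs / si)
        page[ip SUBSEP uri SUBSEP pb]++
        site[ip SUBSEP sb]++
    }
    END {
        for (k in page) { split(k, p, SUBSEP); if (page[k] > pc) hit[p[1]] = "page " p[2] " " page[k] "x" }
        for (k in site) { split(k, p, SUBSEP); if (site[k] > sc) hit[p[1]] = "site " site[k] "x" }
        for (ip in hit) print ip, hit[ip]
    }' | sort
}

# Stand-alone run over the constructed sample; on a live server feed
# /usr/local/apache/logs/access_log (or wherever CustomLog points) instead.
sample_access_log | evasive_offenders
```

A DOSPageCount of 2 per second is strict: a page that loads a handful of assets, or a user double-clicking a link, can exceed it, so running a day's real log through this check before enabling the module shows how many ordinary visitors the chosen values would block.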

[root@map007 mod_evasive]# cd /usr/local/apache/modules/
Then download mod_evasive20.so from the web, place it in the modules directory, and set its permissions to 755.

[root@map007 ~]#  /etc/init.d/httpd restart

======================================================

3) The best free and open-source solution to protect from DDoS :-

http://deflate.medialayer.com/ :-

(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server’s firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)
Notable features :-

* It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
* Simple configuration file: /usr/local/ddos/ddos.conf
* IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
* The script can run at a chosen frequency via the configuration file (default: 1 minute)
* You can receive email alerts when IP addresses are blocked.
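Both CSF's CT_LIMIT (section 1) and DDoS Deflate's netstat pipeline above rest on the same primitive: count connections per remote IP and act on the ones over a threshold, skipping a whitelist. The script below is an added example (not part of the original post, of CSF or of DDoS Deflate) of that count run over a constructed `netstat -ntu` listing. It differs from the `cut -d: -f1` pipeline in one practical way: it strips only the trailing `:port`, so IPv4-mapped IPv6 peers such as `::ffff:192.0.2.9` are counted under their real address instead of collapsing to an empty key. The threshold of 3 and the inline whitelist are small stand-ins for the real CT_LIMIT value and /usr/local/ddos/ignore.ip.list.

```shell
#!/bin/sh
# Added example (not part of the original post, CSF or DDoS Deflate):
# per-IP connection count with threshold and whitelist over a constructed
# `netstat -ntu` listing.

CT_LIMIT=3                   # demo value; the post's CSF default is 50
WHITELIST='198.51.100.10'    # stand-in for /usr/local/ddos/ignore.ip.list, one IP per line

# Constructed sample. 203.0.113.5 holds 4 connections (one in TIME_WAIT),
# 198.51.100.10 holds 4 but is whitelisted, and 192.0.2.9 appears both as an
# IPv4-mapped IPv6 peer on tcp6 and as a plain IPv4 peer on udp (3 in total).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.2:80         203.0.113.5:51234       ESTABLISHED
tcp        0      0 198.51.100.2:80         203.0.113.5:51235       ESTABLISHED
tcp        0      0 198.51.100.2:80         203.0.113.5:51236       TIME_WAIT
tcp        0      0 198.51.100.2:80         203.0.113.5:51237       ESTABLISHED
tcp        0      0 198.51.100.2:443        198.51.100.10:40001     ESTABLISHED
tcp        0      0 198.51.100.2:443        198.51.100.10:40002     ESTABLISHED
tcp        0      0 198.51.100.2:443        198.51.100.10:40003     ESTABLISHED
tcp        0      0 198.51.100.2:443        198.51.100.10:40004     ESTABLISHED
tcp6       0      0 ::ffff:198.51.100.2:80  ::ffff:192.0.2.9:6001   ESTABLISHED
tcp6       0      0 ::ffff:198.51.100.2:80  ::ffff:192.0.2.9:6002   ESTABLISHED
udp        0      0 198.51.100.2:53         192.0.2.9:5353          ESTABLISHED'

# connections_per_ip: print "count ip" per foreign address, busiest first.
# Header lines are skipped. TIME_WAIT entries are counted, as CSF does
# unless CT_SKIP_TIME_WAIT is set.
connections_per_ip() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        sub(/:[0-9]+$/, "", $5)      # drop the remote port, keep the address intact
        sub(/^::ffff:/, "", $5)      # fold IPv4-mapped IPv6 onto the IPv4 address
        print $5
    }' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# over_limit: IPs whose count exceeds CT_LIMIT and that are not whitelisted.
# This only reports; the block itself would be csf -d / apf -d / iptables,
# which is deliberately left to the operator.
over_limit() {
    connections_per_ip | while read -r count ip; do
        [ "$count" -gt "$CT_LIMIT" ] || continue
        printf '%s\n' "$WHITELIST" | grep -qxF "$ip" && continue
        printf '%s\n' "$ip"
    done
}

# Stand-alone run over the constructed sample; on a live server use
# `netstat -ntu | over_limit`.
printf '%s\n' "$SAMPLE_NETSTAT" | over_limit
```

The TIME_WAIT entry illustrates the CSF comment about false positives: a busy but legitimate client that opens and closes many short connections accumulates TIME_WAIT entries that count against it unless CT_SKIP_TIME_WAIT is set.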

Installation :-

[root@map007 ~]# wget http://www.inetbase.com/scripts/ddos/install.sh
[root@map007 ~]# chmod 0700 install.sh
[root@map007 ~]# ./install.sh

Uninstallation :-

[root@map007 ~]# wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
[root@map007 ~]# chmod 0700 uninstall.ddos
[root@map007 ~]# ./uninstall.ddos

4) Configure APF and IPTABLES to reduce the DDOS.
