Looking for some DDOS protection tool, what do you use, how did you configured it?

10 posts / 0 new
Last post
#1 Wed, 11/12/2014 - 02:32
fakemoth
fakemoth's picture

Looking for some DDOS protection tool, what do you use, how did you configured it?

Hey, well... lately I am getting random DOS attacks, nothing big but sometimes those are doing their job. It's not like a full blown DDOS, but a single IP, from time to time, tries this against my servers.

Let's start here a discussion about the best solution and how can one implement it. What I tried:

-DDOS deflate: ancient script, still working nothing to do with it's age; but it is very limited, basically just counts the connections (netstat) via a cron job and above a certain threshold it writes in iptables a DROP rule. Biggest problem - it is broken and you can't whitelist yourself, your big clients behind a single IP, you get it, you and your most important users have to suffer;

-Citadel: announced as a DDOS deflate replacement, exactly for the above reasons. But it just doesn't work, sometimes you get an email, but no rules in iptables; easy to install/configure but for some weird reason doesn't play nicely with me. Man, I mean... I asked a friend to DOS me and it just kept going :)

-Apaches mod_evasive: tried to configure, didn't work, I should get back to this one. But it's only for apache; can it write (I think not) a rule in iptables?

-Iptables: same concept, it allows a predefined number of connections, most of the people use that - problem is it can be pretty complex and on a busy server you get huge CPU loads, and as the list of the banned IPs grows (I also use Fail2Ban for SSH, SASL, Postfix, and Proftpd with multiport all protocols permanent ban, which really lowers the attack surface and uses a lot less resources) you need scripts to flush the rules - it doesn't cut it for me;

-Fail2BAN: again, nice little tool, watches the logs for multiple connections from the same IP, but it doesn't work for some reason with Virtualmins multiple paths to log files which is something like (default) /home/*/logs/access_log. In fact if I throw anywhere an * in the paths it stops working.

Is there any Open Source tool that I missed? One that runs on Centos 6.x with iptables? How do you people mitigate small DDOS (except for the obvious manual methods), without using a CDN and stuff?

Wed, 11/12/2014 - 15:12
andreychek

Howdy,

I'm hoping you receive some comments from folks using these tools -- it would be an excellent discussion!

I'll offer though that Virtualmin actually uses /var/log/virtualmin/ now for all the Apache log files. Anything in $HOME/logs/ is just a symlink pointing there. That change occurred a few years back, though if you have a system that's been running longer than that it's possible it's still using the old log file locations.

But that may make things easier for setting up fail2ban.

-Eric

Thu, 11/13/2014 - 01:09
fakemoth
fakemoth's picture

Yes indeed, it would be very usefull as DDOS it is the second problem online after brute force/dictionary attacks, which sometimes also result in a DOS. But given one with limited resources could hardly protect himself from a true DDOS attack, maybe it's the most important one.

First let me :-O :-O :-O because I don't have a virtualmin directory in /var/log/ ! And I am pretty sure I am on latest Centos 6.6 x86_64 fully updated, installed OS/Virtualmin/Cloudmin etc around 6.2-6.3. And using pretty much defaults to everything log related. I mean I didn't changed the location. Maybe (for sure) this is saved in backups and restored also, as I am using Virtualmin from its begginings.

Every access log is a file, not a symlink in /home/someuserhere/logs/access_log. And I love this BTW.

Using:

rpm -q fail2ban fail2ban-0.8.14-1.el6.noarch uname -a Linux ns1.blaaaaaaaa.ro 2.6.32-504.1.3.el6.x86_64 #1 SMP Tue Nov 11 17:57:25 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Don't take the name of root in vain...

Thu, 11/13/2014 - 09:30
andreychek

It looks like CentOS 6.2 came out a little over two years ago... so unfortunately, that was likely installed just before the new log locations :-/

With any new install, you should have a /var/log/virtualmin dir, and that solves a few different problems, including the one you're looking into here with using fail2ban.

-Eric

Thu, 11/13/2014 - 11:39
Joe
Joe's picture

I suspect it's pretty easy to move the logs to the new location and naming convention, though I've never done it before (we've got a couple of systems still using the old convention, but haven't run into the problems that caused the change as of yet). I might give it a go on one of them soon, to see if it's something that's easy to script.

--

Check out the forum guidelines!

Thu, 11/13/2014 - 13:08
andreychek

Howdy,

It actually is possible to migrate from the old logging system to the new one. There's a description of that process here in the section "Convert server using writelogs.pl to storing logs in /var/log/virtualmin/":

https://virtualmin.com/documentation/developer/cli_examples

Note that you'd also want to go into System Settings -> Server Templates -> Default -> Apache, and in there you would set the ErrorLog and CustomLog entries so that they look like this:

ErrorLog /var/log/virtualmin/${DOM}_error_log
CustomLog /var/log/virtualmin/${DOM}_access_log combined
Sat, 11/15/2014 - 10:03
fakemoth
fakemoth's picture

It's fine, I don't really need to move the logs. So what about the DDOS protection tools, what does the Virtualmin team use by the way?

Don't take the name of root in vain...

Sat, 11/15/2014 - 21:44 (Reply to #7)
Joe
Joe's picture

We have fail2ban deployed across some of our systems. And, I've got mod_security installed on some of the websites that are most sensitive web sites. But, neither is really gonna be effective against a strong DDoS coming from a big botnet.

I don't actually know what the current modern techniques for DDoS mitigation look like. It's not been a major problem we've experienced, so far; I guess if we were to be hit with one, we'd talk to CloudFlare (they were funded by Y Combinator, who we received a little money from many years ago, so I'd guess we can get a discount or at least extra nice treatment), until we could research and deploy an independent implementation or until the folks targeting us got tired of attacking an Open Source project. The closest thing to a DDoS we currently experience is people running overly aggressive mirrors of our software repositories (where they're downloading the whole thing every day, for example; one of these days I'll track them down and help them get it setup to rsync instead).

It's more on our radar lately (as you may note we've included a module for fail2ban in Webmin, and we're about to add packages for those systems that don't have it in their system repositories). It's a good tool within it's territory. Again, not really gonna mitigate a serious DDoS with firewall rules, but it'll help a bit, I guess.

--

Check out the forum guidelines!

Sun, 11/16/2014 - 00:56
fakemoth
fakemoth's picture

Yes of course I noticed the module, I am the one the lobbyed you to death with this one :) https://www.virtualmin.com/node/13841

OK - so there is one vote for Fail2Ban. Anyone using something else?

Don't take the name of root in vain...

Thu, 01/08/2015 - 08:59
fakemoth
fakemoth's picture

Wrote this also to the Linux Action Show and TechSNAP guys. And it made it to TechSNAP :) http://youtu.be/jmMI87tBCZA?t=57m

So the answer is... kinda' all of them plus a reccomendation for CSF; thought about trying this one, but I will do it when I'll reinstall the OS > CentOS 7.x

Don't take the name of root in vain...

Topic locked