Mitigating DDOS and Active Hacking Attempts

4 posts / 0 new
Last post
#1 Sat, 02/03/2018 - 23:56
Shinzan

Mitigating DDOS and Active Hacking Attempts

So I came to Virtualmin from VHCS then ICP Omega then IMSCP so I've been using open source control panels for a while and two things:

1) This project is great, and has great people running it and a great community 2) I have been plagued with CPU Spikes from time to time which I can't explain

Well after really diving into this for about a year and with some help from support tickets I think i've finally arrived at the point that these are DDOS attacks

They come on fast last a day or two days or less then miaculously clear up.

The load on the server could be 1.5 to 129!!!! with a 1.9 Xeon 6 cores!

So I looked into Comodo and then Cloudflare but I dont know how many of you all are using ConfigServer Security & Firewall but I recommend it highly, it works with Virtualmin.

Easy to ban IPs you can set it up to auto ban ips based on criteria. But the thing I like the most is Ban all countries explicate or implicate.

Once installed if you are under attack you can dissallow all connections except by your home country, simplly with one line in the csf.conf

Just wanted to share it with the community!

David

This a piece of that file

# Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
# and entirely relies on that service being available
#
# Specify the the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""
Sun, 02/04/2018 - 05:46
Diabolico
Diabolico's picture

You cant prevent a DDoS with any software and only solution is hardware protection and a lot of bandwidth. Thats why DDoS protection isnt cheap. This is a fact just to make this part clear. What you can do is prevent bruteforce and/or hacking attempts and for this is enough Fail2Ban, CSF or some other similar software. Banning IP's during DDoS will do no good as all of them will still hit your server and overload your firewall what as consequence will overload your CPU... and the chain reaction will unroll making your server unresponsive. More rules (IP's) you have inside your firewall more of the CPU will be used, because each time IP try to connect your server must check that IP against all the rules before accepting or blocking this connection.

During a real DDoS attack the amount of IP's hitting your server can reach thousands of them per second making even more requests per second. When this happens server CPU will immediately overload crashing almost anything installed on the server... including any software used as protection (F2B, CSF, modsecurity...).

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sun, 02/04/2018 - 10:16 (Reply to #2)
Shinzan

Well that sucks then so the only solution is to use a service like Comodo or Cloudflare or something like that?

Is it just a matter of letting them take over DNS Name Servers then at the Registrar level?

How do I stop a DDOS that is just straight attacking my ip and not a website?

Mon, 02/05/2018 - 11:31
Diabolico
Diabolico's picture

How do I stop a DDOS that is just straight attacking my ip and not a website?

OVH and Hetzner have DDoS protection as part of their offer, e.g. no need to pay anything extra for that. But keep in mind this isnt the top DDoS protection on the market. They are almost same in quality, still i think OVH is slightly better than Hetzner because of better network. This are the two cheapest hosting companies that i know who offer "decent" DDoS protection but forget any support if the problem isnt hardware or network failure, e.g. no hand holding one bit.

For real DDoS protection be prepared to pay 1000-2000$+/month for just one protected IP... if you really want best of the best. But i think the DDoS protection from earlier mentioned hosting companies should be enough for you.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Topic locked