APF + BFD + DDOS + Rootkit

powerdomein

Guys,

For good security on your server, install the following modules.

Mod Security: http://www.directadmin.com/forum/sh...perpage=20&highlight=modSecurity&pagenumber=1

APF = Firewall, very easy to configure
BFD + DDoS = Detects DDoS attacks and blocks the IP
Rootkit = Searches your server for spyware and junkware.

HOW TO :


For those of us who admin a server, we all know the pain in the ass of kiddies trying their DoS attacks and trying to brute-force your services. Some people will tell you there is no way to stop either 100%, but there is. First and foremost, you should have a secure and sensible server configuration: you should not have any services running that you do not need, as the more services are active, the greater the chance of one being exploitable. Lots of people swear by the Apache mod_evasive, but there are better alternatives, as all mod_evasive does is give the attacker a 403 error when they make too many requests too fast.

First off ssh to your server as root.
Code:
cd /usr/local/src

Code:
wget http://rfxnetworks.com/downloads/apf-current.tar.gz

Code:
tar -zxf apf-current.tar.gz

Code:
cd apf-0.*

Code:
./install.sh

This will install APF; then you need to set your config parameters.


Code:
pico -w /etc/apf/conf.apf

Scroll down to the "Common ingress (inbound) TCP ports" section. At this point you need to find the correct configuration for your control panel.

-----DirectAdmin-----
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"


Find the line for activating antidos and change it to on. Then

Code:
pico /etc/apf/ad/conf.antidos

Then find devel mode and leave it at 1 to make sure you do not get locked out; when you know everything is OK, come back and turn it off.

There are various things you might want to fiddle with, but I'll go over the ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts

# User for alerts to be mailed to
USR="[email protected]"
Enter your email address to receive the alerts

Save your changes! Ctrl+X then press Y
Then start your firewall to make sure everything is OK.
APF usage:
usage apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

Now
Code:
cd /usr/src

Code:
wget http://www.r-fx.ca/downloads/bfd-current.tar.gz

Code:
tar -zxf bfd-current.tar.gz

Code:
cd bfd-*   # the tarball unpacks into a versioned bfd-<version> directory; the installer must be run from inside it

Code:
./install.sh

The configuration file for BFD is located at '/usr/local/bfd/conf.bfd'; it is
very straightforward and the comments themselves explain what each option
is for. Of the options, you should ideally configure the ALERT_USR toggle to
enable or disable user email alerts and likewise, in conjunction, configure the
EMAIL_USR var with the email addresses you would like to receive alerts at.

An ignore file is present at '/usr/local/bfd/ignore.hosts'; this is a line-
separated file to place hosts into that you would like to be ignored for
authentication failures. An internal function will attempt to fetch all
local IPs bound on the installed system and therein internally ignore
events appearing to be from such addresses.

Now go back to /usr/src

Code:
cd /usr/src

Code:
wget http://www.inetbase.com/scripts/ddos/install.sh

Code:
sh install.sh

The config file is in /usr/local/ddos/ddos.conf; set your max connections, alerts and such in there.

The usage is pretty self explanatory

Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections

Congratulations you now have dos and brute force protection and an easy to use firewall interface.

Rootkit:
How do I install Rootkit Hunter?
Download the gzipped tarball, extract it and run the installation script.

download:
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
Note: It doesn't matter where you save the tarball

extract:
# tar zxf rkhunter-<version>.tar.gz

installation:
# cd rkhunter
# ./installer.sh


(Source: http://www.evolution-security.com/)
(Source: http://www.rootkit.nl/articles/rootkit_hunter_faq.html)
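Added example (my own, not code from the post above or from APF): a pre-flight check for the IG_TCP_CPORTS line before you run apf -s. A fused token like the "587953" that the DirectAdmin list is easily posted with is not a port at all, and it is better to catch that here than to discover it from an iptables rule that never loaded. The same check makes sure the sshd port is actually in the list, so loading the policy cannot lock you out. The port lists below are constructed for the example; the APF range syntax LOW_HIGH and the variable name are as used by conf.apf.

```shell
#!/bin/sh
# Added example, not code from the original post or from APF: sanity-check an
# APF port list before "apf -s". Rejects non-ports (such as a fused "587953"),
# bad ranges and empty tokens, and refuses a list that omits the sshd port.

# Return 0 if $1 is an integer in 1..65535, 1 otherwise.
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if every comma-separated token of $1 is a port or an APF-style
# range LOW_HIGH (LOW < HIGH). Prints the first offending token and returns
# 1 otherwise. Empty tokens ("22,,25", leading or trailing comma) are rejected.
valid_port_list() {
    case $1 in
        ''|*,,*|,*|*,) echo "empty token in list"; return 1 ;;
    esac
    # split the list on commas into this function's positional parameters
    set -- $(printf '%s' "$1" | tr ',' ' ')
    for tok in "$@"; do
        case $tok in
            *_*)
                low=${tok%%_*}; high=${tok#*_}
                if ! port_ok "$low" || ! port_ok "$high" || [ "$low" -ge "$high" ]; then
                    echo "bad range: $tok"; return 1
                fi ;;
            *)
                if ! port_ok "$tok"; then
                    echo "bad port: $tok"; return 1
                fi ;;
        esac
    done
    return 0
}

# Return 0 if port $2 appears as an exact token of list $1 (ranges are not
# expanded, so a port covered only by a range counts as missing).
list_has_port() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Pre-flight: the list must be valid and must contain the sshd port.
# Usage: apf_preflight TCP_LIST SSH_PORT
apf_preflight() {
    valid_port_list "$1" || return 1
    if ! list_has_port "$1" "$2"; then
        echo "sshd port $2 is not in IG_TCP_CPORTS: loading this policy would lock you out"
        return 1
    fi
    return 0
}

# Pull a quoted variable out of a conf.apf-style file: read_apf_var FILE VAR
read_apf_var() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Constructed samples: the DirectAdmin list with 587 and 953 fused into one
# token, and the corrected list.
POSTED_TCP="21,22,25,53,80,110,111,143,443,587953,2222,3306,32769"
FIXED_TCP="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"

if apf_preflight "$POSTED_TCP" 22; then echo "posted list: OK"; else echo "posted list: rejected"; fi
if apf_preflight "$FIXED_TCP" 22; then echo "fixed list: OK"; else echo "fixed list: rejected"; fi
```

To use it on a real box, run `apf_preflight "$(read_apf_var /etc/apf/conf.apf IG_TCP_CPORTS)" 22` (with your real sshd port) before `apf -s`, and keep DEVEL_MODE on for the first run anyway, since the check only covers the port list, not the rest of the policy.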
 
antidos
sample here http://forums.rfxnetworks.com/viewtopic.php?t=809

Lots of admins, including my external support, say it will slow down your server, cause higher load, and has several bugs, especially the TRIG option. So they recommend installing APF+BFD but not antidos. I have this configuration.

For Apache you have a lot of modules for DoS and security.
 
Use DOS Deflate for anti-DoS; mod_evasive is only for the lightest socket floods. Or use them both, I do.
 
KISS Version 2.0, ready to use on CentOS 4
cd /usr/bin/
wget http://www.web4host.net/tools/kiss
chmod 700 kiss
chown root:root kiss

That's it! To get it running anywhere on the command line, you simply type:
kiss start
To stop the firewall, type:
kiss stop
To get status information, type:
kiss status
If you want to block an offender's IP address/subnet, simply edit the BLOCK_LIST variable in the /usr/bin/kiss file. You can separate IP addresses and subnets with a space. Once you are finished, simply restart KISS by typing:
kiss restart

Here you can find Version 2.1:
http://www.geocities.com/steve93138/


Wael
 
If you ever have problems with DoS or want to easily admin your firewall, I think APF is the way to go. More of an opinion thing, but I'd like to say I'm only on a Pentium 4 3.2 GHz, 1 GB RAM server with steady traffic and I have Turkey, Brazil, China, and most of Russia banned along with all the DShield updates, reserved IPs and private networks, and it never ever raises my load.
 
felosi said:
If you ever have problems with DoS or want to easily admin your firewall, I think APF is the way to go. More of an opinion thing, but I'd like to say I'm only on a Pentium 4 3.2 GHz, 1 GB RAM server with steady traffic and I have Turkey, Brazil, China, and most of Russia banned along with all the DShield updates, reserved IPs and private networks, and it never ever raises my load.
When your server is gone:
netstat -nt | grep :80 -c
2578
You need to restart APF in cron to keep the firewall working fine or you will see an error page on all sites :)

mod_evasive works better than APF antidos.

Wael
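The netstat count above is the whole idea behind the DOS Deflate cron job: count connections per remote IP and block whoever is over the limit. Here is that logic as an added example of my own (not code from the thread, from DOS Deflate or from APF), run over a constructed netstat -ntu sample so you can try it offline. The addresses are RFC 5737 documentation ranges, the limit and the whitelist are made up for the demo, and the block only prints the apf -d commands rather than running them.

```shell
#!/bin/sh
# Added example, not code from the thread or from DOS Deflate / APF: per-IP
# connection counting over netstat -ntu output, with a whitelist, emitting
# the apf deny commands for anyone over the limit.

# Constructed sample of `netstat -ntu` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51238      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.20:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.20:40002        ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.20:40003        ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.20:40004        TIME_WAIT
tcp        0      0 203.0.113.10:22         198.51.100.9:5000       ESTABLISHED
udp        0      0 203.0.113.10:53         198.51.100.9:5001       ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:46000         ESTABLISHED'

# Print "COUNT IP" for every foreign IPv4 address with more than $1
# connections, highest first. Reads netstat -ntu output on stdin; only the
# tcp/udp rows are counted and the port is stripped from the foreign address.
top_talkers() {
    awk -v max="$1" '
        $1 ~ /^(tcp|udp)/ {
            split($5, a, ":")      # "198.51.100.7:51234" -> a[1] = "198.51.100.7"
            conns[a[1]]++
        }
        END {
            for (ip in conns)
                if (conns[ip] > max) printf "%d %s\n", conns[ip], ip
        }' | sort -rn
}

# Print (do not run) the apf deny commands for talkers above $1, skipping any
# IP in the space-separated whitelist $2 (monitoring hosts, the box itself).
# Reads netstat output on stdin. Pipe the output to sh to actually enforce.
deny_commands() {
    n=$1; whitelist=$2
    top_talkers "$n" | while read -r count ip; do
        case " $whitelist " in
            *" $ip "*) continue ;;
        esac
        printf 'apf -d %s "%s connections over limit %s"\n' "$ip" "$count" "$n"
    done
}

# Demo: limit 3, whitelisting localhost and a known monitoring host.
printf '%s\n' "$SAMPLE_NETSTAT" | deny_commands 3 "127.0.0.1 192.0.2.20"
```

On a live server the stdin would be `netstat -ntu | deny_commands 150 "$(hostname -i) 127.0.0.1"` from cron, the same 150 default ddos.sh uses. Two things the count does not tell you: SYN_RECV rows with spoofed sources will get innocent addresses blocked, and one NAT gateway with many real users looks exactly like one attacker, which is why the whitelist exists.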
 
@how@ said:


True :), it has been a while since I installed this, but the good news is that it never gave me problems. So I would say, go for KISS if you want to keep it simple...

Regards,
Ed,
 
You also might want to add TCP port : 587
(alternative port for exim)
 
I see that my server is under SSH attack.

Every day I get one or more Brute Force Attack emails with different IPs which tried to get SSH access as root, admin, test, guest. I also see that they are busy for about 40 or 60 minutes trying logins and passwords, and the system doesn't ban them immediately but 40 or 60 minutes later.

How can I change the config files (which files?) so that people only get 5 tries to get access on SSH and are banned if they use wrong (fake) info? Or, when they keep going for 5 minutes with wrong usernames or passwords, also banned?

Let me know?
 
You can set the TRIGGER in /usr/local/bfd/rules/sshd
#TRIG="10"
TRIG="3"
... but you have to wait for the blocking job of BFD (BFD cron time: 4 minutes), so it is possible they tried a lot of times between 2 checks.

You can change the sshd config too: allow only one IP at a time, reduce login time, restrict IPs, add a delay...

You can try http://denyhosts.sourceforge.net/

You can use knock
http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

You can change ssh port

Possibly I forgot some evident idea ;-)
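Since the reply above points at sshd_config as the second half of the fix, here is an added example of my own (not code from the thread or from OpenSSH) that audits an sshd_config for exactly those settings: port, root login, password authentication, guesses per connection and allowed users. The thresholds, the wording of the findings, and the defaults assumed for keywords that are missing from the file (old OpenSSH: PermitRootLogin yes, PasswordAuthentication yes, MaxAuthTries 6, Port 22) are assumptions of this example, so check them against your own sshd version. The two config samples are constructed, not real server files.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: audit an
# sshd_config read on stdin for the weak settings discussed in the thread.
# Defaults assumed for absent keywords are this example's assumption
# (old OpenSSH); adjust for your version.

# Print one finding per weak setting; return 1 if anything was found, 0 if
# clean. sshd honours the FIRST occurrence of a keyword, so the audit does
# too: a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes"
# changes nothing, and this catches that mistake.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { k = tolower($1); if (!(k in v)) v[k] = $2 }
        END {
            if (!("permitrootlogin" in v))        v["permitrootlogin"] = "yes"
            if (!("passwordauthentication" in v)) v["passwordauthentication"] = "yes"
            if (!("maxauthtries" in v))           v["maxauthtries"] = 6
            if (!("port" in v))                   v["port"] = 22
            bad = 0
            if (tolower(v["permitrootlogin"]) == "yes") {
                print "PermitRootLogin yes: root can be brute-forced directly"; bad++ }
            if (tolower(v["passwordauthentication"]) == "yes") {
                print "PasswordAuthentication yes: move to keys, then turn passwords off"; bad++ }
            if (v["maxauthtries"] + 0 > 3) {
                print "MaxAuthTries " v["maxauthtries"] ": more guesses per connection than a BFD trigger of 3"; bad++ }
            if (v["port"] + 0 == 22) {
                print "Port 22: every scanner hits the default port (add the new port to APF before moving)"; bad++ }
            if (!("allowusers" in v) && !("allowgroups" in v)) {
                print "no AllowUsers/AllowGroups: every local account is a valid login target"; bad++ }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed samples (not real server files). The weak one carries the
# classic mistake: a hardening line appended below the line it should replace.
WEAK_CONF='Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# appended later, too far down to matter:
PermitRootLogin no'

HARDENED_CONF='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers admin'

printf '%s\n' "$WEAK_CONF" | audit_sshd_config || echo "weak config: fix before restarting sshd"
printf '%s\n' "$HARDENED_CONF" | audit_sshd_config && echo "hardened config: clean"
```

Run it as `audit_sshd_config < /etc/ssh/sshd_config` and, after any change, `sshd -t` before restarting. Keep the session you are in open and test a second login on the new port, with the port already added to IG_TCP_CPORTS, before you close it.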
 
powerdomein said:

How can I change the config files (which files?) so that people only get 5 tries to get access on SSH and are banned if they use wrong (fake) info? Or, when they keep going for 5 minutes with wrong usernames or passwords, also banned?

Let me know?

Don't know about this, but what I did is change the default port 22 to another one in /etc/ssh/sshd_config (don't forget to update your firewall if you have one, otherwise you will lock yourself out).

Ed,
 