Tuesday, November 10, 2009

HOWTO: Setup Ubuntu as a wireless router

SkyHi @ Tuesday, November 10, 2009
Update: this is now working.
It looks like my issue with bridging was and is a hardware issue.
The Atheros card will not come on-line after a reboot, but will come up on a hard power cycle.

My first How To, and it is kind of long.

Basically I was sick of my Linksys router being to slow and I decided I wanted some more power.

This took a long time to work through and get running. Hopefully I got it all.

First off you will need a spare machine, some NICs and a lot of patience. Also a working knowledge of nano and the console would be nice.

My Hardware Specs:
Old Micron Desktop Computer with everything onboard/built in
Celeron 400 MHZ
384mb RAM
40GB HDD
Atheros based cheap wireless NIC from Compusa
2 Realtek 10/100 NICs

I chose the Atheros card because it was laying around in storage gathering dust. I also have a nice 10db antenna that hooks up to it.

For comments or complaints email me.
pedalwrench007 at gmail dot com

Here goes and have fun:

GOAL

To have a seamless replacement for my Linksys WRT54G with more wireless range and more control.

INITIAL

Install the basic Ubuntu Server [NO DNS or LAMP]
Enable the Universe Repo
apt-get update

Since this is a long How to you should just be root to config the server.

type the command:
Code:

sudo su -

and enter your password...

SETUP THE NETWORK
3 interface setup

my eth0 is broken and on-board so I had to add a card [YMMV]
eth1 is the WAN interface (gateway)
eth2 is the LAN interface
ath0 is the wireless card
br0 is the bridged connection of ath0 and eth2

Setup bridging
Code:

apt-get install bridge-utils

Then edit the network config
Code:

nano /etc/network/interfaces

Code:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

#MY BROKEN INTERFACE (3com on-board)
#auto eth0
#iface eth0 inet dhcp
#pre-up iptables-restore < /etc/iptables.conf

# Gateway
# You should set this to DHCP if your cable/DSL ISP provides it.
# the "pre-up" command brings up the iptables "firewall"
# it is just set to static for testing purposes. see eth0 for DHCP setup.
auto eth1
iface eth1 inet static
address 192.168.1.17
netmask 255.255.255.0
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.conf

#Wireless Setup
auto ath0
iface ath0 inet manual
wireless-mode master
# CHANGE ME!!! to your own ESSID
wireless-essid pivotpoint

#Bridge interface
auto br0
iface br0 inet static
address 10.1.1.1
network 10.1.1.0
netmask 255.255.255.0
broadcast 10.1.1.255
bridge-ports eth2 ath0

WIFI SETUP

Atheros card setup for routing
[resource = https://help.ubuntu.com/community/Router/Madwifi]
You have to install the Source to get the driver into Master mode for a WAP

Code:

wget http://umn.dl.sourceforge.net/sourceforge/madwifi/madwifi-0.9.2.1.tar.gz
tar -xvzf madwifi-0.9.2.1.tar.gz
cd madwifi-0.9.2.1
apt-get install build-essential linux-headers-server
make
make install

Edit your kernel modules loaded at boot time:

Code:

nano /etc/modprobe.d/madwifi

add this to make sure the wireless card goes into Master mode:

Code:

options ath_pci autocreate=ap

FIREWALL

run these commands:
[resource = https://help.ubuntu.com/6.10/ubuntu/...iguration.html ]

[NOTE: ETH1 is the gateway interface. YMMV]

Code:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j MASQUERADE
iptables -A FORWARD -s 10.1.1.0/24 -o eth1 -j ACCEPT
iptables -A FORWARD -d 10.1.1.0/24 -m state --state ESTABLISHED,RELATED -i eth1 -j ACCEPT

for logging add:

Code:

iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log.

save to /etc/iptables.conf

Code:

iptables-save > /etc/iptables.conf

NOTE: This is a basic setup that only routes NAT packets. Please read up on firewalli
ng to protect your machine.

# Enable packet forwarding in the Kernel

Code:

nano /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
Code:

net.ipv4.conf.forwarding=1


NOTE: Ubuntu has this for default:
#net.ipv4.conf.default.forwarding=1

Make sure you remove the word "default." there is no need for it

DHCP SERVER SETUP

A basic 10 machine DHCP server. Nothin' fancy

Install DHCP server:
Code:

apt-get install dhcpd

Config the server:
Code:

nano /etc/dhcpd.conf

Code:

# MY BASIC CONFIG /etc/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;

#CHANGE THIS TO YOUR DNS SERVERS
option domain-name-servers 68.87.69.146, 67.87.85.98;
option domain-name "youdomainnamehere.com";

#Subnet for DHCP Clients
subnet 10.1.1.0 netmask 255.255.255.0 {
# range of 10 machines
range 10.1.1.50 10.1.1.60;
option subnet-mask 255.255.255.0;
option broadcast-address 10.1.1.255;
option routers 10.1.1.1;
}

You also need to edit /etc/default/dhcp file to specify the interfaces dhcpd
should listen to. By default it listens to eth0. We need to only have it listen to our local NIC {br0}

Code:

nano /etc/default/dhcp

Then add br0 like so:

Code:

INTERFACES="br0"

INSTALL MONITORING

Darkstat

Stats with a http server

Code:

apt-get install darkstat

edit the config

Code:

nano /etc/darkstat/init.cfg

Code:

# Turn this to yes when you have configured the options below.
START_DARKSTAT=yes

# Don't forget to read the man page.

# You must set this option, else darkstat may not listen to
# the interface you want
INTERFACE="-i eth1"

PORT="-p 8888"
#BINDIP="-b 127.0.0.1"
#LOCAL="-l 10.1.1.0/24"
#FIP="-f 127.0.0.1"
#DNS="-n"
#SPY="--spy eth1"

To see this point a browser to http://10.1.1.1:8888

Saidar

a neat little ap that shows server usage

Code:

apt-get install saidar

then

Code:

saidar

OTHER OPTIONAL

Disabling IPv6 for some speed improvments


Code:

nano /etc/modprobe.d/aliases

Comment out this line:
Code:

alias net-pf-10 ipv6

Save the file then

Code:

nano /etc/modprobe.d/blacklist

Add this line:
Code:

blacklist ipv6

Save the file

FINISH

restart your computer. Hopefully everything worked. If so, back it up!

BACKUP

[Reference = http://doc.gwos.org/index.php/Backup_restore_system ]
Code:

sudo su -
cd /
tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/media --exclude=/mnt --exclude=/dev --exclude=/lost+found --exclude=/backup.tar.bz2 --exclude=/tmp --exclude=/sys /

You will then have a tar ball that is your server all wrapped up in a bundle.
Store in a cool dry place.

FUTURE GOALS

Add Squid, and DNS-Masq.
Add Port Forwarding


References:
https://help.ubuntu.com/community/Br...workInterfaces https://help.ubuntu.com/community/Ub...lessRouter/New
http://www.netfilter.org/documentati...ing-HOWTO.html http://www.debianadmin.com/monitor-y...th-saidar.html https://help.ubuntu.com/6.10/ubuntu/...e/C/index.html http://www.debianadmin.com/network-t...tu-system.html

VERSION:
0.1 3-11-2007 - Re-Write. Setup is a little different. Changed firewall config, deleted squid, and dns-masq.
0.0 3-4-2007 - Initial write-up
Last edited by pedalwrench; March 11th, 2007 at 04:53 PM.. Reason: Spell Check


Reference: http://ubuntuforums.org/showthread.php?t=376283

Monday, November 9, 2009

mod_evasive + IE problem

SkyHi @ Monday, November 09, 2009
Description

When server has mod_evasive installed and Xihna is used in Internet Explorer, then user IP is blocked by server and user can't use editor. This is caused by buggy IE loading images in javascript (it loads images at each request). mod_evasive protect from loading one url more often than 2-5 times on 2 second interval (depends on config). After counter is more than 2-5, user ip is blocked.

Solution: Slice images/ed_buttons_main.gif to be a one gif per button (and maybe other, but I found only this one).

Used version of editor:

Release: 0.931 (2007-05-16) Head: http://svn.xinha.python-hosting.com/trunk/XinhaCore.js Revision: 819 Last Changed By: ray


Reference: http://xinha.webfactional.com/ticket/1062

Trying to stop a DDoS

SkyHi @ Monday, November 09, 2009
Trying to stop a DDoS
Because a null-route to an ip is not a solution, it is a kludge.

1) it is based on real attacks.
2) there is not anything of theory, single part practice.

A--->Detecting the attack

1) using the command netstat


Code:
netstat -an | grep :80 | sortCode:
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'Code:
netstat -n -p|grep SYN_REC | wc -lCode:
netstat -lpn|grep :80 |awk '{print $5}'|sortCode:
netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -nAttack example SYN_RECV or SYN Flooding to the Apache (port 80).

Quote:
192. 168. 0. 3 are the ip of the Apache servant and 192. 168. 0. 105 are the ip of the" attacker."

Code:
tcp 0 0 192.168.0.3:80 192.168.0.5:60808 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60761 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60876 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60946 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60763 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60955 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60765 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60961 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60923 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61336 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61011 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60911 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60758 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60828 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61114 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61074 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60826 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60959 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60900 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60940 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60920 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60825 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60945 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60913 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61009 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60755 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60904 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61583 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60910 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60915 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60827 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61458 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60908 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61007 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60927 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60951 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60942 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61113 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60909 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60822 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60894 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60952 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60928 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60936 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60906 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61466 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60919 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60914 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60926 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60939 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60931 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60831 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60823 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60954 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60916 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60963 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60947 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61006 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60933 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60950 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60895 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60917 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61480 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60935 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60960 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60767 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60918 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60821 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61077 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60905 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61517 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60893 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60953 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60903 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61439 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61337 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61545 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61299 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61010 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60930 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60744 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60929 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60754 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61008 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61116 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60811 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60807 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60938 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60764 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60873 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60817 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61550 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60748 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60956 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60753 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61115 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60741 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61075 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60948 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60829 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60943 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61338 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60762 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60824 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60830 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61535 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60898 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60815 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60962 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60957 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60944 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60921 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60759 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60897 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61518 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60958 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60922 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60937 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60875 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60766 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60751 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60768 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60743 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:61076 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60912 SYN_RECV
tcp 0 0 192.168.0.3:80 192.168.0.5:60816 SYN_RECVexample of SYN Attack to the Apache.

2) looking at the server-status of the Apache

If we look at the server-status of the Apache we will see connections in state" Reading" (" R" Reading Request).

The problem is that when the number of connections" Reading" full the" MaxClients" of the Apache it doesn't accept new petitions, for that that the new clients, although they are legitimate, they won't be accepted.

We can increase the value of the" MaxClients" so that is not filled the line of petitions and accept all the clients, be attackers or no.

Another good measure is to lower the value of the" Timeout" of the Apache so that the petitions" Reading" they are" killed" quickly, before the MaxClients can be filled to its end.

3) looking at the logs of the mod_evasive


Quote:
Jun 22 18:24:04 lan mod_evasive[3835]: Blacklisting address 82.228.169.50: possible attack.
Jun 22 18:24:45 lan mod_evasive[3600]: Blacklisting address 81.206.164.163: possible attack.
Jun 22 18:25:46 lan mod_evasive[3589]: Blacklisting address 155.232.250.19: possible attack.
Jun 22 18:27:23 lan mod_evasive[3671]: Blacklisting address 83.227.217.2: possible attack.
Jun 22 18:28:10 lan mod_evasive[3673]: Blacklisting address 68.187.171.89: possible attack.
Jun 22 18:29:57 lan mod_evasive[3605]: Blacklisting address 70.143.2.130: possible attack.
Jun 22 18:30:45 lan mod_evasive[3803]: Blacklisting address 69.157.93.88: possible attack.
Jun 22 18:31:45 lan mod_evasive[10397]: Blacklisting address 146.64.81.22: possible attack.
Jun 22 18:35:01 lan mod_evasive[3794]: Blacklisting address 66.38.192.134: possible attack.
Jun 22 18:35:15 lan mod_evasive[3553]: Blacklisting address 81.190.204.64: possible attack.
Jun 22 18:40:10 lan mod_evasive[16602]: Blacklisting address 64.231.39.129: possible attack.
Jun 22 18:48:04 lan mod_evasive[16479]: Blacklisting address 84.99.195.100: possible attack.
Jun 22 18:48:12 lan mod_evasive[16467]: Blacklisting address 201.0.10.142: possible attack.
Jun 22 18:52:57 lan mod_evasive[16573]: Blacklisting address 219.95.39.242: possible attack.
Jun 22 18:53:07 lan mod_evasive[16534]: Blacklisting address 86.129.3.91: possible attack.
Jun 22 18:53:26 lan mod_evasive[16527]: Blacklisting address 62.254.0.32: possible attack.
Jun 22 18:54:41 lan mod_evasive[30473]: Blacklisting address 24.196.199.191: possible attack.
Jun 22 18:55:17 lan mod_evasive[30520]: Blacklisting address 142.161.157.227: possible attack.
Jun 22 18:55:24 lan mod_evasive[30461]: Blacklisting address 65.92.145.133: possible attack.
Jun 22 18:55:33 lan mod_evasive[30509]: Blacklisting address 88.111.227.200: possible attack.
Jun 22 18:56:13 lan mod_evasive[30473]: Blacklisting address 69.199.94.227: possible attack.
Jun 22 18:57:45 lan mod_evasive[30517]: Blacklisting address 86.125.135.212: possible attack.
Jun 22 18:57:54 lan mod_evasive[30479]: Blacklisting address 84.192.141.65: possible attack.
Jun 22 18:58:46 lan mod_evasive[30527]: Blacklisting address 83.140.97.106: possible attack.
Jun 22 18:59:31 lan mod_evasive[30469]: Blacklisting address 82.173.216.196: possible attack.
Jun 22 19:00:33 lan mod_evasive[30517]: Blacklisting address 80.176.157.245: possible attack.
Jun 22 19:00:38 lan mod_evasive[30470]: Blacklisting address 86.133.102.51: possible attack.
Jun 22 19:01:35 lan mod_evasive[30870]: Blacklisting address 24.42.134.253: possible attack.
Jun 22 19:01:48 lan mod_evasive[30509]: Blacklisting address 62.254.0.34: possible attack.
Jun 22 19:02:57 lan mod_evasive[31009]: Blacklisting address 81.227.219.125: possible attack.
Jun 22 19:03:29 lan mod_evasive[31056]: Blacklisting address 172.209.173.153: possible attack.
Jun 22 19:05:07 lan mod_evasive[31385]: Blacklisting address 84.6.12.110: possible attack.
Jun 22 19:06:52 lan mod_evasive[31008]: Blacklisting address 85.227.144.249: possible attack.
Jun 22 19:06:56 lan mod_evasive[31263]: Blacklisting address 213.222.156.222: possible attack.
Jun 22 19:07:13 lan mod_evasive[31393]: Blacklisting address 62.163.143.166: possible attack.
Jun 22 19:07:37 lan mod_evasive[31021]: Blacklisting address 62.135.101.73: possible attack.
Jun 22 19:08:03 lan mod_evasive[31251]: Blacklisting address 82.201.249.69: possible attack.
Jun 22 19:08:17 lan mod_evasive[31200]: Blacklisting address 81.62.65.53: possible attack.
Jun 22 19:11:04 lan mod_evasive[31263]: Blacklisting address 82.39.148.204: possible attack.
Jun 22 19:12:37 lan mod_evasive[31241]: Blacklisting address 213.222.154.13: possible attack.
Jun 22 19:13:54 lan mod_evasive[31027]: Blacklisting address 81.51.79.4: possible attack.
Jun 22 19:24:04 lan mod_evasive[31041]: Blacklisting address 84.221.118.156: possible attack.
Jun 22 19:48:47 lan mod_evasive[3400]: Blacklisting address 62.135.101.192: possible attack.
Jun 22 19:53:04 lan mod_evasive[31031]: Blacklisting address 62.30.33.13: possible attack.
Jun 22 19:54:32 lan mod_evasive[31016]: Blacklisting address 72.14.194.18: possible attack.
Jun 22 19:56:10 lan mod_evasive[31067]: Blacklisting address 198.96.34.58: possible attack.
Jun 22 20:03:24 lan mod_evasive[5144]: Blacklisting address 172.213.33.242: possible attack.
Jun 22 20:08:31 lan mod_evasive[5137]: Blacklisting address 83.241.11.16: possible attack.
Jun 22 20:21:59 lan mod_evasive[6645]: Blacklisting address 201.23.193.20: possible attack.
Jun 22 20:32:28 lan mod_evasive[7801]: Blacklisting address 212.38.134.172: possible attack.
Jun 22 20:45:46 lan mod_evasive[7836]: Blacklisting address 81.247.11.48: possible attack.
Jun 22 20:48:03 lan mod_evasive[7796]: Blacklisting address 70.245.98.186: possible attack.
Jun 22 20:49:38 lan mod_evasive[7832]: Blacklisting address 61.8.138.203: possible attack.
Jun 22 20:51:21 lan mod_evasive[7801]: Blacklisting address 201.132.197.161: possible attack.
Jun 22 20:57:18 lan mod_evasive[10426]: Blacklisting address 82.201.249.67: possible attack.
Jun 22 20:57:51 lan mod_evasive[7822]: Blacklisting address 81.77.26.162: possible attack.
Jun 22 21:00:25 lan mod_evasive[7817]: Blacklisting address 200.39.202.243: possible attack.
Jun 22 21:12:04 lan mod_evasive[7794]: Blacklisting address 84.27.139.25: possible attack.
Jun 22 21:22:27 lan mod_evasive[7816]: Blacklisting address 217.208.98.254: possible attack.

If it is at once a very distributed DDoS we will notice that many different ip's DoSean the Apache.

4) looking at the logs of the syslog (of Kernel).


Quote:
May 17 13:39:01 lan kernel: possible SYN flooding on port 80. Sending cookies.
May 17 13:39:02 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:39:35 lan kernel: NET: 4 messages suppressed.
May 17 13:39:35 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:39:38 lan kernel: NET: 1 messages suppressed.
May 17 13:39:38 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:39:43 lan kernel: NET: 6 messages suppressed.
May 17 13:39:43 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:39:48 lan kernel: NET: 4 messages suppressed.
May 17 13:39:48 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:39:52 lan kernel: NET: 9 messages suppressed.
May 17 13:39:52 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:39:57 lan kernel: NET: 15 messages suppressed.
May 17 13:39:57 lan kernel: ip_conntrack: table full, dropping packet.
May 17 13:40:01 lan kernel: possible SYN flooding on port 80. Sending cookies.


Lines to look:

Code:
possible SYN flooding on port 80. Sending cookies."Sending Cookies" if we have it activated in the /etc/sysctl.conf

# Enable TCP SYN Cookie Protection

Code:
net.ipv4.tcp_syncookies = 1It is sometimes better to disable it:

Code:
net.ipv4.tcp_syncookies = 0This way we can see the ip's of the attack:

Quote:
Jul 14 12:46:50 lan kernel: TCP: drop open request from 80.171.45.81/63069
Jul 14 12:46:55 lan kernel: NET: 1401 messages suppressed.
Jul 14 12:46:55 lan kernel: TCP: drop open request from 80.103.166.148/4403
Jul 14 12:46:59 lan kernel: NET: 1772 messages suppressed.
Jul 14 12:46:59 lan kernel: TCP: drop open request from 200.127.62.215/4019
Jul 14 12:47:05 lan kernel: NET: 2362 messages suppressed.
Jul 14 12:47:05 lan kernel: TCP: drop open request from 85.57.169.142/19899
Jul 14 12:47:11 lan kernel: NET: 2618 messages suppressed.
Jul 14 12:47:11 lan kernel: TCP: drop open request from 83.19.73.122/2710
Jul 14 12:47:14 lan kernel: NET: 898 messages suppressed.
Jul 14 12:47:14 lan kernel: TCP: drop open request from 80.235.39.64/3554
Jul 14 12:47:19 lan kernel: NET: 1120 messages suppressed.
Jul 14 12:47:19 lan kernel: TCP: drop open request from 80.171.45.81/62095
Jul 14 12:47:24 lan kernel: NET: 1714 messages suppressed.
Jul 14 12:47:24 lan kernel: TCP: drop open request from 84.62.152.44/34014
Jul 14 12:47:29 lan kernel: NET: 2274 messages suppressed.
Jul 14 12:47:29 lan kernel: TCP: drop open request from 200.127.62.215/3207
Jul 14 12:47:34 lan kernel: NET: 1552 messages suppressed.
Jul 14 12:47:34 lan kernel: TCP: drop open request from 80.103.166.148/4797
Jul 14 12:47:39 lan kernel: NET: 4044 messages suppressed.
Jul 14 12:47:39 lan kernel: TCP: drop open request from 80.235.39.64/2678
Jul 14 12:47:44 lan kernel: NET: 4360 messages suppressed.
Jul 14 12:47:44 lan kernel: TCP: drop open request from 80.103.166.148/1312
Jul 14 13:04:15 lan kernel: TCP: drop open request from 200.14.237.83/4787
Jul 14 13:04:22 lan kernel: NET: 147 messages suppressed.
Jul 14 13:04:22 lan kernel: TCP: drop open request from 81.38.172.161/4892
Jul 14 13:04:30 lan kernel: NET: 6 messages suppressed.
Jul 14 13:04:30 lan kernel: TCP: drop open request from 200.14.237.83/4934
Jul 14 13:04:30 lan kernel: TCP: drop open request from 200.14.237.83/4935
Jul 14 13:04:38 lan kernel: NET: 76 messages suppressed.
Jul 14 13:04:38 lan kernel: TCP: drop open request from 81.84.212.34/2861
Jul 14 13:04:40 lan kernel: NET: 269 messages suppressed.
Jul 14 13:04:40 lan kernel: TCP: drop open request from 200.14.237.83/3070
Jul 14 13:04:45 lan kernel: NET: 287 messages suppressed.
Jul 14 13:04:45 lan kernel: TCP: drop open request from 81.203.228.102/4400
Jul 14 13:04:50 lan kernel: NET: 98 messages suppressed.
Jul 14 13:04:50 lan kernel: TCP: drop open request from 81.84.212.34/3961
Jul 14 13:04:54 lan kernel: NET: 245 messages suppressed.
Jul 14 13:04:54 lan kernel: TCP: drop open request from 200.84.169.200/1183
Jul 14 13:05:00 lan kernel: NET: 1787 messages suppressed.
Jul 14 13:05:00 lan kernel: TCP: drop open request from 81.203.228.102/2050
Jul 14 13:05:04 lan kernel: NET: 3208 messages suppressed.
Jul 14 13:05:04 lan kernel: TCP: drop open request from 86.212.167.27/4720
Jul 14 13:05:09 lan kernel: NET: 2031 messages suppressed.
Jul 14 13:05:09 lan kernel: TCP: drop open request from 81.203.228.102/1794
Jul 14 13:05:14 lan kernel: NET: 2221 messages suppressed.
Jul 14 13:05:14 lan kernel: TCP: drop open request from 81.38.172.161/4908
Jul 14 13:05:21 lan kernel: NET: 730 messages suppressed.
Jul 14 13:05:21 lan kernel: TCP: drop open request from 81.203.228.102/1430
Jul 14 13:05:25 lan kernel: NET: 234 messages suppressed.
Jul 14 13:05:25 lan kernel: TCP: drop open request from 81.203.228.102/2939
Jul 14 13:05:30 lan kernel: NET: 1594 messages suppressed.
Jul 14 13:05:30 lan kernel: TCP: drop open request from 200.14.237.83/3876
Jul 14 13:05:36 lan kernel: NET: 633 messages suppressed.
Jul 14 13:05:36 lan kernel: TCP: drop open request from 86.212.167.27/1116
Jul 14 13:05:39 lan kernel: NET: 970 messages suppressed.
Jul 14 13:05:39 lan kernel: TCP: drop open request from 81.38.172.161/3040
Jul 14 13:05:45 lan kernel: NET: 548 messages suppressed.
Jul 14 13:05:45 lan kernel: TCP: drop open request from 81.203.228.102/2119
Jul 14 13:05:50 lan kernel: NET: 421 messages suppressed.
Jul 14 13:05:50 lan kernel: TCP: drop open request from 81.203.228.102/2478
Jul 14 13:05:56 lan kernel: NET: 379 messages suppressed.
Jul 14 13:05:56 lan kernel: TCP: drop open request from 81.203.228.102/4005
Jul 14 13:05:59 lan kernel: NET: 891 messages suppressed.
Jul 14 13:05:59 lan kernel: TCP: drop open request from 81.38.172.161/3568
Jul 14 13:06:04 lan kernel: NET: 2221 messages suppressed.
Jul 14 13:06:04 lan kernel: TCP: drop open request from 81.203.228.102/4532
Jul 14 13:06:09 lan kernel: NET: 243 messages suppressed.
Jul 14 13:06:09 lan kernel: TCP: drop open request from 81.203.228.102/1939
Jul 14 13:06:14 lan kernel: NET: 2166 messages suppressed.
Jul 14 13:06:14 lan kernel: TCP: drop open request from 81.38.172.161/2137
Jul 14 13:06:19 lan kernel: NET: 2071 messages suppressed.
Jul 14 13:06:19 lan kernel: TCP: drop open request from 81.38.172.161/3136
Jul 14 13:06:24 lan kernel: NET: 2069 messages suppressed.
Jul 14 13:06:24 lan kernel: TCP: drop open request from 81.84.212.34/4600
Jul 14 13:06:29 lan kernel: NET: 1797 messages suppressed.
Jul 14 13:06:29 lan kernel: TCP: drop open request from 86.212.167.27/3171
Jul 14 13:06:35 lan kernel: NET: 1292 messages suppressed.
Jul 14 13:06:35 lan kernel: TCP: drop open request from 81.203.228.102/1394
Jul 14 13:06:39 lan kernel: NET: 715 messages suppressed.


Code:
May 17 14:13:24 lan kernel: ip_conntrack: table full, dropping packet.Full Table. We have a problem because we won't admit more connections although they are legitimate.

We can increase the value of this chart if our net gives for more.

Directly:

Code:
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_maxSo that the value is saved and don't get lost when restarting, we should add it in the sysctl.conf

Code:
net.ipv4.ip_conntrack_max = 65535remembers to restart the net to apply the changes in the / proc (service network restart).

Martian packages:

Aug 31 12:41:29 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 12:45:07 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 12:52:57 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 12:58:55 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:08:12 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:12:03 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:34:38 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:37:38 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:52:42 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:56:18 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 13:59:54 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 14:13:32 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 14:38:08 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 14:43:42 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 14:50:05 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 14:51:05 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 14:57:58 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 15:05:27 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 15:06:14 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0
Aug 31 15:09:08 lan kernel: martian source 192.168.0.10 from 0.0.0.0, on dev eth0They are unexpected packages that arrive for a road for which you/they cannot arrive it indicates some problem of audacity (cracker).

Using packages like these can be attacked remote vulnerabilities in stacks TCP/IP

5) looking at the graphs of the MRTG, RRDtool


If you see that the traffic inbound ascends up to the 100mbps it is that they are wish you hehehe





B) to Try to stop the attack

1) - mod_evasive
Web Oficial:
Code:

http://www.nuclearelephant.com/projects/mod_evasive/

We consider that 50 connections per second to 2 pages it is enough I motivate like to block that ip:

Quote:

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 900


The same as the previous one but with 50 petitions in one second to 1 single page:

Quote:

DOSHashTableSize 3097
DOSPageCount 1
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1


If we want to block the ips that floodean, we can use the iptables:

Code:
DOSSystemCommand "sudo -u root -c '/sbin/iptables -A INPUT -s %s -j DROP"To remember to look at the syslog for if there are possible positive reinforcements (ip's that didn't make flood).

To avoid false positive:

Quote:

# añadir estas líneas que corresponden a rangos de los bots de google
DOSWhitelist 66.249.65.*
DOSWhitelist 66.249.66.*


Important:
So that the mod_evasive works correctly you will modify the one:

Code:
MaxRequestsPerChild 0To put a high but never limitless value (0).

Code:
MaxRequestsPerChild 10000Config example:
Code:

http://www.eth0.us/mod_evasive

2 - mod_security
The only problem of the mod_security is that we need an argument at least to detect the attack.

In the example we use in http_referer and the User Agent to detect the DDoS:

3- tcplimit, ipdrop, ipblock
Using dynamic firewalls

4 - optimizing and assuring the net with the sysctl.conf

Code:
cat /proc/sys/net/ipv4/tcp_syncookies# Enable IP spoofing protection, turn on Source Address Verification

Code:
net.ipv4.conf.all.rp_filter = 1# Enable TCP SYN Cookie Protection

Code:
net.ipv4.tcp_syncookies = 1# Enable ignoring broadcasts request

Code:
net.ipv4.icmp_echo_ignore_broadcasts = 11). Activate SynCookies protection

It works by sending out 'syncookies' when the
syn backlog queue of a socket overflows.

Quote:
=> echo 1 >/proc/sys/net/ipv4/tcp_syncookies

or

=> /sbin/sysctl -w net.ipv4.tcp_syncookies=1

2). Disable source routing

Quote:
=> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done

or

=> /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0

3). Reverse Path Filtering

Reject incoming packets if their source address doesn't match
the network interface that they're arriving on

Quote:
=> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

or

=> /sbin/systcl -w net.ipv4.conf.all.rp_filter=1

4). Log RP filter dropped packets (martians)

Quote:
=> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done

or

=> /sbin/sysctl -w net.ipv4.conf.all.log_martians=1

5). Maximal number of remembered connection requests

Code:
=> /sbin/sysctl -w net.ipv4.tcp_max_syn_backlog=256). How may times to retry before killing TCP connection

(default 7 on most systems)

Code:
=> /sbin/sysctl -w net.ipv4.tcp_orphan_retries=47). Number of SYN packets the kernel will send before giving up

Code:
=> /sbin/sysctl -w net.ipv4.tcp_syn_retries=58). Disable broadcast icmp reply

Code:
=> /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=19). Ignore Bogus icmp packets

Code:
=> /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=110). Disable ICMP redirect

Quote:
=> echo 0 >/proc/sys/net/ipv4/conf/all/accept_redirects
=> echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects

or

=> /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
=> /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0

11). Disable timestamps

Quote:
=> echo 0 >/proc/sys/net/ipv4/tcp_timestamps

or

=> /sbin/sysctl -w net.ipv4.tcp_timestamps=0

12). Reduce DOS ability by reducing timeouts

Quote:
=> echo 30 >/proc/sys/net/ipv4/tcp_fin_timeout
=> echo 1800 >/proc/sys/net/ipv4/tcp_keepalive_time
=> echo 0 >/proc/sys/net/ipv4/tcp_window_scaling
=> echo 0 >/proc/sys/net/ipv4/tcp_sack

or

=> /sbin/sysctl -w net.ipv4.tcp_fin_timeout=30
=> /sbin/sysctl -w net.ipv4.tcp_keepalive_time=1800
=> /sbin/sysctl -w net.ipv4.tcp_window_scaling=0
=> /sbin/sysctl -w net.ipv4.tcp_sack=0

It lists of all the variables of the TCP:
Code:

http://ipsysctl-tutorial.frozentux.n...variables.html

lists of Variables of the / proc/sys/net/ipv4 / * (with default varlores and explanations)
Code:

http://ipsysctl-tutorial.frozentux.n.../ip-sysctl.txt

More examples of complete configuration of the sysctl.conf in the references of the document

5 - APF Firewall with the module anti-ddos

Code:
wget
Code:

http://www.rfxnetworks.com/downloads/apf-current.tar.gz

tar xvzf apf-current.tar.gz
cd apf-0.9.6-1/
./install.shservice apf start
/usr/local/sbin/apf -s

Configuration file

Code:
/etc/apf/conf.apfAfter making the tests leave:

Code:
DEVEL_MODE="0"If it leaves us a similar error to this:

Code:
apf(9413): unable to load iptables module (ip_tables), aborting.We change this:

Code:
SET_MONOKERN="1"Ports that we want to open up (inbound)

Code:
IG_TCP_CPORTS="21,22,25,53,80,110"If you want to block the whole exit traffic puts it in 1 (outbound)

Code:
EGF="0"If we want to use the module antddos to put at 1:

Code:
USE_AD="0"Log:
/var/log/apf_log

To see the packages:

Code:
LOG_DROP="1"will keep it in the syslog, example:

Quote:
Oct 20 13:59:27 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=18779 PROTO=TCP SPT=11629 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:16 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20376 PROTO=TCP SPT=27734 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:17 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20382 PROTO=TCP SPT=25943 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:17 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20387 PROTO=TCP SPT=19026 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:17 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20397 PROTO=TCP SPT=2155 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:17 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20407 PROTO=TCP SPT=9294 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:22 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20687 PROTO=TCP SPT=9269 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:22 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20694 PROTO=TCP SPT=27223 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:23 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=20830 PROTO=TCP SPT=30938 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:25 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21038 PROTO=TCP SPT=5377 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:27 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21219 PROTO=TCP SPT=13341 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:00:42 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=21990 PROTO=TCP SPT=22960 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0
Oct 20 14:02:32 ns2 kernel: ** SANITY ** IN=eth0 OUT= SRC=213.27.201.254 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=26386 PROTO=TCP SPT=2826 DPT=80 WINDOW=0 RES=0x00 RST FIN URGP=0


remembers that to use the antidos you should add the cron job:

Code:
*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1http://www.r-fx.org/apf/README.antidos

KISS My Firewall is an alternative.

Script PHP
Code:

http://www.prism-hosting.com/AntiDoS

6 - to stop the botnet
ZmbScap - Zombie Scapper - Stoopt DDoS Programs
Code:

http://www.metaeye.org/projects/zmbscap/

Tracking Botnets - Bot-Commands
Code:

http://www.honeynet.org/papers/bots/...-commands.html

Tracking Botnets
Code:

http://www.honeynet.org/papers/bots/

Tracking Botnets - DDoS-attacks
Code:

http://www.honeynet.org/papers/bots/botnet-ddos.html

Phatbot Trojan Analysis
Code:

http://www.lurhq.com/phatbot.html

F-Bot by f-secure - it Eliminates the Agobot and all their variants
Code:

http://www.f-secure.com/tools/f-bot.zip

Nepenthes - Autoinfecarse without danger to analyze
Code:

http://nepenthes.mwcollect.org/

honeytrap – trap attacks against tcp services
Code:

http://honeytrap.sourceforge.net/

7 - using rules of the iptables

Quote:
# todo el trafico syn
-P INPUT DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-P OUTPUT DROP
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-P FORWARD DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A FORWARD -i lo -o lo -j ACCEPT


# sube las cargas pero muchos wwww buena señal
-A INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable



# la que mejor va
-N syn-flood
-A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN flood: "
-A syn-flood -j DROP



# igual que el de arriba pero muy bestia
-N syn-flood
-A INPUT -i eth0:2 -p tcp --syn -j syn-flood
-A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
-A syn-flood -j DROP


-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit
1/sec -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit
--limit 1/sec -j ACCEPT

# no es muy efectivo
-A INPUT -s 0/0 -p tcp --syn --source-port 1000:5000
--destination-port 80 -j DROP

# no es muy efectivo
-A INPUT -p tcp -m tcp --dport 80 --sport 1000:5000 --tcp-flags SYN SYN -j DROP

# Descartar paquetes mal formados

-N PKT_FAKE
-A PKT_FAKE -m state --state INVALID -j DROP
-A PKT_FAKE -p tcp --dport 80 --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,FIN SYN,FIN -j DROP
-A PKT_FAKE -p tcp --dport 80 --tcp-flags SYN,RST SYN,RST -j DROP
-A PKT_FAKE -p tcp --dport 80 ! --syn -m state --state NEW -j DROP
-A PKT_FAKE -f -j DROP
-A PKT_FAKE -j RETURN

# syn-flood
-N syn-flood
-A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
-A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
-A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
-A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence --log-tcp-options --log-ip-options -m limit --limit 1/second
-A syn-flood -j DROP

# By pepel. Requiere módulo limit
-A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 10 --hitcount 10 -j DROP

8 - using the mod_throttle
Code:

http://www.snert.com/Software/mod_throttle/

Others:
Mod_Throttle, mod_bandwidth, mod_iplimit, mod_tsunami, mod_limitipconn.c

ForApache 2:
mod_cband

Quote:
cd /usr/src
wget
Code:

http://www.snert.com/Software/mod_th...hrottle312.tgz

tar zxvf mod_throttle312.tgz
cd mod_throttle-3.1.2
pico Makefile
Then edit the line that reads:
APXS=apxs
And change it to read:
APXS=/usr/local/apache/bin/apxs
make
make install
service httpd restart

Code:

ThrottlePolicy Volume 10G 30d


SetHandler throttle-me

Code:

http://www.webhostgear.com/160.html

C) References
- Syctl.conf Hardening
Code:

http://www.eth0.us/sysctl

- Ipsysctl tutorial 1.0.4
Code:

http://ipsysctl-tutorial.frozentux.n...-tutorial.html

- Hardening the TCP/IP stack to SYN attacks
Code:

http://www.securityfocus.com/infocus/1729

- DDOS and SYN_Recv Attacks And some SOlutions
Code:

http://www.vbulletin.com/forum/showthread.php?t=126699

- Distributed Reflection Denial of Service
Code:

http://www.grc.com/dos/drdos.htm

- Dynamic iptables firewalls
Code:

http://www-128.ibm.com/developerworks/library/l-fw/

- Preventing DDoS Attacks
Code:

http://www.linuxsecurity.com/content/view/121960/49/

- Distributed Denial of Service (DDoS) Attacks/tools
Code:

http://staff.washington.edu/dittrich/misc/ddos/

- Linux firewall rulesets and snippets of rule sets
Code:

http://www.gotroot.com/tiki-index.ph...rewall%20rules

Enjoy

__________________
# mysqladmin -u root -p create hackerdb
# Enter password:
# mysql -u root -p hackerdb < /pentest/web/billgates/doc/hacker_sql_create_script.txt
# Enter password:
#
# mysql -u root -p hackerdb
Enter password:
Welcome to the MySQL monitor. Commands END with ; OR \g.
Your MySQL connection id IS 9 to server version: 5.0.27-LOG

Type 'help;' OR '\h' for HELP. Type '\c' to clear the buffer.

mysql> GRANT ALL PRIVILEGES ON hackerdb.* TO bank_of_americadb@'localhost' IDENTIFIED BY 'hackerdb';
Query OK, 0 rows affected (0.01 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

- PM me or a mod to report dead links or abuse
- Remember To Say Thanks For The Post You Used
- Contact me for details on how to get a VIP subscription
- Tell Your Friends About Us To Make security.shell A Better Place

04.Nessus.mov
nmap_Pt.1.mov
nmap_Pt.2.mov
Scanning_Demonstration_using_NMAP.mov
Reconnaissance_Demo.mov
SuperScan.mov
SuperScan.Demonstration.mov
Folder Passwd: pentest
iepwned-2.ogv
YouTube - security sh3ll]

Regards,
thegrchet


Reference: http://learnhackin.blogspot.com/2008_05_01_archive.html