Linux security for a DDoS
OK – so you're under a DDoS…. chances are it's too late at that point – however, being proactive is better than reactive. One caveat up front: if the attack is big enough to saturate your uplink, nothing you do on the server will help (that is a job for your upstream provider); everything below is aimed at application-layer floods and connection exhaustion, which a single box can actually do something about.
Here are a few ways to help you survive a DDoS
Install & utilize mod_evasive
mod_evasive is an evasive-maneuvers module for Apache that takes evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack. It is also designed to be a detection and network-management tool, and can be configured to talk to ipchains, firewalls, routers and so on (via DOSSystemCommand). mod_evasive presently reports abuses via email and syslog.
Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denying any single IP address that does any of the following:
- Requesting the same page more than a few times per second (DOSPageCount per DOSPageInterval)
- Making more than 50 concurrent requests on the same child per second (DOSSiteCount per DOSSiteInterval)
- Making any requests while temporarily blacklisted (on the blocking list)
How to install:
a) Install mod_evasive (the -a flag makes apxs add the LoadModule line for you)
# wget http://www.zdziarski.com/projects/mo…_1.10.1.tar.gz
# tar -xzvf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# /usr/local/apache/bin/apxs -i -a -c mod_evasive.c
# /etc/init.d/httpd restart
The tarball ships mod_evasive.c for Apache 1.3 and mod_evasive20.c for Apache 2.x; compile the one that matches your build, and use that same file name in the IfModule block below.
b) Also include the following lines in the Apache conf file (if you compiled mod_evasive20.c, the IfModule name must be mod_evasive20.c, otherwise the whole block is silently skipped and the module runs on its compiled-in defaults)
# vi /usr/local/apache/conf/httpd.conf
————————————————-
<IfModule mod_evasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
</IfModule>
————————————————-
What these mean: more than DOSPageCount requests for the same URI within DOSPageInterval seconds, or more than DOSSiteCount requests to the site within DOSSiteInterval seconds, puts the client on the blocking list for DOSBlockingPeriod seconds, and every further request during that time gets a 403 and restarts the timer. DOSPageCount 2 per second is aggressive: several people behind one office NAT address, or a page whose assets are fetched over many parallel connections, can trip it. Put 127.0.0.1, your monitoring hosts and your load balancers in DOSWhitelist, and set DOSEmailNotify (or watch syslog) so you can see who is being blocked. Note that in prefork each Apache child keeps its own table, so the counts are per child, not server-wide.
c) Restart the webserver
# /etc/init.d/httpd restart
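To see what the thresholds above actually do, here is a small model of mod_evasive's per-client accounting run over constructed traffic. This is an added example, not mod_evasive's own code: it follows the documented meaning of the directives (a client is blocked once it exceeds DOSPageCount hits on one URI within DOSPageInterval, or DOSSiteCount hits on the site within DOSSiteInterval, and stays blocked for DOSBlockingPeriod with the timer restarted on every refused request), not the C source, so the exact request on which a real server starts refusing may be off by one. It models a single Apache child, since in prefork each child keeps its own table. All addresses, URIs and timings are constructed.

```python
"""Model of mod_evasive's per-IP thresholds (added example, not the module's code)."""
from dataclasses import dataclass, field


@dataclass
class EvasiveConfig:
    """The directives from the IfModule block, with the same values as defaults."""
    page_count: int = 2            # DOSPageCount
    site_count: int = 50           # DOSSiteCount
    page_interval: float = 1.0     # DOSPageInterval (seconds)
    site_interval: float = 1.0     # DOSSiteInterval (seconds)
    blocking_period: float = 10.0  # DOSBlockingPeriod (seconds)
    whitelist: tuple = ()          # DOSWhitelist; exact addresses only in this model


@dataclass
class Evasive:
    """One Apache child's view of its clients (prefork: one table per child)."""
    cfg: EvasiveConfig
    page_hits: dict = field(default_factory=dict)  # (ip, uri) -> (window_start, hits)
    site_hits: dict = field(default_factory=dict)  # ip -> (window_start, hits)
    blocked: dict = field(default_factory=dict)    # ip -> time of last refused request

    def check(self, ip, uri, t):
        """200 if the request would be served, 403 if mod_evasive would refuse it."""
        if ip in self.cfg.whitelist:
            return 200
        # Already on the blocking list: refuse and restart the DOSBlockingPeriod timer.
        if ip in self.blocked and t - self.blocked[ip] < self.cfg.blocking_period:
            self.blocked[ip] = t
            return 403
        c = self.cfg
        page = self._count(self.page_hits, (ip, uri), t, c.page_interval)
        site = self._count(self.site_hits, ip, t, c.site_interval)
        if page > c.page_count or site > c.site_count:
            self.blocked[ip] = t
            return 403
        return 200

    @staticmethod
    def _count(table, key, t, interval):
        """Record a hit in a fixed window and return the hits seen in that window."""
        start, hits = table.get(key, (t, 0))
        if t - start >= interval:          # window expired: start a fresh one
            start, hits = t, 0
        hits += 1
        table[key] = (start, hits)
        return hits


def simulate(requests, cfg=None):
    """Run (time, ip, uri) tuples through one child; return {ip: number of 403s}."""
    ev = Evasive(cfg or EvasiveConfig())
    denied = {}
    for t, ip, uri in requests:
        if ev.check(ip, uri, t) == 403:
            denied[ip] = denied.get(ip, 0) + 1
    return denied


# Constructed traffic (not captured from a real server).
# A: one client hammering the login page 20 times within one second.
ATTACK = [(100 + 0.05 * i, "203.0.113.9", "/login.php") for i in range(20)]
# B: three colleagues behind one office NAT address open the same page within a second.
PAGE = ["/index.html", "/static/app.css", "/static/app.js"]
OFFICE = [(200 + 0.2 * user + 0.05 * k, "198.51.100.7", uri)
          for user in range(3) for k, uri in enumerate(PAGE)]
# C: a single visitor loading a page with 55 assets over half a second.
HEAVY_PAGE = [(300 + 0.008 * i, "198.51.100.22",
               "/index.html" if i == 0 else f"/static/a{i}.png") for i in range(56)]

if __name__ == "__main__":
    print(simulate(ATTACK))      # {'203.0.113.9': 18}: refused from the third hit on
    print(simulate(OFFICE))      # {'198.51.100.7': 3}: DOSPageCount 2 trips on the third /index.html
    print(simulate(HEAVY_PAGE))  # {'198.51.100.22': 6}: DOSSiteCount 50 trips on asset 51
    relaxed = EvasiveConfig(page_count=10, site_count=100, whitelist=("198.51.100.7",))
    print(simulate(OFFICE + HEAVY_PAGE, relaxed))  # {}: the legitimate traffic passes
```

The two legitimate cases are the point: with the values from the conf block, an office behind one NAT address and a visitor on an asset-heavy page are both treated exactly like the attacker, which is why the whitelist and a less aggressive DOSPageCount matter before this goes live.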
Utilize ModSecurity for Apache
With a large share of attacks now carried out at the web application level, organizations need every help they can get in making their systems secure. A web application firewall adds an external security layer that detects and blocks attacks before they reach the web application.
ModSecurity can act immediately to stop attacks from reaching your web applications. There are three commonly used approaches:
- Negative security model. The negative model monitors requests for anomalies, unusual behaviour, and common web application attacks. It keeps anomaly scores per request, IP address, application session and user account; requests with high anomaly scores are either logged or rejected outright.
- Known weaknesses and vulnerabilities. Its rule language makes ModSecurity an ideal external patching tool. External (virtual) patching is about reducing the window of opportunity: the time needed to patch application vulnerabilities often runs to weeks in many organisations. With ModSecurity, applications can be patched from the outside, without touching the application source code (and even without any access to it), keeping your systems protected until a proper patch is produced.
- Positive security model. When a positive security model is deployed, only requests that are known to be valid are accepted and everything else is rejected. This approach works best with applications that are heavily used but rarely updated.
Bear in mind that ModSecurity is a request filter, not a flood control: it costs CPU per request, so on its own it will not stop a connection flood from exhausting MaxClients. Use it together with the rate limiting and connection caps described in the other sections.
To install ModSecurity on a cPanel server the steps are quite simple:
WHM >> cPanel >> Addon Modules >> Select "modsecurity" >> save
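As an added example of the "known weaknesses" (virtual patching) and "positive security model" approaches, here is a pair of ModSecurity 2.x rules. The application, the path /account.php and its id and tab parameters are hypothetical; this is not the page's configuration and nothing shipped with ModSecurity or cPanel, and the rule ids are arbitrary but must be unique within your rule set.

```apache
SecRuleEngine On

<LocationMatch "^/account\.php$">
    # Virtual patch (external patching): the hypothetical account.php only ever
    # receives a decimal integer in "id", so anything else is refused in phase 2
    # (after the request arguments are available) before it reaches the application.
    SecRule ARGS:id "!@rx ^[0-9]{1,10}$" "id:1000001,phase:2,deny,status:403,log,msg:'Virtual patch: non-numeric id on account.php'"

    # Positive model for the same URL: only the parameter names we know about are
    # accepted; a request carrying any other name is refused outright.
    SecRule ARGS_NAMES "!@rx ^(id|tab)$" "id:1000002,phase:2,deny,status:403,log,msg:'Unexpected parameter on account.php'"
</LocationMatch>
```

Run new rules with SecRuleEngine DetectionOnly first and read the audit log before switching to On; a positive rule that is too strict is a denial of service you inflict on yourself.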
Mitigate attackers using iptables
a) Find the IPs that currently hold the most connections to the server
(The following command is the better one for getting the IPs, as it sorts them by number of connections. The awk condition skips netstat's two header lines; cut strips the port so the count is per address, which works for IPv4 but mangles IPv6 peers, whose addresses contain colons.)
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Before you block anything on this list, make sure the address is not your own load balancer, reverse proxy, monitoring host or an office NAT gateway: a single IP with many connections is not necessarily an attacker.
b) Block them using iptables
# iptables -I INPUT -s ipaddress -j DROP
# service iptables save
The rule is active as soon as the first command runs; service iptables save only writes it to /etc/sysconfig/iptables so it survives a reboot (RHEL/CentOS; other distributions persist rules differently). Restarting the service afterwards is not needed and briefly flushes every rule. Note that -I inserts at the top of INPUT, so the DROP wins over any earlier ACCEPT, and it applies to every port, not just 80.
Optimize the httpd.conf file
# vi /usr/local/apache/conf/httpd.conf
Change the options below as follows; the values this server had before the change are shown in brackets. The goal is to stop idle or slow clients from holding prefork worker slots, because a flood does not need to saturate your bandwidth to take the site down; it only has to keep MaxClients connections occupied.
MaxKeepAliveRequests 50 (100)
KeepAliveTimeout 5 (30)
Lower KeepAliveTimeout, do not raise it: an idle keep-alive connection ties up a child for the whole timeout, so with 30 seconds a few hundred clients that connect and then go quiet can hold every slot for half a minute at a time, while a few seconds is plenty for a browser to fetch a page's assets over one connection.
Also edit the following options according to the situation:
Timeout (lower it; Apache 2.2's default of 300 seconds lets a slow or half-open connection hold a worker for five minutes)
KeepAlive (leave it On; Off makes every asset a new TCP connection, which costs more under load than a short timeout)
MinSpareServers
MaxSpareServers
MaxClients (raise it only as far as RAM allows: roughly the memory you can give Apache divided by the resident size of one httpd child, since a server that starts swapping is down whether or not the attack continues)
Install & configure a 3rd-party DDoS prevention application
We can also use the widely used 3rd-party script 'DDoS-Deflate' to automate the manual step above: it runs the same netstat | awk | cut | sort | uniq -c pipeline, bans every address over a connection threshold with APF or iptables, and lifts the ban again after a set period.
Steps to install this script are as follows. Read install.sh before running it: this is a downloaded script executed as root, so check what it fetches and where it writes.
# wget http://www.inetbase.com/scripts/ddos/install.sh
# sh install.sh
Then set the connection threshold (NO_OF_CONNECTIONS) and the ban period in /usr/local/ddos/ddos.conf, and put your own load balancers, monitoring hosts and office gateways in /usr/local/ddos/ignore.ip.list before the first run, or the script will ban them the first time they get busy.
Add the script '/usr/local/ddos/ddos.sh' to cron as follows
# crontab -e
*/5 * * * * /usr/local/ddos/ddos.sh >/dev/null 2>&1
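The manual netstat/iptables procedure and DDoS-Deflate's cron job are the same idea, so here is one worked version of it serving both sections: count connections per peer, skip an ignore list, and produce the iptables commands for anything over a threshold. This is an added example, not code from the page or from DDoS-Deflate. It runs offline over constructed netstat -ntu output (the 192.0.2.x, 198.51.100.x, 203.0.113.x and 2001:db8:: addresses are documentation ranges, not real hosts) and returns the commands as strings rather than executing them.

```python
"""Connection-count banning over netstat output (added example, not DDoS-Deflate's code)."""
from collections import Counter

# Constructed sample of `netstat -ntu` output, not captured from a real host.
# Our server is 192.0.2.10; every peer is a documentation address.
HEADER = ["Active Internet connections (w/o servers)",
          "Proto Recv-Q Send-Q Local Address           Foreign Address         State"]


def _conns(peer, n, state):
    return [f"tcp        0      0 192.0.2.10:80           {peer}:{40000 + i:<13}{state}"
            for i in range(n)]


SAMPLE_NETSTAT = "\n".join(
    HEADER
    + _conns("203.0.113.9", 180, "SYN_RECV")     # flood source: half-open connections
    + _conns("198.51.100.7", 95, "ESTABLISHED")  # office NAT gateway: many real users
    + _conns("192.0.2.1", 300, "ESTABLISHED")    # our own load balancer
    + _conns("2001:db8::1", 4, "ESTABLISHED")    # IPv6 peer: `cut -d: -f1` would give "2001"
    + _conns("198.51.100.23", 2, "TIME_WAIT"))

# Never to be dropped, whatever the count (assumed values; DDoS-Deflate has the
# same idea in its ignore.ip.list).
IGNORE = {"127.0.0.1", "192.0.2.1"}


def count_connections(netstat_output, states=None):
    """Connections per peer address from `netstat -ntu` text.
    Header lines are skipped by checking the protocol column, and the port is split
    off after the LAST colon so IPv6 peers are counted correctly. `states`
    (e.g. {"SYN_RECV"}) restricts the count to those TCP states."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        peer = fields[4].rsplit(":", 1)[0]
        state = fields[5] if len(fields) > 5 else ""   # udp lines carry no state
        if states is not None and state not in states:
            continue
        counts[peer] += 1
    return counts


def select_bans(counts, threshold=150, ignore=frozenset()):
    """Peers at or above `threshold` connections, minus the ignore list, worst first.
    150 is the threshold DDoS-Deflate ships with (NO_OF_CONNECTIONS)."""
    return sorted(((ip, n) for ip, n in counts.items()
                   if n >= threshold and ip not in ignore),
                  key=lambda item: -item[1])


def iptables_commands(bans):
    """One DROP per offender, inserted at the top of INPUT (-I) so it is matched
    before any ACCEPT rule. Returned as text, never executed here."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip, _ in bans]


def unban_commands(bans):
    """The matching deletions, to run when the ban period expires."""
    return [f"iptables -D INPUT -s {ip} -j DROP" for ip, _ in bans]


if __name__ == "__main__":
    counts = count_connections(SAMPLE_NETSTAT)
    for ip, n in sorted(counts.items(), key=lambda item: item[1]):
        print(f"{n:7d} {ip}")            # same shape as `sort | uniq -c | sort -n`
    bans = select_bans(counts, threshold=150, ignore=IGNORE)
    for cmd in iptables_commands(bans):   # only 203.0.113.9: the load balancer is
        print(cmd)                        # ignored and the office is under threshold
```

Run it from cron the way DDoS-Deflate is run above, and schedule the unban_commands output with at (for example at now + 10 minutes) or a second cron entry; counting only {"SYN_RECV"} picks out a SYN flood without counting the established sessions a busy NAT gateway legitimately holds.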