DDoS Protection: APF, BFD, DDoS and RootKit Utilities
Being a web host, your servers are constantly being attacked by hackers by denial-of-service (DoS) and other brute force attacks. There is no foolproof method to stop 100% of all attacks, but there are ways to protect your servers by applying firewall rules, and detecting and banning attacking IPs.
To begin installation, login to your server as a root user.
% ssh -l root [hostname] root@[hostname]'s password: [password] Last login: [Date] from [hostname]
APF -- Advanced Policy-based Firewall
Get the latest source from the rfxnetworks, and install the software.
# cd /usr/src # mkdir utils # cd utils # wget http://rfxnetworks.com/downloads/apf-current.tar.gz # tar xfz apf-current.tar.gz # cd apf-* # ./install.sh
Read the README.apf and README.antidos for configuration options. Edit the /etc/apf/conf.apf and modify the following lines to your need.
DEVEL_MODE="0" IG_TCP_CPORTS="21,22,25,53,80,110,143,443,3306" IG_UDP_CPORTS="53,111" USE_AD="1"
By default, APF is setup to run in development mode which flushes firewall rules every 5 minutes. Running in development mode defeats the purpose of running APF, as it will automatically flush every 5 minutes. Configure the Ingress (inbound) TCP and UDP ports that need to be opened. Finally, enable AntiDos by setting USE_AD="1".
Edit the /etc/apf/ad/conf.antidos as you fit necessary, and start the APF firewall.
# apf --start
BFD -- Brute Force Detection
BFD is a shell script which parses security logs and detects authentication failures. It is a brute force implementation without much complexity, and it works in conjunction with a APF (Advanced Policy-based Firewall).
## Get the latest source and untar. # cd /usr/src/utils # wget http://rfxnetworks.com/downloads/bfd-current.tar.gz # tar xfz bfd-current.tar.gz # cd bfd-* # ./install.sh
Read the README file, and edit the configuration file located in /usr/local/bfd/conf.bfd.
Find ALERT="0" and replace it with ALERT="1"
Find EMAIL_USR="root" and replace it with EMAIL_USR="[email protected]"
Edit /usr/local/bfd/ignore.hosts file, and add your own trusted IPs. BFD uses APF and hence it orverrides allow_hosts.rules, so it is important that you add trusted IP addresses to prevent yourself from being locked out.
## Start the program. # /usr/local/sbin/bfd -s
## Get the latest source # cd /usr/src/utils # mkdir ddos # cd ddos # wget http://www.inetbase.com/scripts/ddos/install.sh # sh install.sh
Edit the configuration file, /usr/local/ddos/ddos.conf, and start the ddos.
# /usr/local/ddos/ddos.sh -c
RootKit -- Spyware and Junkware detection and removal tool
Go to Rootkit Hunter homepage, and download the latest release.
## Get the latest source and untar # cd /usr/src/utils # wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz # tar xfz rkhunter-*.gz # cd rkhunter # ./installer.sh ## run rkhunter # rkhunter -c
Setup automatic protection on System Reboot
## Edit /etc/rc.d/rc.local ## (or similar file depending on Linux version) ## Add the following lines at the bottom of the file /usr/local/sbin/apf --start /usr/local/ddos/ddos.sh -c
The SYN Floods and ICMP DDoS may also be prevented by utilizing the Linux traffic control utility (tc). To view setup instructions, please see relevant sections of Linux Advanced Routing & Traffic Control HOWTO.
Notes from the users:
Some of the users experienced following errors while starting APF.
bash# apf --startAccording to Burst and Ryan of r-fx.org, changing the SET_MONOKERN variable in /etc/apf/conf.apf to "1" will correct the problem.
Unable to load iptables module (ip_tables), aborting.