How to prevent ddos attack

Support for security such as Firewalls and securing linux
sadue
Posts: 55
Joined: 2016/01/08 19:08:26

How to prevent ddos attack

Post by sadue » 2016/01/22 19:27:52

Hey guys,

I need an urgent help please. My site is under ddos attack. Just take a look at this login failure within hours.
root@66.xx.xxx.xx's password:
Last failed login: Fri Jan 22 14:36:10 EST 2016 from 59.45.79.109 on ssh:notty
There were 9335 failed login attempts since the last successful login.
Last login: Fri Jan 22 06:45:59 2016 from 41.220.68.237
[root@server2 ~]#
Please how do I prevent my server from such an attack for security purpose?

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: How to prevent ddos attack

Post by aks » 2016/01/22 23:38:41

Limit the incoming IP addresses to SSHD from only your known hosts.
Perhaps also look at fail2ban (or the like).

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How to prevent ddos attack

Post by lightman47 » 2016/01/23 10:48:49

in addition, make sure you have NOT enabled root login in your /etc/ssh/sshd_config !! Root is the only known existing account and that's the one they'll likely be banging at, trying to guess the password. This doesn't stop you from using root - login as another user, then "su" once you're in. While it is un-nerving to see your logs filling with this stuff, you can ensure they remain only attempts and not actual logins.

I use fail2ban on my CentOS6 box and it does a great job. I have it installed on my CentOS7 machines but none of them face the outside world as a rule. I seem to recall there were also some posts about it's effectiveness on 7 - not sure if that was resolved. Perhaps one day I'll plug my laptop into the modem to see what happens. 'They' are banging away at me 5-6 times an hour.

User avatar
avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland
Contact:

Re: How to prevent ddos attack

Post by avij » 2016/01/23 12:54:30

Perhaps something like this helps in reducing the number of connection attempts:

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m hashlimit --hashlimit-name limitssh --hashlimit-above 1/minute --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-srcmask 28 -j DROP

See man iptables-extensions for a description of the options. I also agree that allowing root to log in using a password (regardless of password complexity) is not a good idea. This can be changed in /etc/ssh/sshd_config, option PermitRootLogin.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: How to prevent ddos attack

Post by aks » 2016/01/23 18:00:52

Hmph, as an alternative ... don't plug into a network :P

sadue
Posts: 55
Joined: 2016/01/08 19:08:26

Re: How to prevent ddos attack

Post by sadue » 2016/01/29 12:52:04

lightman47 wrote:I use fail2ban on my CentOS6 box and it does a great job. I have it installed on my CentOS7 machines but none of them face the outside world as a rule. I seem to recall there were also some posts about it's effectiveness on 7 - not sure if that was resolved. Perhaps one day I'll plug my laptop into the modem to see what happens. 'They' are banging away at me 5-6 times an hour.
I have disabled root login. But before that, I installed fail2ban and let it run for some days to test it. But it does not work. I still get some failed login attempt, but none is banned. Any better idea if it is now fully compatible with centos 7?

lightman47
Posts: 1521
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: How to prevent ddos attack

Post by lightman47 » 2016/01/31 12:54:49

"Attempts" are part of being connected to the outside word. Most folk don't see them so they incorrectly assume they are not happening; they are. I'm told most are the bot networks/infected machines. Trick is to allow a typo for you or someone you want to allow in without locking them out, yet block those out there who are trying to guess userids & passwords.

There's a setting in jail.local that determines how many failed attempts will cause the i.p. to be ignored/locked out. I've set mine for two:

Code: Select all

maxretry = 2
You can also specify a specific maxretry inside a section to over-ride the general setting for that particular protocol.

---

As to the question about CentOS7 version effectiveness ... it'll show up in your logs when it blocks someone. You can always enable emails (bottom of fail2ban.local),
example:

Code: Select all

[MAIL]
enabled = true
to = me@myemail.com


then define the settings for the email in each of the sections that you are using in jail.local.
example in my ssh section:

Code: Select all

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=me@myemail.com, sender=fail2ban@example.com, sendername="Fail2Ban machinename"]
logpath  = /var/log/secure
maxretry = 1
Of course, after the edits:

Code: Select all

systemctl restart fail2ban

User avatar
twopoint71
Posts: 52
Joined: 2016/02/02 18:40:52

Re: How to prevent ddos attack

Post by twopoint71 » 2016/02/03 23:55:09

Sadue,

Having an ssh port which is publicly accessible is a horrible security risk even with fail2ban because the attacker could simply get "lucky" and guess on the first few tries.

The best practice is to block ssh altogether and then put some trusted source addresses in the iptables white list.

As an example:

Code: Select all

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m comment --comment "allow icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "allow local" -j ACCEPT
-A INPUT -s 192.168.57.101 -m comment --comment "allow my ip address" -j ACCEPT
-A INPUT -m comment --comment "deny all" -j DROP
Where 192.168.57.101 is your IP address, but I recommend more than 1 in the trusted list, in case you lose your IP address.

Thanks,
Bob

sadue
Posts: 55
Joined: 2016/01/08 19:08:26

Re: How to prevent ddos attack

Post by sadue » 2016/02/05 15:58:58

twopoint71 wrote:Sadue,

Having an ssh port which is publicly accessible is a horrible security risk even with fail2ban because the attacker could simply get "lucky" and guess on the first few tries.

The best practice is to block ssh altogether and then put some trusted source addresses in the iptables white list.

As an example:

Code: Select all

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m comment --comment "allow icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "allow local" -j ACCEPT
-A INPUT -s 192.168.57.101 -m comment --comment "allow my ip address" -j ACCEPT
-A INPUT -m comment --comment "deny all" -j DROP
Where 192.168.57.101 is your IP address, but I recommend more than 1 in the trusted list, in case you lose your IP address.
Bob
To start with. I dont have a static IP address, how the can this work for me. I have thought of disabling access to ssh totally except from one or few IP, but the issue of dynamic IP address came to mind, so I get ride of such idea. Any way in to such idea with dynamic IP?

User avatar
twopoint71
Posts: 52
Joined: 2016/02/02 18:40:52

Re: How to prevent ddos attack

Post by twopoint71 » 2016/02/05 18:17:03

sadue,
I dont have a static IP address, how the can this work for me
Is this a server hosted in your house?

If that's the case, then I recommend changing the ssh port to some other number such as 3322 or any port number over the standard port range which is not in use on the server; this may eliminate all hack attempts, but still leave the server open an nmap scan unless you have port scan detection setup?

I usually use CSF (an iptables manager like firewalld) which comes with Login Failure Daemon, and can help secure the server against a lot of Internet badness. http://www.configserver.com/cp/csf.html
CSF is also free and open source.

Thanks,
Bob

Post Reply