How to prevent ddos attack

Support for security such as Firewalls and securing linux
wilburunion
Posts: 22
Joined: 2017/01/05 14:55:14

Re: How to prevent ddos attack

Post by wilburunion » 2017/08/24 13:53:09

fail2ban does work. You need to set it up properly. I have mine set to both use an ip blacklist - which is basically the entire world except the subnet I always log in on. Here is a how to => https://zach.seifts.us/posts/2013/07/14 ... persistent That way the login attempt is banned if it is not an approved IP network - AND it is added to the IP blacklist also as redundancy.

For others that come along - or if the link above stops working - here are the instructions pasted below. There are some other useful comments on the linked page, however, by others who have come along.

"Fail2ban is great because it looks at logs and if an entry matches a regular expression it will perform an action on the IP address from the log. You can make the actions do pretty much anything, typically the action is an iptables rule that will ban the user. The problem is when you restart the fail2ban service fail2ban clears the chain for the filter and parses the current log for matches, not the rotated logs. So you don't ban any IPs that were banned before logrotate rotated the old log.

You can make the bans persistent by setting up a blacklist and automatically loading them when fail2ban is restarted. First, you need to create a file to store blacklisted IPs.

sudo touch /etc/fail2ban/ip.blacklist
Then you can either make a copy or edit the /etc/fail2ban/action.d/iptables-multiport.conf file. I prefer to make a copy of it because I version all of my configs.

In the action config file you have a few different directives, we want to focus on 2, the actionstart and actionban. First, when fail2ban bans an IP we want to not only ban it, but we want to add the IP address to the ip.blacklist file.

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist
Then we want to be sure that the iptables rule is added when fail2ban is started, so we add the following lines of code to the actionstart directive:

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done < /etc/fail2ban/ip.blacklist
That's it, once you restart fail2ban it will automatically ban all of the IPs in your ip.blacklist file."
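Added example, not part of the post or the linked how-to: a small POSIX shell script that turns an ip.blacklist file into the iptables rules actionstart would load, but prints them instead of running them so the list can be reviewed without root. It also covers two things the one-liner above does not: duplicates are collapsed (the `echo <ip> >> ip.blacklist` in actionban appends a new line every time the same address is banned again), and entries that are not plain IPv4 addresses are reported and skipped instead of being handed to iptables. The chain name fail2ban-sshd and the sample addresses are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the post or the linked blog): build the iptables
# commands fail2ban's actionstart would run from an ip.blacklist file, but
# print them instead of executing them. Chain name fail2ban-sshd is assumed.

# Succeed only if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Read blacklist lines on stdin and emit one DROP rule per unique valid
# address for chain $1. Blank lines and "#" comments are ignored; stray
# whitespace and CRLF line endings are tolerated; bad entries go to stderr.
blacklist_rules() {
    chain=$1
    tr -d ' \t\r' | sort -u | while IFS= read -r ip; do
        case $ip in ''|'#'*) continue ;; esac
        if is_ipv4 "$ip"; then
            printf 'iptables -I %s 1 -s %s -j DROP\n' "$chain" "$ip"
        else
            printf 'skipping invalid blacklist entry: %s\n' "$ip" >&2
        fi
    done
}

# Constructed sample blacklist: a duplicate, a comment and two bad entries.
sample_blacklist() {
    printf '%s\n' '203.0.113.7' '# added by hand' '198.51.100.23' \
                  '203.0.113.7' 'not-an-ip' '256.1.1.1'
}

# Number of rules the sample produces (two: the duplicate collapses, the
# comment and both bad entries are skipped).
demo_rule_count() {
    sample_blacklist | blacklist_rules fail2ban-sshd 2>/dev/null | grep -c '^iptables '
}

# Stand-alone demo on the constructed sample. For the real file use:
#   blacklist_rules fail2ban-sshd < /etc/fail2ban/ip.blacklist
sample_blacklist | blacklist_rules fail2ban-sshd
```

To stop the duplicates at the source, the actionban line can be changed from `echo <ip> >> /etc/fail2ban/ip.blacklist` to `grep -qxF <ip> /etc/fail2ban/ip.blacklist || echo <ip> >> /etc/fail2ban/ip.blacklist`, which only appends an address that is not already listed.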

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: How to prevent ddos attack

Post by Spork Schivago » 2017/08/26 01:40:42

As twopoint71 recommends, ConfigServer Firewall is a great program. It's a bit like Fail2Ban in the sense that it helps secure your server a bit, but it covers a lot more than just failed SSH attempts. If you have cPanel installed and you install ConfigServer Firewall, you'll get a nice little section added to cPanel where you can configure CSF.

Also, another thing to consider is disabling keyboard authentication. For my server, I have keyboard authentication disabled entirely, and I have SSH running on a high port number. CSF catches port scans and blocks them, so it's much harder for an attacker to figure out what port my SSH server is running on. But even if they do find the address, and their IP address changes every time they try to connect (this would prevent CSF from preventing them from connecting because it cannot predict what their IP address is going to be), they still can't get in, even if they know or successfully guess a user's password. They can only log in if they have the key, which I keep on a thumb drive.

If you want, I believe you can force keyboard password authentication and require the SSH public key as well. So a person can only log in if they first have the public key, and then know the password. Without the public key, OpenSSH will refuse to accept the connection.

From what I've read, to configure both, you would add something like:

AuthenticationMethods publickey,password

to /etc/ssh/sshd_config

Someone else says you need to add:

RequiredAuthentications2 publickey,password

to the /etc/ssh/sshd_config file.

I haven't tried either, because I only use public key authentication, not password authentication.

Implementing the iptables firewall rule that other people suggested to limit the number of connection attempts in a certain amount of time, changing the port that the SSH server runs on, installing and properly configuring software like Fail2Ban or ConfigServer Firewall, and disabling password authentication or forcing public key authentication and using password authentication on top of that should help.

Be careful with the public key. If you mess it up, you might not be able to ssh into your server. If you want to implement it but have questions on how to do it or aren't sure about something, feel free to ask for help.
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.
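Added example, not part of the post above: a POSIX shell helper that reports the value sshd will actually use for the keywords discussed in this thread (Port, PubkeyAuthentication, PasswordAuthentication, AuthenticationMethods), given an sshd_config on stdin. The point it shows is that sshd keeps the first value it reads for a keyword and ignores later duplicates, so a `PasswordAuthentication no` pasted at the end of the file does nothing if an earlier line already says `yes`. The sample config is constructed for the demo; the port number and the Match block in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): print the value sshd will use for a
# keyword, reading an sshd_config on stdin. sshd takes the FIRST value for a
# keyword and ignores later duplicates; keywords are case-insensitive.
# Everything from the first "Match" block onward is conditional and is
# skipped here, so only the global setting is reported.
effective_sshd_setting() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }              # comment or blank line
        tolower($1) == "match" { in_match = 1 }    # conditional section starts
        in_match { next }
        tolower($1) == key {                       # first hit wins
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit
        }'
}

# Summarise the login-related settings for the config on stdin; a keyword
# that never appears is shown as <default>.
sshd_login_summary() {
    cfg=$(cat)
    for k in Port PubkeyAuthentication PasswordAuthentication AuthenticationMethods; do
        v=$(printf '%s\n' "$cfg" | effective_sshd_setting "$k")
        printf '%s=%s\n' "$k" "${v:-<default>}"
    done
}

# Constructed sample sshd_config: note the duplicate PasswordAuthentication
# line near the end (ignored by sshd) and the Match block (per-user only).
sample_sshd_config() {
    cat <<'EOF'
# constructed sample sshd_config for the demo
Port 2222
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF
}

# Stand-alone demo. For the live file: sshd_login_summary < /etc/ssh/sshd_config
sample_sshd_config | sshd_login_summary
```

Two notes on the AuthenticationMethods line from the post: the methods it lists must also be enabled on their own, so `publickey,password` needs both `PubkeyAuthentication yes` and `PasswordAuthentication yes` to actually prompt for the password after the key; and `sshd -T` prints the effective configuration the running sshd binary would use, which is the authoritative check once the file is in place.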

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: How to prevent ddos attack

Post by hunter86_bg » 2017/08/26 07:36:32

I think that port knocking will be your best bet. Of course, keep in mind that most scanners start from lower to higher ports very fast, so any 3 (or more) ports with a decent distance and random order will do the trick.

On the client I'm using a simple netcat sequence in a bash script, which you can use in your client's ssh script.
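Added example, not hunter86_bg's script: a client-side knock helper in POSIX shell built on netcat, plus a check that a chosen sequence follows the advice in the post (three or more ports, spread well apart, not in plain ascending order, so a low-to-high scanner does not trip it by accident). The minimum gap of 500 ports, the host name and the port numbers are assumptions; the server side (knockd or equivalent) is not shown.

```shell
#!/bin/sh
# Added example (not from the post): validate a port-knock sequence against
# the post's advice, then send it with netcat. Gap threshold of 500 ports and
# the demo sequence are assumptions.

# Succeed if the ports given as arguments form a usable knock sequence:
# at least 3 valid ports, every pair at least 500 apart (this also rejects
# duplicates), and not simply ascending.
knock_sequence_ok() {
    printf '%s\n' "$@" | awk -v min_gap=500 '
        { p[NR] = $1 }
        END {
            if (NR < 3 || (NR == 1 && p[1] == "")) {
                print "need at least 3 ports" > "/dev/stderr"; exit 1
            }
            asc = 1
            for (i = 1; i <= NR; i++) {
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 < 1 || p[i] + 0 > 65535) {
                    print "bad port: " p[i] > "/dev/stderr"; exit 1
                }
                if (i > 1 && p[i] + 0 <= p[i-1] + 0) asc = 0
                for (j = 1; j < i; j++) {
                    d = p[i] - p[j]; if (d < 0) d = -d
                    if (d < min_gap) {
                        print "ports " p[j] " and " p[i] " are too close" > "/dev/stderr"; exit 1
                    }
                }
            }
            if (asc) { print "sequence is plain ascending; reorder it" > "/dev/stderr"; exit 1 }
            exit 0
        }'
}

# Send the knock to host $1: one short TCP connection attempt per port, in
# order. The connections are expected to fail; the attempt itself is the knock.
# Assumes an nc that understands -z (no data) and -w (timeout in seconds).
knock() {
    host=$1; shift
    knock_sequence_ok "$@" || return 1
    command -v nc >/dev/null 2>&1 || { echo "nc not found" >&2; return 1; }
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1
        sleep 1
    done
}

# Stand-alone demo: only checks the sequence, sends nothing. A real client
# script would do something like:
#   knock ssh.example.com 7000 9000 8000 && ssh -p 2222 user@ssh.example.com
knock_sequence_ok 7000 9000 8000 && echo "knock sequence 7000 9000 8000 looks fine"
```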
