Protect your server from a Denial of Service attack
Connecting a computer to the Internet always involves some risk, but it is a risk we can reduce; that is where filters, firewalls and similar tools come in. An ordinary user who wants to set up a server can do so easily with, for example, Ubuntu Server. One thing we rarely consider when we start offering a service (personal or shared) is that we can be attacked at any time, whether by novices proving to themselves that they can do it, a guru testing something, or just someone who wants to annoy us.
Among the different kinds of attack is one called “Denial of Service” (DoS), which saturates the number of IP connections our server allows.
There are ways to avoid this. Say a server is handling 100,000 queries per second: it certainly won’t let anyone else connect to it. Now suppose it is not just one client but many who want to break our system. It could turn into a big disaster.
I found a piece of software to avoid this, which watches the connections and the IPs that are connected. Here’s a little description, followed by the link to download this program.
Installing it on our server is easy; the developers give us a very simple script to install it. The script is fetched over plain HTTP, so read through it before running it.
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
They also give us a script in case we want to uninstall it:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
Once DoS-Deflate is installed, we can edit the configuration in /usr/local/ddos/ddos.conf:
- FREQ=1 – Sets how often the script runs, in minutes. It runs every 1 minute by default, which seems reasonable given that your web server could be saturated from one minute to the next.
- NO_OF_CONNECTIONS=150 – Sets the connection limit, 150 by default. If an IP address makes more connections than this limit, it is blocked for the period set in BAN_PERIOD.
- BAN_PERIOD=600 – How long the IP address stays blocked from our server if it exceeds the connection limit. The default is 10 minutes; you may change it to 3600 seconds (1 hour).
- APF_BAN=1 – If it’s on (1), APF is used. If you don’t have APF installed, change it to 0 so that iptables is used instead.
We’ll receive an e-mail notification every time an IP is blocked.
You can also exclude an IP from being banned (say you know the owner of that IP and that they make many connections) by entering it in /usr/local/ddos/ignore.ip.list.
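To judge a NO_OF_CONNECTIONS value and an ignore list before relying on them, the following added example (not DoS-Deflate's own code) runs the kind of per-IP connection count those settings describe over a constructed netstat-style sample and only reports the addresses that would be blocked. The function names, the sample addresses and the lowered limit of 3 are assumptions made for the demonstration.

```shell
# Dry run of a per-IP connection limit with an ignore list.
# Added illustration, not DoS-Deflate's own code; it blocks nothing.
NO_OF_CONNECTIONS=3        # assumption: lowered from the default 150 for the sample
IGNORE_IPS="203.0.113.9"   # assumption: stands in for ignore.ip.list

# Constructed sample in `netstat -ntu` layout (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51517      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51518      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.20:40122     ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.20:40123     TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.9:33001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33003       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:33004       ESTABLISHED
EOF
}

# Read netstat-style lines on stdin; print "count ip" for every remote address
# holding more than $1 connections, skipping the space-separated addresses in $2.
offenders() {
    limit=$1 ignore=$2
    awk -v limit="$limit" -v ignore="$ignore" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            ip = $5; sub(/:[0-9*]+$/, "", ip)    # strip the :port suffix
            if (ip != "" && !(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Report only: which addresses exceed the limit in the sample.
sample_netstat | offenders "$NO_OF_CONNECTIONS" "$IGNORE_IPS"
```

On a real server, pipe `netstat -ntu` into `offenders` instead of the sample and pass the limit you are considering; legitimate heavy clients that show up in the output are candidates for the ignore list.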
Source | LaWebHosting