How this server is protected from DDoS attacks


I recently decided to switch away from CloudFlare and put my VPS directly on the internet.

In doing that, I lost DDoS protection, and in this post I will explain what I use instead and how you can configure it.

Apache

Apache has a couple of modules that help mitigate DDoS and slowloris attacks. All you need to do is install them, which on Debian can be done with:

sudo apt install libapache2-mod-evasive libapache2-mod-qos

and then configure each module. The config files live under

 /etc/apache2/mods-available/module.conf

so, to configure mod_evasive, open

 sudo nano /etc/apache2/mods-available/evasive.conf

Here are my settings:

    DOSHashTableSize    2048
    DOSPageCount        10
    DOSSiteCount        300
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   1800

    #DOSEmailNotify      nerdoflinux@gateblogs.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    # Ban the offending IP via the hook script below
    DOSSystemCommand    "sudo /usr/bin/evasiveblock.sh %s"
    DOSLogDir           "/var/log/mod_evasive"
    DOSWhiteList        myIPaddress

and in

 /usr/bin/evasiveblock.sh

I have:

#!/bin/bash
# Ban hook that mod_evasive runs through sudo as: evasiveblock.sh <ip>
# Because it runs as root, the file must be owned by root and must not be
# writable by www-data, or the sudoers entry below hands www-data root.

IP=$1
email="nerdoflinux@gateblogs.com"

# Accept only characters that can appear in an IP address before the value
# is passed to iptables and at; this also rejects an empty argument.
if [[ ! $IP =~ ^[0-9A-Fa-f.:]+$ ]]; then
    echo "refusing invalid address: '$IP'" >&2
    exit 1
fi

# An address containing ':' is IPv6; pick the matching iptables binary.
if [[ $IP =~ : ]]
then
    echo "IPv6 detected"
    IPTABLES=/sbin/ip6tables
else
    echo "IPv4 detected"
    IPTABLES=/sbin/iptables
fi

# Only add a rule if this address is not already dropped. -F matches the
# address literally and -w stops 10.0.0.1 from matching 10.0.0.10.
if ! "$IPTABLES-save" | grep -Fiw -- "$IP" | grep -F -- "-j DROP" >/dev/null 2>&1
then
    "$IPTABLES" -I INPUT -s "$IP" -j DROP
    # Lift the ban automatically after two hours.
    echo "$IPTABLES -D INPUT -s $IP -j DROP" | at now + 2 hours
    printf 'Dear Gate Blogs Admin,\n%s has tried to take down your VPS with a DoS attack, but mod_evasive was able to ban them.\nRegards,\nYour VPS\n' "$IP" | mail -s "DoS attack from $IP" "$email"
else
    echo "$IP already banned"
    exit 0
fi

When mod_evasive triggers it, this script blocks the address with iptables, schedules the rule to be removed two hours later, and emails me the address. You'll also want to make sure the

 www-data

user can write to the log folder, so use

 sudo chown -R www-data /var/log/mod_evasive

or whatever folder you decide to use. You’ll also need to allow

 www-data

to run iptables, so in the

 sudoers

file, have:

 www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/evasiveblock.sh

Because sudo then runs the script as root, keep it owned by root and writable only by root; if www-data could edit it, this entry would hand www-data root.
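To confirm that the hook and its sudoers entry are in a safe state, here is an added example script (not from the original post). It assumes the layout above: the hook at /usr/bin/evasiveblock.sh, the sudoers line granting it to www-data, and GNU coreutils stat. perm_ok and check_sudoers_entry work on plain values and files; check_hook_script verifies that the file sudo will run as root is owned by root, not writable by group or other, and executable.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# mod_evasive ban hook that www-data runs through sudo. Assumes the hook at
# /usr/bin/evasiveblock.sh, the sudoers line shown above, and GNU/busybox stat.

HOOK=/usr/bin/evasiveblock.sh

# perm_ok MODE: succeed if an octal mode such as 755 grants no write bit to
# group or other. Only the last two digits (group, other) matter here.
perm_ok() {
    m=$1
    group=$(printf '%s' "$m" | tail -c 2 | cut -c1)
    other=$(printf '%s' "$m" | tail -c 1)
    case $group in 2|3|6|7) return 1 ;; esac
    case $other in 2|3|6|7) return 1 ;; esac
    return 0
}

# check_hook_script PATH: the file sudo will run as root must be owned by
# root, not writable by group or other, and executable. Any other state lets
# whoever can write the file run their own commands as root.
check_hook_script() {
    path=$1
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    uid=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    [ "$uid" -eq 0 ] || { echo "not owned by root: $path (uid $uid)"; return 1; }
    perm_ok "$mode" || { echo "writable by group/other: $path (mode $mode)"; return 1; }
    [ -x "$path" ] || { echo "not executable: $path"; return 1; }
    echo "ok: $path"
}

# check_sudoers_entry FILE [HOOK]: succeed if FILE grants www-data exactly the
# hook with NOPASSWD, in the form the post uses. Whitespace is normalised so
# tabs or double spaces still match; a broader grant such as "NOPASSWD: ALL"
# deliberately does not.
check_sudoers_entry() {
    file=$1
    hook=${2:-$HOOK}
    [ -r "$file" ] || { echo "cannot read: $file"; return 1; }
    sed 's/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//' "$file" |
        grep -Fxq "www-data ALL=(ALL:ALL) NOPASSWD: $hook"
}

# run_checks [SUDOERS_FILE]: run everything; non-zero if any check failed.
# The default of /etc/sudoers is an assumption; pass a sudoers.d file if you
# keep the entry there.
run_checks() {
    sudoers=${1:-/etc/sudoers}
    status=0
    check_hook_script "$HOOK" || status=1
    if check_sudoers_entry "$sudoers"; then
        echo "ok: sudoers entry in $sudoers"
    else
        echo "missing: sudoers entry for $HOOK in $sudoers"
        status=1
    fi
    return $status
}

# Usage: sudo sh evasive-check.sh /etc/sudoers
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

Run it as root so /etc/sudoers is readable; a non-zero exit means at least one of the conditions above does not hold.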

Rate Limiting

I also use rate limiting with iptables. I use UFW to block ports, so at the bottom of my

 /etc/ufw/before.rules

I have:

 -A INPUT -p tcp --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

which limits each IP to 15 connections (as far as I understand, it was copied from somewhere on the internet). All ports that I don't need are blocked, so that takes care of any DoS attack not on the five ports I have open. You'll also want to put that in

 /etc/ufw/before6.rules

for IPv6.
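As an added example (not from the original post), the following script builds the connlimit rule for each IP version and checks that a ufw rules file carries it inside the *filter table, before that table's COMMIT line, which is the only place ufw loads it from; a rule appended after COMMIT is silently ignored. It uses --connlimit-mask 128 for IPv6, because a mask of 32 on an IPv6 address counts every host in a /32 prefix under one counter instead of limiting a single address. The /etc/ufw directory and the limit of 15 are defaults taken from the post; pass another directory to test against copies.

```shell
#!/bin/sh
# Added example, not from the original post: build the per-source SYN
# connection limit for IPv4/IPv6 and check that a ufw before.rules file carries
# it inside the *filter table, ahead of that table's COMMIT (ufw only loads
# rules placed there). The default directory /etc/ufw is an assumption.

# connlimit_rule VERSION LIMIT: print the rule for IP version 4 or 6.
# The mask picks how many leading bits of the source address form one counter:
# 32 is a single IPv4 address, but on IPv6 it would pool a whole /32 prefix,
# so IPv6 needs 128 to mean "one address".
connlimit_rule() {
    ver=$1
    limit=$2
    case $ver in
        4) mask=32 ;;
        6) mask=128 ;;
        *) echo "unsupported IP version: $ver" >&2; return 1 ;;
    esac
    printf '%s\n' "-A INPUT -p tcp --syn -m connlimit --connlimit-above $limit --connlimit-mask $mask -j REJECT --reject-with tcp-reset"
}

# rule_in_filter_table FILE RULE: succeed if RULE appears between a "*filter"
# line and the COMMIT that closes that table. Lines after COMMIT are ignored.
rule_in_filter_table() {
    file=$1
    rule=$2
    [ -r "$file" ] || return 1
    awk -v rule="$rule" '
        /^\*filter/ { infilter = 1; next }
        /^COMMIT/   { infilter = 0; next }
        infilter && $0 == rule { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# audit_ufw [DIR] [LIMIT]: check both rule files and report; non-zero if
# either is missing the rule or has it outside the *filter table.
audit_ufw() {
    dir=${1:-/etc/ufw}
    limit=${2:-15}
    status=0
    for ver in 4 6; do
        case $ver in
            6) f=$dir/before6.rules ;;
            *) f=$dir/before.rules ;;
        esac
        rule=$(connlimit_rule "$ver" "$limit")
        if rule_in_filter_table "$f" "$rule"; then
            echo "ok:      $f"
        else
            echo "missing: $f (rule absent, unreadable, or placed after COMMIT)"
            status=1
        fi
    done
    return $status
}

# Usage: sh ufw-connlimit-check.sh /etc/ufw 15
if [ "$#" -gt 0 ]; then
    audit_ufw "$@"
fi
```

The match is exact, so the rule in the file must be written on one line with the same spacing as connlimit_rule prints it; that is also the form iptables-restore expects.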

Fail2Ban and PSAD

I also have Fail2Ban and PSAD installed and configured. To install,

 sudo apt install fail2ban psad

and the Fail2Ban config lives in

 /etc/fail2ban/jail.local

which you create by copying the defaults:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and the PSAD config is in

 /etc/psad/psad.conf

and both config files have pretty good comments in them, so you’ll know what you’re doing. If you need help with setting up PSAD, check out NerdOfCode’s post.
