How this server is protected from DDoS attacks

I recently decided to switch away from CloudFlare and put my VPS directly on the internet.

In doing that, I lost DDoS protection, and in this post I will explain what I use instead and how you can configure it.

Apache

Apache actually has a bunch of modules you can install to mitigate DDoS and slowloris attacks. All you need to do is install them, which on Debian can be done with:

sudo apt install libapache2-mod-evasive libapache2-mod-qos

and now all that’s left is to configure a few config files. You can find these in

 /etc/apache2/mods-available/module.conf

so, to edit mod_evasive, edit

 sudo nano /etc/apache2/mods-available/evasive.conf

and you can now edit the config. Here are my settings:

 
    DOSHashTableSize    2048
    DOSPageCount        10
    DOSSiteCount        300
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   1800

    #DOSEmailNotify      nerdoflinux@gateblogs.com
    #DOSSystemCommand    "su - someuser -c '/sbin/... %s ...'"
    #Ban IP
    DOSSystemCommand    "sudo /usr/bin/evasiveblock.sh %s"
    DOSLogDir           "/var/log/mod_evasive"
    DOSWhiteList        myIPaddress

and in

 /usr/bin/evasiveblock.sh

, I have:

#!/bin/bash
# Run by mod_evasive through sudo with the offending client address as $1.
# Keep this file owned by root and not writable by www-data, since sudo runs it as root.

IP="$1"
email="nerdoflinux@gateblogs.com"

# An address containing a colon is IPv6; pick the matching iptables binary.
if [[ "$IP" =~ : ]]
then
    echo "IPv6 detected"
    IPTABLES=/sbin/ip6tables
else
    echo "IPv4 detected"
    IPTABLES=/sbin/iptables
fi

# Only add a rule if this address is not already being dropped.
# -F -w matches the address literally and whole, so 1.2.3.4 does not match 1.2.3.45.
if ! "${IPTABLES}-save" | grep -F -i -w "$IP" | grep -q -- "-j DROP"
then
    "$IPTABLES" -I INPUT -s "$IP" -j DROP
    # Schedule removal of the rule in 2 hours (needs the at daemon installed).
    echo "$IPTABLES -D INPUT -s $IP -j DROP" | at now + 2 hours
    printf "Dear Gate Blogs Admin,\n%s has tried to take down your VPS with a DoS attack, but mod_evasive was able to ban them.\nRegards,\nYour VPS\n" "$IP" | mail -s "DoS attack from $IP" "$email"
else
    echo "$IP already banned"
    exit 0
fi

All this script does is block the offending IP with iptables when mod_evasive detects an attack, and e-mail me the address. Also, you’ll want to make sure the

 www-data

user can write to the log folder, so use

 sudo chown -R www-data /var/log/mod_evasive

or whatever folder you decide to use. You’ll also need to allow

 www-data

to run iptables, so in the

 sudoers

file, have:

 www-data ALL=(ALL:ALL) NOPASSWD: /usr/bin/evasiveblock.sh
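To see which clients the DOSPageCount and DOSSiteCount settings above would actually flag, here is a small replay script (added example, not from the original post) that runs Apache access-log lines through those thresholds. It assumes the common log format, one-second intervals (DOSPageInterval/DOSSiteInterval of 1), and constructed sample lines using documentation addresses; mod_evasive itself uses sliding per-client timers, so treat this as a tuning aid rather than a replica.

```shell
#!/bin/bash
# Added example, not from the original post: replay access-log lines against
# mod_evasive-style thresholds. Approximation: fixed one-second buckets.

DOSPageCount=10        # same-page requests per interval per client
DOSSiteCount=300       # any-page requests per interval per client
DOSWhiteList=""        # space-separated client addresses to ignore

# Constructed sample lines in the common log format: 203.0.113.7 hits one
# page 12 times within the same second, 198.51.100.2 browses normally.
sample_log() {
  local i
  for i in $(seq 1 12); do
    echo "203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] \"GET /index.html HTTP/1.1\" 200 512"
  done
  echo "198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] \"GET /index.html HTTP/1.1\" 200 512"
  echo "198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] \"GET /about.html HTTP/1.1\" 200 512"
}

# Reads a log on stdin; prints "<ip> page|site <count>" once per flagged client.
evasive_check() {
  awk -v page_max="$DOSPageCount" -v site_max="$DOSSiteCount" -v allow="$DOSWhiteList" '
  BEGIN { n = split(allow, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
  $1 in white { next }                      # whitelisted clients are never flagged
  {
    ip = $1; ts = substr($4, 2); path = $7  # $4 = "[dd/Mon/yyyy:HH:MM:SS", $7 = request path
    page[ip SUBSEP ts SUBSEP path]++        # per client, per second, per page
    site[ip SUBSEP ts]++                    # per client, per second, whole site
  }
  END {
    for (k in page) { split(k, f, SUBSEP); if (page[k] > page_max) flag(f[1], "page", page[k]) }
    for (k in site) { split(k, f, SUBSEP); if (site[k] > site_max) flag(f[1], "site", site[k]) }
  }
  function flag(ip, why, hits) { if (!(ip in seen)) { seen[ip] = 1; print ip, why, hits } }'
}

sample_log | evasive_check    # prints: 203.0.113.7 page 12
```

To try it on your own server, replace `sample_log` with `cat /var/log/apache2/access.log` and put your own address in DOSWhiteList, as in the evasive.conf above.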

Rate Limiting

I also use rate limiting with iptables. I use UFW to block ports, so at the bottom of my

 /etc/ufw/before.rules

I have:

 -A INPUT -p tcp --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

which limits each IP to 15 connections (as far as I understand; it was copied from somewhere on the internet). All ports that I don’t need are blocked, so that takes care of any DoS attack not aimed at the five ports I have open. You’ll also want to put that in

 /etc/ufw/before6.rules

for IPv6.

Fail2Ban and PSAD

I also have Fail2Ban and PSAD installed and configured. To install,

 sudo apt install fail2ban psad

and the Fail2Ban config file is

 /etc/fail2ban/jail.local

which you need to create from the shipped defaults with

 sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

and the PSAD config is in

 /etc/psad/psad.conf

and both config files have pretty good comments in them, so you’ll know what you’re doing. If you need help with setting up PSAD, check out NerdOfCode’s post.
