CSF + LFD DoS Protection - Tips & Tricks for attacks ; tcpkill

Get-Host.net (Registered Dec 15, 2010)
Hi,
I'm opening this thread because many times I have encountered heavy DDoS, DoS and other usual attacks, and after securing everything the DoS issue still existed - till now!

Because we host some high-frequency-DoS-attack ( :D ) websites, I as sysadmin needed to improve server security as well as I know how.
First install csf+LFD; that's a MUST HAVE with newer versions of cPanel.
Later you need to tweak its settings...

So after you set everything right you sit down and enjoy a few hours/days, and suddenly you receive a message that httpd is down and that lfd logged a DoS attack... everything seems OK, but again the same thing in a few hours...
The phone starts ringing, and a bunch of clients start to wonder why their sites are temporarily inaccessible...

So the next time I logged on via SSH and started to monitor connections - I received mail that lfd logged a DoS; it automatically puts the attacker's IP in the deny list (iptables deny), but the connections still exist...
So there I am, monitoring a banned IP that's DoSing LFD's messenger (the option to inform the attacker that his IP is being blocked; not on port 80, but on some other port).

Tip - a useful tool to detect a DoS attack:
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

So what to do? I can kill its TCP connection by sending empty packets, but I don't have time to sit in front of my laptop connected via SSH and react to every logged DoS attack (100+ a day after tweaking LFD).

So I searched the net and found a useful tool to kill TCP connections:

"tcpkill" in "dsniff" package -
Code:
yum install dsniff
(for RHEL & CentOS...)

That tool works perfectly, but you still need to be there to execute it and to put the right IP in the command...

So in the next few hours I'll try to connect tcpkill with lfd, so that when lfd logs a DoS it'll run
"tcpkill host 203.0.113.45", and kill tcpkill after a few minutes:

Code:
# tcpkill runs in the background; after 300 s the shell kills $!, the PID of that background job.
# 203.0.113.45 is a placeholder (TEST-NET-3 documentation range) for the attacker's IP.
tcpkill host 203.0.113.45 & sleep 300; kill $!
So I hope that httpd will keep running after being heavily attacked.


P.S. I was typing this post fast, so excuse me if you're not able to follow what I was thinking about while I was creating it :D

EDIT:

I need to edit lfd.pl, so before doing anything it's better to ask the program developers for their opinion and permission to edit the original files:

ConfigServer Scripts Forum - View topic - ConnectionTracking CT improvement ?! urgent issue
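The two pieces of the first post, the netstat connection count and the bounded tcpkill command, worked through as an added shell example (this is not code from the original post; the sample netstat output is constructed, and 203.0.113.45 / 198.51.100.x are documentation addresses standing in for an attacker and a normal client). It differs from the one-liner in two ways: the netstat header lines are skipped, and the port is stripped with a regex instead of `cut -d: -f1`, so IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`) are counted under `a.b.c.d` instead of as an empty field. The tcpkill command is printed rather than run, since tcpkill needs root and a live interface.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.

# Constructed sample of `netstat -ntu` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.45:51001      SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.45:51002      ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.45:51003      ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.45:51004      ESTABLISHED
tcp6       0      0 ::ffff:198.51.100.10:80 ::ffff:203.0.113.45:51005 ESTABLISHED
tcp        0      0 198.51.100.10:80        198.51.100.77:40001     ESTABLISHED
tcp        0      0 198.51.100.10:22        198.51.100.77:40002     ESTABLISHED
udp        0      0 198.51.100.10:53        198.51.100.77:40003     ESTABLISHED'

# count_by_ip: netstat -ntu text on stdin -> "<count> <remote ip>" lines, busiest first.
count_by_ip() {
    awk 'NR > 2 && $5 != "" {
             ip = $5
             sub(/:[0-9]+$/, "", ip)      # drop the port, whatever the address family
             sub(/^::ffff:/, "", ip)      # unwrap IPv4-mapped IPv6
             print ip
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# over_limit LIMIT: remote IPs with more than LIMIT connections, one per line.
# Pick LIMIT like csf's CT_LIMIT; a busy NAT or proxy can legitimately exceed a low value.
over_limit() {
    count_by_ip | awk -v lim="$1" '$1 > lim { print $2 }'
}

# tcpkill_cmd IP SECONDS DEGREE: the bounded command line from the post.
# tcpkill is backgrounded, the shell sleeps SECONDS, then $! (tcpkill's PID) is killed.
tcpkill_cmd() {
    printf 'tcpkill -%s host %s & sleep %s; kill $!\n' "$3" "$1" "$2"
}

# Walk the sample: list the counts, then emit a kill command for anything over 3 connections.
main() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip
    for ip in $(printf '%s\n' "$SAMPLE_NETSTAT" | over_limit 3); do
        tcpkill_cmd "$ip" 300 9
    done
}
main
```

On a live host replace the sample with `netstat -ntu | over_limit "$LIMIT"`; the SYN_RECV line in the sample is there to show that the count includes half-open connections, which is what a SYN flood from a single address looks like.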

Get-Host.net
re: CSF + LFD DoS Protection - Tips & Tricks for attacks ; tcpkill

None of the admins at ConfigServer.com has answered yet, but I did some tests locally, and it seems everything works fine...

!!! ONLY FOR LOCAL TESTING, MAY CAUSE "SERVER DOWN"; because of that we are waiting for the ConfigServer team to answer something on our thread over there!

Code:
apt-get install dsniff
or
yum install dsniff

*add sudo in front if you're not root
So in lfd.pl, after line 2166:
Code:
		my @csftmpdeny = <IN>;
		close (IN);
		chomp @csftmpdeny;

		foreach my $ip (keys %ipcnt) {
			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {
# BELOW THIS LINE
you need to add this:
Code:
#####################################################
my $timetokillx = 5;   # seconds to let tcpkill run before it is killed
my $attackforcex = 9;  # tcpkill degree 1-9; higher = more RSTs per connection
#################DO NOT TOUCH BELOW#######################
# $ip is a key of lfd's %ipcnt (connection counts per address), so it is a plain
# address. "\$!" is escaped so that bash, not Perl, expands it to the PID of the
# backgrounded tcpkill. system() blocks lfd for $timetokillx seconds per IP.
system("bash", "-c", "tcpkill -$attackforcex host $ip & sleep $timetokillx; kill \$!");
#####################################################
so it looks like this:
Code:
......................................
		foreach my $ip (keys %ipcnt) {
			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {

#####################################################
my $timetokillx = 5;   # seconds to let tcpkill run before it is killed
my $attackforcex = 9;  # tcpkill degree 1-9; higher = more RSTs per connection
#################DO NOT TOUCH BELOW#######################
# $ip is a key of lfd's %ipcnt (connection counts per address), so it is a plain
# address. "\$!" is escaped so that bash, not Perl, expands it to the PID of the
# backgrounded tcpkill. system() blocks lfd for $timetokillx seconds per IP.
system("bash", "-c", "tcpkill -$attackforcex host $ip & sleep $timetokillx; kill \$!");
#####################################################

				if ((grep {$_ =~ /^$ip\b/} @csfdeny) or (grep {$_ =~ /\|$ip\|\|/} @csftmpdeny)) {
					if ($config{DEBUG} >= 1) {&logfile("debug: (CT) IP $ip found to have $ipcnt{$ip} connections - IP already blocked")}
				} else {
......................................
Restart lfd.

Does anyone else have an opinion about this?
I'm not a Perl programmer, but scripting is similar in any language, so I really need others' opinions about this.

Also, $timetokillx is set to 5 seconds so as not to delay any other job lfd needs to do.
It would be better if $timetokillx were higher, but then tcpkill would need to run outside of this script so as not to cause any delay in its execution.

P.S. I just noticed that the thread name is missing the letters T & K :D *Protection & *Tricks
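The second post's open question is how to run tcpkill for longer than 5 seconds without blocking lfd, and the hook also hands `$ip` straight to `bash -c`. An added example of a wrapper script that addresses both (this is not code from the post or from ConfigServer's lfd.pl; the install path `/usr/local/sbin/tcpkill-bounded`, `TCPKILL_BIN` and `LOCK_DIR` are assumptions of this example). The hook would then become `system("/usr/local/sbin/tcpkill-bounded", $ip, 300)` with no shell involved, and it returns immediately: the wrapper validates the IP before it reaches any command line, refuses to start a second tcpkill for an IP that already has one running (the CT loop re-fires every CT_INTERVAL while the attacker is still listed), and detaches the bounded run, which coreutils `timeout` ends instead of `sleep; kill $!`.

```shell
#!/bin/sh
# Added example, not code from the original post or from ConfigServer's lfd.pl.

TCPKILL_BIN=${TCPKILL_BIN:-tcpkill}              # overridable for testing
LOCK_DIR=${LOCK_DIR:-/var/run/tcpkill-bounded}   # one lock directory per active IP

# valid_ip IP: dotted-quad IPv4, every octet 0-255, nothing else. The post's
# placeholder 123.234.345.456 fails this, as does anything carrying shell metacharacters.
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# lock_path IP: the per-IP lock; mkdir(2) is atomic, so two callers cannot both win it.
lock_path() { printf '%s/%s.lock\n' "$LOCK_DIR" "$1"; }

# kill_bounded IP SECONDS [DEGREE]: start `tcpkill -DEGREE host IP` detached,
# ended by `timeout` after SECONDS. Returns 0 started, 1 already running for
# this IP, 2 bad IP or unusable lock dir. The detached job releases the lock.
kill_bounded() {
    ip=$1; secs=$2; degree=${3:-9}
    valid_ip "$ip" || return 2
    mkdir -p "$LOCK_DIR" || return 2
    lock=$(lock_path "$ip")
    mkdir "$lock" 2>/dev/null || return 1
    # setsid (util-linux) gives the job its own session so an lfd restart does
    # not take it down; fall back to a plain background job if it is missing.
    detach=$(command -v setsid || true)
    $detach sh -c '
        timeout "$1" "$2" -"$3" host "$4"
        rmdir "$5"
    ' tcpkill-bounded "$secs" "$TCPKILL_BIN" "$degree" "$ip" "$lock" \
        </dev/null >>"$LOCK_DIR/tcpkill.log" 2>&1 &
    return 0
}

# Command-line use: tcpkill-bounded IP [SECONDS] [DEGREE]
if [ $# -gt 0 ]; then
    kill_bounded "$1" "${2:-300}" "${3:-9}" && echo "started tcpkill for $1"
fi
```

tcpkill still needs root and a live interface, which lfd has. The lock directories live under /var/run, so they do not survive a reboot; if a run is interrupted some other way (for example the box is out of memory and the job is killed), delete the stale `<ip>.lock` directory by hand or the IP will not be re-killed.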