ConfigServer Scripts Forum - View topic - ConnectionTracking CT improvement ?! urgent issue

Hi,
I'm opening this thread because many times I have encountered heavy DDoS, DoS and other usual attacks, and after securing everything the DoS issue still existed - till now!
Because we host some high-frequency-DoS-attack ( :D ) websites, I as a sysadmin needed to improve server security as well as I know how.
First, install csf+LFD; that's a MUST HAVE with newer versions of cPanel.
Later you need to tweak its settings...
So after you set everything right, you sit down and enjoy a few hours/days, and suddenly you receive a message that httpd is down and that lfd logged a DoS attack... everything seems OK, but again the same thing in a few hours...
The phone starts ringing, and a bunch of clients start to wonder why their sites are temporarily inaccessible...
So the next time I logged in via SSH and started to monitor connections - I received mail that lfd logged a DoS; it automatically puts the attacker's IP in the deny list (iptables deny), but the connections still exist...
So there I'm monitoring a banned IP that's DoSing LFD's messenger (the option to inform the attacker that his IP is being blocked; not on port 80, but on some other port).
Tip - a useful tool to determine a DoS attack:
Code:
# connections per remote address, busiest address last (IPv4 rows; cut -d: breaks on IPv6 peers)
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
So what to do? I can kill its TCP connection by sending empty packets, but I don't have time to be in front of my laptop connected via SSH and react to every logged DoS attack (100+ a day after tweaking LFD).
So I searched the net and found a useful tool to kill TCP connections:
"tcpkill" in the "dsniff" package -
Code:
yum install dsniff   # for RHEL & CentOS
That tool runs perfectly, but you still need to be there to execute it and to put the right IP in the command...
So in the next few hours I'll try to connect tcpkill with lfd, so that when lfd logs a DoS it'll run
"tcpkill host 123.234.345.456", and kill tcpkill after a few minutes:
Code:
# 123.234.345.456 is a placeholder (not a valid address); substitute the attacker's IP
tcpkill host 123.234.345.456 & sleep 300; kill $!   # $! is tcpkill's PID, stopped after 5 minutes
P.S. I was typing this post fast, so excuse me if you're not able to follow what I was thinking about while I was creating it :D
EDIT:
I need to edit lfd.pl, so before doing anything it's better to ask the program developers for their opinion and permission to edit the original files.
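An added example (not code from the post above, and not part of ConfigServer's csf/lfd) that does what the post is working towards in one script: the connection count from the netstat tip, but with a threshold and with only the trailing :port stripped, so IPv6 peers on tcp6 rows are counted as one address (the `cut -d: -f1` one-liner cuts them at the first colon); and a tcpkill run that stops on its own after a set number of seconds via coreutils `timeout` instead of `sleep 300; kill $!`. It assumes root, dsniff installed, `timeout` present, and the sniffing interface in `$IFACE` (eth0 if unset); the netstat rows inside `sample_netstat` are constructed, not a real capture, and the 203.0.113.x / 198.51.100.x / 2001:db8:: peers are documentation addresses. Called with one IP it kills just that host, which is the shape a hook script needs (current csf versions have a BLOCK_REPORT setting in csf.conf that runs an external script with the blocked IP as its first argument, so lfd.pl does not need editing); called with a number it uses that as the connection threshold.

```bash
#!/bin/bash
# Added example, not code from the post above nor from ConfigServer's csf/lfd.
# Assumes: root, dsniff (tcpkill) installed, coreutils `timeout`, and the
# sniffing interface in $IFACE (eth0 if unset).

# Print "<count> <address>" for each remote address holding >= $1 connections
# (default 1), busiest first. Reads `netstat -ntu` output on stdin.
# Unlike `cut -d: -f1`, this drops only the trailing :port, so IPv6 peers on
# tcp6/udp6 rows are counted as one address instead of being cut at the
# first colon.
count_remote() {
    awk -v t="${1:-1}" '
        $1 ~ /^(tcp|udp)/ {            # data rows only; skips the two header lines
            addr = $5                  # "Foreign Address" column, ip:port
            sub(/:[0-9]+$/, "", addr)  # strip the port, keep the address whole
            n[addr]++
        }
        END { for (a in n) if (n[a] >= t) print n[a], a }
    ' | sort -rn
}

# Only the addresses, one per line: the input the kill step needs.
offenders() {
    count_remote "$1" | awk '{ print $2 }'
}

# Run tcpkill against host $1 for $2 seconds (default 300), then stop it.
# Same effect as the post's `tcpkill host X & sleep 300; kill $!`, but
# `timeout` also stops tcpkill if this script itself is killed.
# Caveat: tcpkill only resets connections whose packets it sees on $IFACE;
# it does nothing against a SYN flood from spoofed source addresses.
tcpkill_for() {
    timeout "${2:-300}" tcpkill -i "${IFACE:-eth0}" -9 host "$1"
}

# Constructed sample in `netstat -ntu` layout (not a real capture).
# 203.0.113.7 holds 4 connections, 198.51.100.9 one, 2001:db8::1 one.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51001       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51003       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51004       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:40000      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::1:45000       ESTABLISHED
EOF
}

# Entry point. `dos_react.sh 203.0.113.7` kills that one host (the shape an
# lfd hook script needs: the blocked IP as $1); `dos_react.sh 50` kills every
# address currently holding 50 or more connections, each for 5 minutes.
main() {
    case "$1" in
        *.*|*:*)
            tcpkill_for "$1"
            ;;
        *)
            netstat -ntu | offenders "${1:-50}" | {
                while read -r ip; do tcpkill_for "$ip" & done
                wait    # inside the subshell, so it waits for its own tcpkills
            }
            ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Against the constructed sample, `sample_netstat | count_remote 2` prints only `4 203.0.113.7`, and `count_remote 1` lists the IPv6 peer as `2001:db8::1` rather than `2001`. The threshold-driven mode is the cron/manual fallback; the single-IP mode is what you would point lfd at.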