CSF + LFD DoS Protection - Tips & Tricks for attacks ; tcpkill

Discussion in 'Security' started by Get-Host.net, Dec 15, 2010.

  1. Get-Host.net

    Hi,
    I'm opening this thread because many times I have encountered heavy DDoS, DoS and other usual attacks, and after securing everything the DoS issue still existed - until now!

    Because we host some high-frequency-DoS-attack ( :D ) websites, I as sysadmin needed to improve server security as well as I know how.
    First, install CSF+LFD; that's a MUST HAVE with newer versions of cPanel.
    Later you need to tweak its settings...

    So after you set everything right, you sit down and enjoy a few hours/days, and suddenly you receive a message that httpd is down and that lfd logged a DoS attack... everything seems OK, but again the same thing in a few hours...
    The phone starts ringing, and a bunch of clients start to wonder why their sites are temporarily inaccessible...

    So the next time, I logged in over SSH and started to monitor connections. I received mail that lfd had logged a DoS; it automatically puts the attacker's IP in the deny list (iptables deny), but the connections still existed...
    So there I am, monitoring a banned IP that's DoSing LFD's messenger (the option to inform the attacker that his IP is being blocked; not on port 80, but on some other port).

    Tip - a useful tool to detect a DoS attack:
    Code:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    So what to do? I can kill its TCP connection by sending empty packets, but I don't have time to be in front of my laptop connected to SSH and react to every logged DoS attack (100+ a day after tweaking LFD).

    So I searched the net and found a useful tool to kill TCP connections:

    "tcpkill" in "dsniff" package -
    Code:
    yum install dsniff
    (for RHEL & CentOS...)

    That tool runs perfectly, but you still need to be there to execute it and to put the right IP in the command...

    So in the next few hours I'll try to connect tcpkill with lfd, so that when lfd logs a DoS it'll run
    "tcpkill host 123.234.345.456", and kill tcpkill after a few minutes:

    Code:
    tcpkill host 123.234.345.456 & sleep 300; kill $!
    So I hope that httpd will keep running after being heavily attacked.


    P.S. I was typing this post fast, so excuse me if you're not able to follow what I was thinking about while I was creating it :D

    EDIT:

    I need to edit lfd.pl, so before doing anything it's better to ask the program's developers for their opinion and permission to edit the original files:

    ConfigServer Scripts Forum - View topic - ConnectionTracking CT improvement ?! urgent issue
     
    #1 Get-Host.net, Dec 15, 2010
    Last edited: Dec 15, 2010
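An added example, not from the thread and not part of csf/lfd, that does in Python what the netstat one-liner above does and then applies the same over-the-limit test the thread later borrows from lfd's connection tracking; the netstat lines, the limit and the ignore list are constructed. Unlike `cut -d: -f1`, it keeps IPv6 endpoints intact and folds IPv4-mapped ones (`::ffff:a.b.c.d`) back to IPv4.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed sample of `netstat -ntu` output (not captured from a real server).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:51238 ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40001      ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::beef:44000  ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::beef:44001  ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.4:5353          ESTABLISHED
"""


def remote_ip(endpoint):
    # Split on the LAST colon so an IPv6 'addr:port' stays intact; the original
    # `cut -d: -f1` one-liner truncates IPv6 and yields '' for ::ffff: forms.
    addr = ip_address(endpoint.rsplit(":", 1)[0])
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4: one host, one bucket.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def count_connections(netstat_output):
    # Connections per remote IP, i.e. column 5 ("Foreign Address") of netstat.
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            counts[remote_ip(fields[4])] += 1
        except ValueError:  # header lines or anything that is not addr:port
            continue
    return counts


def flag_offenders(counts, ct_limit, ignore=()):
    # Same test as the lfd.pl fragment quoted in the thread:
    #   $ipcnt{$ip} > $config{CT_LIMIT} and !&ignoreip($ip)
    # Returned busiest-first so the top talker is always the first entry.
    ignored = set(ignore)
    hits = [(ip, n) for ip, n in counts.items() if n > ct_limit and ip not in ignored]
    return sorted(hits, key=lambda item: (-item[1], item[0]))
```

On a live box, feed it `subprocess.check_output(["netstat", "-ntu"], text=True)` instead of the constructed sample.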
  2. Get-Host.net

    re: CSF + LFD DoS Protection - Tips & Tricks for attacks ; tcpkill

    None of the admins of ConfigServer.com have answered yet, but I did some tests locally, and it seems everything works fine...

    !!!ONLY FOR LOCAL TESTING, MAY CAUSE "SERVER DOWN"; because of that we are waiting for the ConfigServer team to answer something on our thread over there!

    Code:
    apt-get install dsniff
    or
    yum install dsniff
    
    *add sudo in front if you're not root
    so in lfd.pl after line 2166:
    Code:
    		my @csftmpdeny = <IN>;
    		close (IN);
    		chomp @csftmpdeny;
    
    		foreach my $ip (keys %ipcnt) {
    			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {
    			# BELOW THIS LINE
    
    you need to add this:
    Code:
    #####################################################
    my $timetokillx = 5;  # seconds to let tcpkill run before it is killed
    my $attackforcex = 9; # (1-9); higher number = heavier kill type (tcpkill's -1..-9 degree flag)
    #################DO NOT TOUCH BELOW#######################
    my $abcx = '$!';      # single-quoted so bash, not Perl, expands $! (PID of the backgrounded tcpkill)
    system("bash", "-c", "tcpkill -$attackforcex host $ip & sleep $timetokillx; kill $abcx");
    #####################################################
    so it looks like this:
    Code:
    ......................................
    		foreach my $ip (keys %ipcnt) {
    			if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {
    
    #####################################################
    my $timetokillx = 5;  # seconds to let tcpkill run before it is killed
    my $attackforcex = 9; # (1-9); higher number = heavier kill type (tcpkill's -1..-9 degree flag)
    #################DO NOT TOUCH BELOW#######################
    my $abcx = '$!';      # single-quoted so bash, not Perl, expands $! (PID of the backgrounded tcpkill)
    system("bash", "-c", "tcpkill -$attackforcex host $ip & sleep $timetokillx; kill $abcx");
    #####################################################
    
    				if ((grep {$_ =~ /^$ip\b/} @csfdeny) or (grep {$_ =~ /\|$ip\|\|/} @csftmpdeny)) {
    					if ($config{DEBUG} >= 1) {&logfile("debug: (CT) IP $ip found to have $ipcnt{$ip} connections - IP already blocked")}
    				} else {
    ......................................
    Restart lfd.

    Does anyone else have an opinion about this?
    I'm not a Perl programmer, but scripting is similar in any language, so I really need others' opinions about this.

    Also, $timetokillx is set to 5 seconds so as not to delay any other job lfd needs to do.
    It would be better if $timetokillx were higher, but then tcpkill would need to run outside of this script so as not to cause any delay in execution...

    P.S. I just noticed that the thread name is missing the letters T & K :D *Protection & *Tricks
     
    #2 Get-Host.net, Dec 18, 2010
    Last edited: Dec 18, 2010
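An added example, not the thread's code and not part of csf/lfd, of running the post's `tcpkill ... & sleep N; kill $!` pattern without blocking the caller for N seconds, which is the delay the post describes as the reason for keeping $timetokillx at 5. `launch_bounded` is a hypothetical name, and `sleep 30` stands in for the tcpkill command so the block runs without root or dsniff.

```python
import os
import signal
import subprocess
import threading


def launch_bounded(argv, seconds):
    # Start argv in its own process group and return at once; a helper thread
    # tears the whole group down after `seconds`. The post's
    #   system("bash", "-c", "tcpkill ... & sleep N; kill $!")
    # blocks the caller (lfd's CT loop) for the full N seconds instead.
    proc = subprocess.Popen(argv, start_new_session=True)

    def reaper():
        try:
            proc.wait(timeout=seconds)   # exited on its own: nothing to do
            return
        except subprocess.TimeoutExpired:
            pass
        # Escalate TERM -> KILL; killpg also reaches any children the
        # command forked, which `kill $!` on a single PID would miss.
        for sig in (signal.SIGTERM, signal.SIGKILL):
            try:
                os.killpg(proc.pid, sig)
                proc.wait(timeout=2)
                return
            except subprocess.TimeoutExpired:
                continue
            except ProcessLookupError:   # already gone between wait and kill
                return

    # Non-daemon on purpose: the interpreter will not exit with the child
    # still running and unkilled.
    threading.Thread(target=reaper).start()
    return proc


if __name__ == "__main__":
    # Constructed stand-in for the tcpkill command from the post.
    p = launch_bounded(["sleep", "30"], 2)
    print("caller continues; child", p.pid, "still running:", p.poll() is None)
    p.wait()
    print("child ended with return code", p.returncode)  # -15: killed by SIGTERM
```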