Securizare server CentOS 6.4 (64bit) - DoS Attack

Am un server cu CentOS 6.4 / 64bit si de cateva ore bune (cred ca) sunt tinta unui atac DoS.

Va dau cateva randuri din LOG-uri:

29-Oct-2013 18:46:01.464 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:01.796 client 98.177.228.39#37734: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:01.804 client 190.210.176.4#4532: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:01.937 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:02.003 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:02.159 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:02.242 client 98.177.228.39#13514: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:02.617 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:02.687 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:02.853 client 185.4.149.15#11373: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:02.896 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:03.316 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:04.026 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:04.098 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:04.763 client 2.88.107.51#15934: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:04.812 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:05.022 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:05.264 client 190.210.176.254#6516: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:05.469 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:05.537 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:05.690 client 190.210.176.253#55662: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:05.690 client 190.210.176.253#30200: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:05.693 client 2.88.107.51#39585: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:05.697 client 190.210.176.4#23011: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:05.729 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:06.005 client 2.88.107.51#7206: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:06.010 client 2.88.107.51#25117: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:06.161 client 91.121.220.207#50650: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.161 client 91.121.220.207#43183: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.168 client 91.121.220.207#50534: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.182 client 91.121.220.207#10125: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.192 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:06.264 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:06.390 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:06.544 client 91.121.220.207#32801: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.666 client 91.121.220.207#6145: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.691 client 91.121.220.207#46949: query (cache) 'a.packetdevil.com/A/IN' denied
29-Oct-2013 18:46:06.925 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:06.997 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:07.062 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:07.680 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:07.753 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:08.003 client 2.88.107.51#12735: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:08.399 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied
29-Oct-2013 18:46:08.440 client 190.210.176.253#52158: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:08.444 client 190.210.176.253#32149: query (cache) 'pkts.asia/ANY/IN' denied
29-Oct-2013 18:46:09.143 client 192.99.5.169#25345: query (cache) 'isc.org/ANY/IN' denied

... si logurile acestea sunt interminabile ...

Ei bine, log-urile astea "curg" cu o repeziciune de nedescris !!! Load-ul a urcat la vreo 31~40, cand din conditii normale de utilizare statea undeva la vreo 0.50 ...
Am pus un firewall IPTABLES combinat cu Fail2Ban ... Fail2Ban a inceput sa dea ban-uri in nestire, cred ca da cate un ban la fiecare 3~5 secunde ... dar, atacurile continua si load-ul pe server ramane.

in IPTABLES au inceput sa apara IP-urile:

Chain fail2ban-Named (1 references)
num target	 prot opt source			 destination
1 REJECT	 all -- 86.127.118.226	 0.0.0.0/0		 reject-with icmp-port-unreachable
2 REJECT	 all -- 192.99.5.169		 0.0.0.0/0		 reject-with icmp-port-unreachable
3 REJECT	 all -- 190.210.176.3	 0.0.0.0/0		 reject-with icmp-port-unreachable
4 REJECT	 all -- 94.14.219.166	 0.0.0.0/0		 reject-with icmp-port-unreachable
5 REJECT	 all -- 109.219.158.175	 0.0.0.0/0		 reject-with icmp-port-unreachable
6 REJECT	 all -- 81.110.18.179	 0.0.0.0/0		 reject-with icmp-port-unreachable
7 REJECT	 all -- 82.77.157.6		 0.0.0.0/0		 reject-with icmp-port-unreachable
8 REJECT	 all -- 62.50.35.247		 0.0.0.0/0		 reject-with icmp-port-unreachable
9 REJECT	 all -- 37.59.56.164		 0.0.0.0/0		 reject-with icmp-port-unreachable
10 REJECT	 all -- 2.88.107.51		 0.0.0.0/0		 reject-with icmp-port-unreachable
11 REJECT	 all -- 82.77.157.2		 0.0.0.0/0		 reject-with icmp-port-unreachable
12 REJECT	 all -- 64.94.238.15		 0.0.0.0/0		 reject-with icmp-port-unreachable
13 REJECT	 all -- 178.63.95.7		 0.0.0.0/0		 reject-with icmp-port-unreachable
14 REJECT	 all -- 190.210.177.254	 0.0.0.0/0		 reject-with icmp-port-unreachable
15 REJECT	 all -- 193.231.100.22	 0.0.0.0/0		 reject-with icmp-port-unreachable
16 REJECT	 all -- 190.210.177.253	 0.0.0.0/0		 reject-with icmp-port-unreachable
17 REJECT	 all -- 82.76.252.18		 0.0.0.0/0		 reject-with icmp-port-unreachable
18 REJECT	 all -- 83.21.79.252		 0.0.0.0/0		 reject-with icmp-port-unreachable
19 REJECT	 all -- 109.99.188.88	 0.0.0.0/0		 reject-with icmp-port-unreachable
20 REJECT	 all -- 74.125.189.23	 0.0.0.0/0		 reject-with icmp-port-unreachable
21 REJECT	 all -- 190.210.177.252	 0.0.0.0/0		 reject-with icmp-port-unreachable
22 REJECT	 all -- 193.231.100.37	 0.0.0.0/0		 reject-with icmp-port-unreachable
23 REJECT	 all -- 81.196.14.134	 0.0.0.0/0		 reject-with icmp-port-unreachable
24 REJECT	 all -- 190.210.177.234	 0.0.0.0/0		 reject-with icmp-port-unreachable
25 RETURN	 all -- 0.0.0.0/0		 0.0.0.0/0

Deci, presupun ca Fail2Ban isi face treaba ... totusi, de ce nu blocheaza atacul ?

Am facut si un filmulet DEMO, sa va dati seama. Daca observati in coltul din dreapta-jos, apar mailurile primite unul dupa celalalt, care ma anunta ca Fail2Ban "a mai banat un IP". Baneaza asta in nestire, si tot degeaba

[ https://www.youtube-nocookie.com/embed/8DjLnx5CJbI?feature=oembed - Pentru incarcare in pagina (embed) Click aici ]

Astept sugestiile celor mai "avansati" in domeniu ...

Edited by dan74mm, 29 October 2013 - 17:08.

Fii atent ca au mai fost atacati si altii in mod similar. Uite aici cum au rezolvat
http://foxpa.ws/tag/...ial-of-service/

Vezi ca domeniile difera putin.

@ Bodanel: - Ok, si regulile astea le pun in firewallul de pe router ? Sau in firewallul de pe serverul care este atacat ?

#!/bin/bash
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|1b323031336e69616e636875616e7169736966756661627577616e67076164736634327703636f6d|' -j DROP # -m comment "DROP DNS Q 2013nianchuanqisifufabuwang.adsf42w.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|077375636b64646702636300|' -j DROP # -m comment "DROP DNS Q suckddq.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076e61706966756e03636f6d|' -j DROP # -m comment "DROP DNS Q napifun.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0768616b34756d7a036e6574|' -j DROP # -m comment "DROP DNS Q hak4umz.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|06616e6f6e736303636f6d00|' -j DROP # -m comment "DROP DNS Q anonsc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0331783102637a0000ff0001|' -j DROP # -m comment "DROP DNS Q ANY 1x1.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|056266686d6d03636f6d000010000100|' -j DROP # -m comment "DROP DNS Q TXT bfhmm.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org dns.id"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076564656c696f6e02737500|' -j DROP # -m comment "DROP DNS Q edelion.su"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0432736f65027275|' -j DROP # -m comment "DROP DNS Q 2soe.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0472697065036e657400|' -j DROP # -m comment "DROP DNS Q ripe.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0968697a62756c6c6168026d6500|' -j DROP # -m comment "DROP DNS Q hizbullah.me"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|11657667656e69792d6d61726368656e6b6f02636300|' -j DROP # -m comment "DROP DNS Q evgeniy-marchenko.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057372766974036f726700|' -j DROP # -m comment "DROP DNS Q srvit.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|046a756e6b087468657977616e7402696e00|' -j DROP # -m comment "DROP DNS Q junk.theywant.in"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0374787408707773657276657203636f6d02756100|' -j DROP # -m comment "DROP DNS Q txt.pwserver.com.ua"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0469657466036f726700|' -j DROP # -m comment "DROP DNS Q ietf.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0371686102636300|' -j DROP # -m comment "DROP DNS Q qha.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|066c61326c6f7702636300|' -j DROP # -m comment "DROP DNS Q la2low.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057a7a67737403636f6d00|' -j DROP # -m comment "DROP DNS Q zzgst.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|01610B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q a.packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0778706c6f64696e03636f6d00|' -j DROP # -m comment "DROP DNS Q xplodin.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0261610661736433736303636f6d00|' -j DROP # -m comment "DROP DNS Q aa.asd3sc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0962697473747265737303636f6d00|' -j DROP # -m comment "DROP DNS Q bitstress.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|026161066d6d7461633103636f6d00|' -j DROP # -m comment "DROP DNS Q aa.mmtac1.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0C6b696464793332333336353502727500|' -j DROP # -m comment "DROP DNS Q kiddy3233655.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05643639393103636f6d00|' -j DROP # -m comment "DROP DNS Q d6991.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0661613332343703636f6d00|' -j DROP # -m comment "DROP DNS Q aa3247.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08666b666b666b666103636f6d00|' -j DROP # -m comment "DROP DNS Q fkfkfkfa.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A677261707079626c6f6703636f6d00|' -j DROP # -m comment "DROP DNS Q grappyblog.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05636d69756903636f6d00|' -j DROP # -m comment "DROP DNS Q cmiui.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05346677686b03636f6d00|' -j DROP # -m comment "DROP DNS Q 4fwhk.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0673616e64696103676f7600|' -j DROP # -m comment "DROP DNS Q sandia.gov"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A7a61696b617061696b6103636f6d00|' -j DROP # -m comment "DROP DNS Q zaikapaika.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08766572697369676e03636f6d00|' -j DROP # -m comment "DROP DNS Q verisign.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0473656d6102637a00|' -j DROP # -m comment "DROP DNS Q sema.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|04706b7473046173696100|' -j DROP # -m comment "DROP DNS Q pkts.asia"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A69726c77696e6e696e6703636f6d00|' -j DROP # -m comment "DROP DNS Q irlwinning.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP # -m comment "DROP DNS Q 379zc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333630383804696e666f00|' -j DROP # -m comment "DROP DNS Q 36088.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP # -m comment "DROP DNS Q txt409.tekjeton.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP # -m comment "DROP DNS Q supermegatrue.mcdir.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333032353904696e666f00|' -j DROP # -m comment "DROP DNS Q 30259.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP # -m comment "DROP DNS Q babywow.co.uk"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333633373204696e666f00|' -j DROP # -m comment "DROP DNS Q 36372.info"

Fail2ban este folosit de obicei impreuna cu ssh, daca la X incercari de conectare nereusite prin ssh la masina fail2ban adauga IPul sursa la lista de IPuri "banate" de iptables. In cazul tau nu prea te ajuta fail2ban. Incearca sa limitezi numarul de pachete pe secunda primite, nu garantez ca te ajuta sau cat te ajuta insa poti incerca.

Regulile le pui pe router. Ca si regula: cand te ataca cineva ideea este sa-l blochezi cat mai departe de tine. Adica pe router. Sau daca ai pile la isp poti vorbi cu ei .

Pe acelasi server (cel atacat), am avut inainte cu cateva zile, un CentOS 5.x ...

Cu CentOS 5.x pe serverul atacat, aveam urmatoarea problema: pe router (router care e pe un CentOS 5), aveam acest mesaj: "ip_conntrack: table full, dropping packet" si mergea ca porcu' toata reteaua ...
Acum, cu CentOS 6.4 pe serverul atacat, nu mai primesc aceste mesaje de eroare in LOG-uri, reteaua merge ok, insa serverul atacat este de nefolosit ...
Sa raman pe serverul atacat cu CentOS 6.4, ori sa trec inapoi la CentOS 5.x ?

Edited by dan74mm, 30 October 2013 - 10:44.

Ramai cu ultima versiune si limiteaza nr de conexiuni. Daca atacul persista, va trebui sa vb mai sus pt a bloca atacul.

Well, daca pe CentOS 5.x aveam problema cu ip_conntrack-ul (dar, macar cu CentOS 5.x serverul a ramas in picioare, mergea), ei bine ... CentOS-ul 6.4 mi l-au zapacit de tot! Pe CentOS 6.x, altminteri "proaspat" instalat de la 0, pe langa problemele pe care le avusesem pe CentOS 5, mai aveam si vreo 20~30 de procese ZIP care arhivau intr-o veselie. Led-ul rosu de la hard-disk pur si simplu nu se mai stingea, era aprins continuu iar serverul arhiva de zor ... Ce ? Nu stiu, habar n-am ... si nici n-am mai stat sa-mi bat capul cu el. Loadul pe server ajunsese la vreo 40~50, etc ... o adevarat istorie.

Am radiat tot hard diskul (din nou) si am pus iarasi un CentOS 5. Am refacut toate setarile (inclusiv firewallul cu IPTABLES), dupa care am pus pe router regulile acestea: http://forum.softped.../#entry14030176
Restart la toate masinile si ... ochii beliti prin SSH-uri sa vad ce se intampla. A inceput sa "sughite" routerul de cateva ori, dar dupa vreo doua ore ... a revenit inapoi la "load 00" si acum ... merge ca uns ... atat routerul cat si serverul atacat. Ce-i drept, routerul e destul de "robust" - un Xeon Quad Core la vreo 3 GHz si cu 4 GB RAM.

Ce am facut in plus: pe serverul atacat aveam "dns recursion = on", l-am pus pe "off". Cam asta e singura chestie "in plus", facuta pe serverul atacat si impreuna cu regulile mai sus amintite, puse pe router, am scapat in sfarsit ....


Multumesc mult celor care mi-au raspuns si in special lui Bodanel care mi-a dat solutia. Sper sa nu aveti probleme de acest gen, anyway daca sa intampla si la voi, v-am spus cum am reusit sa rezolv eu ...

Merci inca o data ! I'm happy, in sfarsit!

Edited by dan74mm, 05 November 2013 - 20:03.

A studiat cineva metoda asta Anti-DOS ? http://deflate.medialayer.com/

Ma voi juca un pic cu el diseara cand voi intra in tura. Am luat jucaria (scriptul) si voi testa diseara. Sper sa am ceva rezultate atunci.

Astept sa vad ce parere ai ... Daca zici ca e bun si e "safe", il pun si eu ...

Am incercat ceva ceva sa fac insa nu a iesit nimic deci cu am ce sa comentez pe seama scriptului de mai sus. Nu garantez ca functioneaza dar nici ca nu functioneaza.

Ai studiat putin scriptul ? http://www.inetbase....ts/ddos/ddos.sh

Banuiesc ca ai ceva VPS de test ... ?!

Edited by dan74mm, 14 November 2013 - 23:19.

Pe script inca nu m-am uitat sa vad ce face. Banuiesc ca odata rulat cronjob-ul daca se sare de limita setata in conf pune o regula in iptables pentru IPul care are X conexiuni deschise cu masina gazda. Nu am VPS. Dar cum lucrez la un ISP am masini de pe care pot sa fac teste iar in cazuri de urgenta am laptopul din dotare plus masina de la munca plus masina de pe care fac teste colegii de departament.

PS: Mai incolo voi arunca un ochi pe script.