These days, you can hire a DDoS attack on a site for as little as $15.
That means that if someone holds a grudge against you, they can take down your site for the cost of a couple of coffees.
So it goes without saying that your business site needs a shield against DDoS attacks.
But, is there a reliable solution against DDoS?
No, there is no perfect solution against DDoS, but we can mitigate it to a great extent by securing the servers and networks.
At Bobcares, we help webmasters and service providers to harden and secure their servers as part of our Server Management Services.
Today, let’s discuss how we set up CentOS DDoS protection.
What is DDoS?
Before we move to the steps for CentOS DDoS protection, let’s see what DDoS is.
DDoS (Distributed Denial of Service) is the distributed, larger-scale version of DoS (Denial of Service).
A DDoS attack tries to deny the services running on a server by sending it more traffic, from many sources at once, than it can handle.
Attackers use security holes in servers (vulnerable applications, outdated software, etc.) to silently install DDoS tools like HULK, LOIC, etc., and then use those compromised machines as attack sources.
This leads to server downtime, reputation damage, financial loss, and so on.
Therefore, DDoS protection is important on every server.
CentOS DDoS protection – 12 easy steps!!
Now, let’s discuss how our Server Administration Team enables DDoS protection on CentOS servers.
1) Software firewall
Firstly, we set up a software firewall such as APF, CSF, etc.
But the effectiveness depends on how the firewall configuration parameters are tuned.
To mitigate DDoS attacks, our Security Engineers tweak certain parameters in the firewall configuration file.
For example, in APF, we set the parameter below in the configuration file "/etc/apf/conf.apf" to enable the Antidos feature.
USE_AD="1"
In addition, since Antidos is intended to operate via cron, we always ensure that the Antidos cron job is properly set.
Likewise, in CSF we enable and tune parameters such as SYNFLOOD and PORTFLOOD to limit SYN floods and port floods.
Moreover, we tune the CSF parameters CT_LIMIT and CT_INTERVAL (connection tracking) to limit the number of connections a single IP may hold.
2) Configure iptables
In some cases, our Server Experts use iptables to tackle DDoS attacks.
DDoS attacks come in different kinds: SYN floods, invalid packets, floods of UDP packets, and so on.
So, to mitigate each kind of attack, we use a different iptables rule that matches that kind of traffic.
For example, we use the below iptables rule to block invalid packets.
iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
Also, CentOS 7 ships a recent version of iptables that supports the SYNPROXY target.
SYNPROXY answers SYN packets itself and only opens a connection to the service once the host that sent the SYN completes the TCP handshake; SYNs that are never followed up are discarded and never consume a connection slot on the server.
At Bobcares, we help server owners set iptables rules to effectively mitigate DDoS attacks.
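As an added example (not part of the original post or Bobcares' own scripts), the shell function below prints the complete set of rules needed to put SYNPROXY in front of one TCP service, following the rule set documented for CentOS/RHEL 7. The interface name and port are parameters; the defaults eth0 and 80 are assumptions, and the --mss and --wscale values should match what the protected service itself advertises.

```shell
#!/bin/sh
# Print (do not apply) the iptables rules that put SYNPROXY in front of
# a TCP service. Interface and port are parameters; eth0/80 are assumed
# defaults. Apply as root with:  synproxy_rules eth0 80 | sh
synproxy_rules() {
    iface=${1:-eth0}
    port=${2:-80}
    cat <<EOF
# 1. Do not create conntrack entries for incoming SYNs to $iface:$port;
#    SYNPROXY answers them itself until the handshake completes.
iptables -t raw -A PREROUTING -i $iface -p tcp -m tcp --syn --dport $port -j CT --notrack
# 2. Hand the untracked SYNs (and anything invalid) for that port to SYNPROXY,
#    which only opens a real connection once the client's final ACK arrives.
#    --mss and --wscale should match what the protected service advertises.
iptables -A INPUT -i $iface -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# 3. Drop whatever is still INVALID after SYNPROXY (the INVALID drop from
#    section 2, here in the INPUT chain).
iptables -A INPUT -i $iface -m conntrack --ctstate INVALID -j DROP
# 4. Without this, conntrack would accept mid-stream packets it never saw
#    the handshake for, which defeats the proxy.
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
EOF
}

# Demo: show the rules for the default interface and port.
synproxy_rules
```

After applying, `iptables -L INPUT -n -v` shows the SYNPROXY rule's packet counters climbing during a SYN flood while the web server's connection count stays flat; that is the check that the proxy is actually absorbing the handshake.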
[Are you fed up with DDoS attacks on your server? Our Server Administration Team is here for your help!!]
3) DDoS deflate
For server owners with a limited number of websites, our Support Engineers recommend installing the DDoS deflate tool.
DDoS deflate is a bash script to block DDoS attacks.
The script uses netstat command to track the IP addresses that connect to the server.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
And, if the number of connections from an IP exceeds the threshold, it automatically blocks that IP in the firewall.
Further, we tweak the DDoS deflate configuration file "/usr/local/ddos/ddos.conf" to adjust parameters like the connection threshold, the frequency at which the script runs, etc., to effectively tackle DDoS issues.
4) Install mod_evasive Apache module
The mod_evasive Apache module is another effective method that our Server Experts implement for CentOS DDoS protection.
It acts in the event of an HTTP DDoS attack or a brute force attack.
It blacklists IP addresses that make more than 50 concurrent requests, or that request the same page more than a few times per second.
Further, we tune the mod_evasive parameters below in the "/etc/httpd/conf.d/mod_evasive.conf" configuration file, based on the server configuration and traffic flows.
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
5) Install mod_security
DDoS attackers usually target HTTP.
So it’s good to have a filter in front of Apache that inspects requests before the web server handles them.
mod_security is a web application firewall with a set of protection rules.
It inspects incoming HTTP traffic using these rules and blocks unwanted malicious traffic.
At Bobcares, we help server owners install mod_security on their servers.
In addition, we create custom protection rules and add them to the mod_security configuration file "/usr/local/apache/conf/mod_security.conf".
6) Install AIDE
AIDE (Advanced Intrusion Detection Environment) is one of the intrusion detection systems available on CentOS.
AIDE checks the modification times and integrity (checksums) of files and directories against a baseline database it built earlier, and notifies you of any change.
In other words, if an attacker places malware on your system, AIDE identifies it and notifies you.
Our Security Engineers run scheduled AIDE checks by setting up a cron job on the server.
7) Install Fail2ban
Another effective method for DDoS protection in CentOS servers is Fail2ban.
Fail2ban scans the server logs and blocks malicious IP addresses at the network level.
The Fail2ban configuration file is "/etc/fail2ban/jail.local", which holds the jails for various services; each jail uses a pre-defined filter.
Fail2ban matches these filters against the log files, and if the matches exceed the threshold, it blocks the source IP address.
Our Security Engineers assist server owners with installing Fail2ban and configuring jails.
These jails hold custom configuration settings like the ones below to protect the servers from brute force attacks.
ignoreip = 127.0.0.1
bantime = 240
findtime = 240
maxretry = 10
[Need to secure your server with Fail2ban? Our Security Engineers can definitely help you!!]
8) Implement sysctl based protection
Sysctl based protection is one of the key steps that our Security Engineers take during server hardening.
Sysctl is an interface to make changes to the running Linux kernel, and we configure the Linux networking and system settings in /etc/sysctl.conf.
Most importantly, we focus on the following sysctl.conf parameters.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
The first parameter enables reverse-path filtering, which protects against IP spoofing, and the second enables TCP SYN cookies.
Further, we add the following code to /etc/rc.local (so it is re-applied on every boot) and restart the network.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
9) Restricting User rights
Another important step in CentOS DDoS protection is to limit user privileges on the server.
a) Disable direct root login
Firstly, we disable direct root login to the server.
Root is an account every attacker knows exists, so brute force attempts against the server target this user.
So, we set up another user and grant it sudo privileges.
This sudo user can then do everything the root user can.
We disable root login in the SSH configuration file /etc/ssh/sshd_config with the directive below.
PermitRootLogin no
b) Setup key based access
Another important security step for CentOS DDoS protection is to enable key based access to the server.
In other words, users can no longer access the server with username and password authentication.
Instead, we set up SSH key pairs to authenticate a client to the SSH server.
As a result, the risk of an attacker getting in with a guessed password is removed.
c) Set custom SSH port
Leaving the SSH service on the standard port is a security risk, because that is where automated scanners and brute force bots look first.
Therefore, during server hardening, our Security Engineers always change the SSH port from 22 to a custom port.
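The three SSH changes above (root login off, password authentication off, custom port) are easy to get partly wrong, for example when a later `PermitRootLogin yes` line or a commented-out `Port` line is overlooked. The script below is an added example, not part of the original post or Bobcares' tooling: it audits an sshd_config (read from stdin) for those three settings the way sshd itself reads the file (first match wins, comments ignored) and exits non-zero when anything is still weak. The two sample configurations are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample sshd_config (not from a real server) with the defaults
# that section 9 tells you to change.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

# The same file after the three hardening steps (2222 is an arbitrary example).
HARDENED_SSHD_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Print the effective value of one sshd_config keyword read from stdin.
# sshd uses the first occurrence of a keyword, so we do too; commented
# lines never match because "#Port" is not "port"; keywords are
# case-insensitive, as in sshd itself.
sshd_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per weak setting; print nothing when the config is
# hardened. Returns 0 only if there were no findings, so it can gate a
# deployment script.
audit_sshd_config() {
    conf=$(cat)
    findings=0
    for check in "PermitRootLogin:no" "PasswordAuthentication:no"; do
        key=${check%%:*}
        want=${check##*:}
        got=$(printf '%s\n' "$conf" | sshd_value "$key")
        if [ "${got:-unset}" != "$want" ]; then
            echo "$key is '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    # An absent Port line means sshd listens on 22, so treat unset as 22.
    port=$(printf '%s\n' "$conf" | sshd_value Port)
    if [ "${port:-22}" = "22" ]; then
        echo "Port is 22, expected a custom port"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then return 0; else return 1; fi
}

# Demo: audit both samples. On a real server: audit_sshd_config < /etc/ssh/sshd_config
for sample in "$WEAK_SSHD_CONFIG" "$HARDENED_SSHD_CONFIG"; do
    if printf '%s\n' "$sample" | audit_sshd_config; then
        echo "-> hardened"
    else
        echo "-> needs hardening"
    fi
done
```

Run `sshd -t` after editing and keep an existing session open while you reconnect on the new port; an audit that passes does not help if the daemon refuses to reload.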
10) Conduct regular security audits
Above all, you should regularly audit your systems and network.
At Bobcares, we have a Server Administration Team that checks servers for vulnerabilities on a regular basis.
We use tools like Rkhunter, chkrootkit, etc. to find rootkits, backdoors, exploits, changed binaries, etc. in the server.
Moreover, we use tools like Nmap, Nessus, etc. to perform network vulnerability audits.
Also, we maintain a checklist covering all security aspects of a server such as software vulnerability, kernel upgrades, open ports, etc.
[Thinking about server hardening and regular server audits? Protect your server with 24/7 monitoring and maintenance by experienced Support Engineers.]
11) Manual Blocking
When the server is down due to a DDoS attack, manually blocking the offending IPs also helps.
To identify the offending IPs, our Security Engineers use a couple of commands.
For example, look at the command below.
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
This command lists the IP addresses connecting to the server over TCP/UDP, with the busiest at the bottom.
In our experience, if the number of connections from a single IP is less than 50, it’s normal, and if it’s more than 200, it’s mostly a DDoS attack.
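Sections 3 and 11 both rely on the same netstat pipeline to count connections per remote address and then block whoever is over a threshold. The script below is an added example (not the DDoS deflate script and not Bobcares' own code) that does exactly that as a small set of shell functions, run here against a constructed netstat sample rather than a live server. It improves on the `cut -d: -f1` one-liner in two ways: the netstat header lines are skipped so they are not counted as "addresses", and only the trailing :port is stripped, so IPv6 peers (which also contain colons) are counted correctly. The iptables rule it emits is the same simple DROP used in section 2; `DRY_RUN=1` prints the rule instead of applying it.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real
# server): 198.51.100.7 holds three connections, 203.0.113.5 two, 203.0.113.9 one.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:53000       ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.5:4567        ESTABLISHED'

# Count connections per remote address from `netstat -ntu` output on stdin.
# Skips the two header lines and removes only the trailing ":port", so an
# IPv6 peer such as 2001:db8::5:443 keeps its full address. Output is
# "<count> <address>", busiest last.
count_per_ip() {
    awk 'NR > 2 && NF >= 5 { sub(/:[0-9]+$/, "", $5); count[$5]++ }
         END { for (ip in count) print count[ip], ip }' | sort -n
}

# Print the remote addresses holding more than $1 connections.
over_threshold() {
    count_per_ip | awk -v t="$1" '$1 + 0 > t + 0 { print $2 }'
}

# Drop all traffic from one address (assumes iptables is the firewall, as in
# section 2). With DRY_RUN=1 the rule is printed instead of applied.
block_ip() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -I INPUT -s $1 -j DROP"
    else
        iptables -I INPUT -s "$1" -j DROP
    fi
}

# Demo: show the per-address counts, then the rule that would be applied for
# every address above a (deliberately low) threshold of 2 connections.
# On a live server replace the printf with:  netstat -ntu | over_threshold 200
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip
for ip in $(printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 2); do
    DRY_RUN=1 block_ip "$ip"
done
```

Before blocking, check what the top address actually is: a CDN edge, a NAT gateway for a large office, or your own monitoring host can legitimately hold hundreds of connections, which is why the 50/200 rule of thumb above is a starting point for investigation rather than an automatic cut-off.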
12) Setup Load balancer
Another good way to defend against DDoS is to set up a load balancer in front of the servers.
Load balancers add flexibility by re-routing live traffic from one server to another if a server is under DDoS or becomes unavailable.
As a result, this eliminates a single point of failure and reduces the exposure to attack.
At Bobcares, our Server Administration Team helps server owners set up load balancers for their servers.
In addition to that, we tweak parameters like number of connections per user, http request timeout setting, etc. to mitigate DDoS attacks.
Conclusion
In short, DDoS attacks can really freeze websites. There’s no perfect solution against DDoS, but we can mitigate it to a great extent by securing the servers and networks. Today, we’ve seen 12 different steps for CentOS DDoS protection and how our Server Administration Team implements them.