Need help?

Our experts have had an average response time of 13.14 minutes in February 2024 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

CentOS DDoS protection – A guide to secure your server from DDoS!

by | Dec 8, 2018

These days, you can hire a DDoS attack on a site for as little as $15.

Which means, if someone holds a grudge against you, they can take down your site for the cost of a couple of coffees.

So, it goes without saying that your business site needs a shied against DDoS attacks.

But, is there a reliable solution against DDoS?

No, there is no perfect solution for DDoS, but we can prevent it to a great extent by securing the servers and networks.

At Bobcares, we help webmasters and service providers to harden and secure their servers as part of our Server Management Services.

Today, let’s discuss how we setup CentOS DDoS protection.

 

What is DDoS?

Before we move to the steps for CentOS DDoS protection, let’s see what DDoS is.

DDoS(Distributed Denial Of Service) is an advanced version of DoS(Denial Of Service).

centos ddos protection

Architecture of DDoS attack

 

In other words, DDoS tries to deny the important services that run on the server by sending enormous traffic to the destination server, so that the server can’t handle them.

Attackers use security holes in the servers(vulnerable applications, outdated software, etc.), to silently install DDoS tools like HULK, LOIC, etc.

So, this leads to server downtime, reputation damage, financial loss, and so on.

Therefore, DDoS protection is really important in all servers.

 

CentOS DDoS protection – 12 easy steps!!

Now, let’s discuss how our Server Administration Team enable DDoS protection in CentOS servers.

1) Software firewall

Firstly, we setup software firewalls such as APF, CSF, etc.

But, the efficiency lies in how we tweak the firewall configuration parameters.

To mitigate DDoS attacks, our Security Engineers tweak certain parameters in the firewall configuration file.

For example, in APF, we set the below parameter in the configuration file “/etc/apf/conf.apfto enable Antidos feature.

USE_AD="1"

 

In addition to that, since Antidos is intended to operate via cron, we always ensure that Antidos cron job is properly set.

Likewise in CSF, we enable and tweak the parameters such as SYNFLOOD and PORTFLOOD to prevent DDoS attacks.

Moreover, we tweak the CSF parameters such as CT_LIMIT and CT_INTERVAL to limit the number of connections.

 

2) Configure iptables

In some cases, our Server Experts use iptables to tackle DDoS attacks.

DDoS can be of different kinds – SYN flood, invalid requests, countless UDP packets, and so on and hence we got various kinds of attacks here.

So, to mitigate each of these attacks, we use different iptables rules each to mitigate different kind of requests.

For example, we use the below iptables rule to block invalid packets.

iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

 

Likewise, CentOS 7 uses a recent version of iptables and supports the new SYNPROXY target.

SYNPROXY checks whether the host that sent the SYN packet establishes a TCP connection. If not, it discards that packet.

At Bobcares, we help server owners set iptables rules to effectively mitigate DDoS attacks.

[Are you fed up with DDoS attacks on your server? Our Server Administration Team is here for your help!!]

3) DDoS deflate

For server owners with limited number of websites, our Support Engineers recommend installing DDoS deflate tool.

DDoS deflate is a bash script to block DDoS attacks.

The script uses netstat command to track the IP addresses that connect to the server.

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

 

And, if the number of connection exceeds the threshold limit, it automatically blocks that IP in firewall.

Further, we tweak DDoS deflate configuration file “/usr/local/ddos/ddos.conf” to adjust the parameters like threshold connection value, frequency at which this script runs, etc. to effectively tackle DDoS issues.

 

4) Install mod_evasive Apache module

The mod-evasive Apache module is another effective method that our Server Experts implement in CentOS DDoS protection.

It acts in the event of an HTTP DDoS attack or brute force attack.

It blacklists the IP addresses that make more than 50 concurrent requests, and requests same page more than a few times per second.

Further, we tweak the below mod_evasive parameters in the “/etc/httpd/conf.d/mod_evasive.conf” configuration file, based on the server configuration and traffic flows.

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

 

5) Install mod_security

DDoS attackers usually target HTTP.

So, it’s good to have a filtering system for apache, that filters the requests before web server handles it.

Mod_security is a web application firewall with different set of protection rules.

It inspects incoming HTTP traffic using these protection rules, and reliably blocks unwanted malicious traffic.

At Bobcares, we help server owners install mod_security in their servers.

In addition to that, we create custom protection rules and add them to the mod_security configuration file “/usr/local/apache/conf/mod_security.conf“.

 

6) Install AIDE

AIDE(Advance Intrusion Detection Environment) is one of the intrusion detection systems in CentOS.

AIDE checks the modification time and integrity of the files or folders and notifies you.

In other words, if an attacker places a malware on your system, AIDE identifies it and notifies you.

Our Security Engineers, runs scheduled AIDE checks by setting up a cron job in the server.

7) Install Fail2ban

Another effective method for DDoS protection in CentOS servers is Fail2ban.

Fail2ban scans the server logs, and blocks the malicious IP addresses in the network level.

The Fail2ban configuration file is “/etc/fail2ban/jail.local“, which contains pre-defined filters for various services.

And, it uses these filters and check them with the log files. If there are matches that go beyond the threshold, it blocks the source IP address.

Our Security Engineers assist server owners to install Fail2ban and configure jails.

These jails hold custom configuration settings like below to protect the servers from brute force attacks.

ignoreip = 127.0.0.1
bantime = 240
findtime = 240
maxretry = 10

 

[Need to secure your server with Fail2ban? Our Security Engineers can definitely help you!!]

8) Implement sysctl based protection

Sysctl based protection is one of the key steps that our Security Engineers take during server hardening.

Sysctl is an interface to make changes to the running Linux kernel, and we configure the Linux networking and system settings in /etc/sysctl.conf.

Most importantly, we focus on the following sysctl.conf parameters.

net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1

 

The first parameter allows protection against IP spoofing, and the second allows TCP SYN Cookie protection.

Further, we add the following code in /etc/rc.local and restart the network.

for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do echo 1 > done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

 

9) Restricting User rights

Another important step in Centos DDoS protection is to limit the user privileges on the server.

a) Disable direct root login

Firstly, we disable direct root login to the server.

Because, root is the known existing account and hackers try to brute force to the server with this user.

So, we setup another user and allow sudo privileges to it.

Therefore, this sudo user can function like the root user.

In some cases, we disable root login in the SSH configuration file /etc/ssh/sshd_config  using the below command.

PermitRootLogin no

 

b) Setup key based access

Another important security step for CentOS DDoS protection is to enable key based access to the server.

In other words, users can’t access the server with username and password authentication.

Instead, we setup secure key pairs to authenticate a client to an SSH server.

As a result, it reduces the risk of attacking the server using guessed passwords.

c) Set custom SSH port

Having SSH service on the standard ports is a terrible security risk, because attackers guess and gain access in a first few tries.

Therefore, during server hardening, our Security Engineers always change the SSH port from 22 to some other custom ports.

10) Conduct regular security audits

Above all, you should regularly audit your systems and network.

At Bobcares, we have a Server Administration Team that check the server for vulnerabilities on a regular basis.

We use tools like Rkhunter, chkrootkit, etc. to find rootkits, backdoors, exploits, changed binaries, etc. in the server.

Moreover, we use tools like Nmap, Nessus, etc. to perform network vulnerability audits.

Also, we maintain a checklist covering all security aspects of a server such as software vulnerability, kernel upgrades, open ports, etc.

 

[Thinking about server hardening and regular server audits? Protect your server with 24/7 monitoring and maintenance by experienced Support Engineers.]

11) Manual Blocking

When the server is down due to a DDoS attack, manual blocking of offending IPs also help.

In order to identify the offending IP, our Security Engineers use a couple of commands.

For example, look at the command below.

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

 

This command gives us an idea of the top IP addresses that connect to the server via TCP/UDP.

In our experience, if the number of packets from an IP is less than 50, it’s normal, and if it’s more than 200, it’s mostly a DDoS attack.

 

12) Setup Load balancer

Another best way to defend against DDoS is to setup a Load balancer on servers.

Load balancers add flexibility by re-routing live traffic from one server to another if a server is under DDoS or becomes unavailable.

As a result, it eliminates single failure point and reduces the exposure to attack.

At Bobcares, our Server Administration Team helps server owners setup Load balancer on their servers.

In addition to that, we tweak parameters like number of connections per user, http request timeout setting, etc. to mitigate DDoS attacks.

 

Conclusion

In short, DDoS attacks can really freeze websites. There’s no perfect solution for DDoS, but we can prevent it to a great extent by securing the servers and networks. Today, we’ve seen the 12 different steps for CentOS DDoS protection and how our Server Administration Team implement them.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

SEE SERVER ADMIN PLANS

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Categories

Tags

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF