TimElfelt.com » Security

Block an IP to Speed up Server During DOS Attack

Tim — Sun, 17 Feb 2008 17:40:21 +0000

If your Apache server is slow (or if you see tons of “? ..reading..” on Apache Status in WHM) there is a chance that your http server is under a Denial of Service (DOS) attack.
You can check this out by:

Log on your server as root
Type the following command

netstat -plan|grep :80|awk {’print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

You will see a list of IP addresses with the number of connections each has to your server, like this:

1 127.0.0.1
3 64.34.161.32…. etc.

If any have more then 50-100 connections, there is a chance that this is your attacker. Unfortunately, this most likely will not stop a Distributed Denial of Service attack (DDOS), but if it is one IP this should do the trick. Go ahead and block this IP using APF if you have it installed.

apf -d IP

Good luck!

P.S. One way I have been attacked before is via traffic exchanges. If you see a lot of referring URLs from a traffic exchange and requests flow in from multiple IPs, talk to your host!

How to Remove Apache Server Signature

Tim — Sun, 17 Feb 2008 17:11:55 +0000

Apache by default puts a “signature” at the end of error pages and directory listings…here is an example of what this looks like:

Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.7a DAV/2 mod_auth_passthrough/2.1 PHP/5.2.5 Server at yoursite.com Port 80

Most people don’t want to display that information to the general public, but luckily, it is easily removed. You can easily disable this in your httpd.conf file:

ServerSignature Off

Then run:

service httpd restart

or

apachectl restart

Fix Open Nameservers to Speed up Sites and Prevent DOS

Tim — Sun, 17 Feb 2008 05:39:06 +0000

Open nameservers allow anyone in the world to perform queries on them, which can often lead to DOS attacks and slower performance. Most system administrators prefer to have their nameservers restricted and used only by trusted parties. To check your namesevers, use Intodns, a free tool!

To do this kind of setup, you will need to configure your named configuration:

On command line:

nano /etc/named.conf

Look for this line at the top:

include “/etc/rndc.key”;

Now add this right below it:

acl “trusted” {
XXX.xxx.xxx.xxx,YYY.yyy.yyy.yyy;127.0.0.1;
};

The IPs should be those of the nameservers…you can add other trusted IPs as well.

Now in the options section right below that, add these lines:

allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };

So your options section will look like this:

options {
directory “/var/named”;
dump-file “/var/named/data/cache_dump.db”;
statistics-file “/var/named/data/named_stats.txt”;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};

When done, hit ctrl-x and save.

Restart named

/etc/init.d/named restart

Now you can use a service like DNSreport to make sure the changes took.

Update: Intodns is FREE and a great tool for troubleshooting DNS

Install APF Firewall For Server Security

Tim — Sun, 17 Feb 2008 05:02:14 +0000

A firewall is essential for the security of any server. Below are the steps to setting up APF on your system to control access:

Download and install APF:

cd /usr/src
wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
tar -xvzf apf-current.tar.gz
cd apf-*
./install.sh

You will receive a message saying it has been installed, which will look something like this:

Installing APF 0.9.5-1: Completed.

Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf
AntiDos install path: /etc/apf/ad/
AntiDos config path:  /etc/apf/ad/conf.antidos
DShield Client Parser:  /etc/apf/extras/dshield/

Now that APF is installed, it must be configured.

nano /etc/apf/conf.apf

Turn off development mode by setting the value of DEVEL_MODE to “0″

DEVEL_MODE="0"

Now locate this section:

# Common ingress (inbound) TCP ports

Remove the line directly below that starting with IG_TCP_CPORTS=. Copy and paste this line its place:

IG_TCP_CPORTS="20,21,25,53,80,110,113,143,443,465,993,995,2049,2082,2083,2086,2087,2095,2089,2096,3306,6666,30000_35000"

Do the same for these sections (if necessary):

# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53,32786,111,2049"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"

# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="0"

The above sections determine what inbound ports will be open to the public. If you have any software on your system that requires a certain port to be open, add it to the list. It is recommended to not open any ports that you don’t need!

This next step is VERY important, or you may find yourself locked out of the server. After you edit the configuration file, you need to open /etc/apf/allow_hosts_rules and add your IPs to the bottom of the file.

Once your IPs are added you can start up the firewall:

/etc/init.d/apf start