DoS is the abbreviation of Denial of Service. It is an attempt to make a server's network resources unavailable to its intended users. We can identify it by checking whether there is any packet loss on the server, simply by using PING. Normally the attack originates from a single IP address, but in some cases the attackers use multiple IPs for the DoS.
By using iptables and/or CSF we can block DoS traffic from external connections. Configuring iptables to prevent DoS requires a good knowledge of iptables configuration, but with CSF it can be managed easily. Here I am comparing the two ways (i.e. iptables and CSF) to prevent DoS on Linux servers.
How to configure iptables to prevent a DoS attack?
You must know the following iptables switches to configure the server against DoS:
-A : Append a rule to the chain
-p : Protocol
--dport : Destination port
-m limit : Use the limit match extension
--limit 25/minute : Defines the average rate, a maximum of 25 matching connections per minute
--limit-burst 100 : The per-minute limit is enforced only after the total number of connections has reached the limit-burst level, i.e. 100 here
-j : Target
iptables rule:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Example:
root@test [~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
acctboth all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 limit: avg 25/min burst 100
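The rule above behaves as a token bucket: it matches the first 100 packets outright and then 25 per minute on average, and packets it does not match fall through to the next rule. The following Python model is added here and is not part of the original post; it walks constructed arrival timestamps through that rule followed by a DROP rule, and also shows that without such a DROP rule (the chain policy above is ACCEPT) every excess packet is still accepted.

```python
"""Model of the iptables `limit` match (--limit 25/minute --limit-burst 100).

The match is a token bucket: it starts with `burst` tokens, refills at the
average rate, and every packet that matches consumes one token. A packet that
finds no token does NOT match and falls through to the next rule, so the
chain needs a DROP rule after the ACCEPT for the limit to protect anything.
"""


class LimitMatch:
    """Token bucket with the semantics of `-m limit`."""

    def __init__(self, rate_per_minute: float = 25.0, burst: int = 100) -> None:
        self.rate_per_second = rate_per_minute / 60.0
        self.burst = burst
        self.tokens = float(burst)   # bucket starts full
        self.last = 0.0              # timestamp of the previous packet

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) matches."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(arrivals, rate_per_minute=25.0, burst=100, drop_rest=True):
    """Walk packet arrival timestamps through a two-rule INPUT chain.

    Rule 1: -p tcp --dport 80 -m limit --limit <rate> --limit-burst <burst> -j ACCEPT
    Rule 2: -p tcp --dport 80 -j DROP   (present only when drop_rest is True)
    Returns (accepted, dropped).
    """
    limit = LimitMatch(rate_per_minute, burst)
    accepted = dropped = 0
    for t in sorted(arrivals):
        if limit.matches(t) or not drop_rest:   # no DROP rule: policy ACCEPT takes it
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample: a flood of 600 SYNs to port 80, one every 100 ms, for a minute.
    flood = [i * 0.1 for i in range(600)]
    print("with DROP rule:   ", run_chain(flood))
    print("without DROP rule:", run_chain(flood, drop_rest=False))
```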
How to set up the server to prevent a DoS attack using CSF?
It is quite easy compared to the iptables configuration. With CSF we can set up the equivalent iptables rule through a single directive: CT_LIMIT in the CSF configuration file defines the maximum number of connections from one IP address.
Step I : SSH to server as root user.
Step II : Open the CSF configuration file in your favorite editor and set the CT_LIMIT value.
vi /etc/csf/csf.conf
----
# To disable this feature, set this to 0
CT_LIMIT = "50"
----
Where 50 is the maximum number of connections from one IP address. You also need to specify the port numbers to track:
vi /etc/csf/csf.conf
----
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"
----
Step III : Restart CSF
csf -r
That’s it 🙂
Other useful CT options available in CSF:
----
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
CT_INTERVAL = "30"

# Send an email alert if an IP address is blocked due to connection tracking
CT_EMAIL_ALERT = "1"

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds
CT_PERMANENT = "0"

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"

# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"
CT_SKIP_TIME_WAIT = "0"

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
#
# Leave this option empty to count all states against CT_LIMIT
CT_STATES = ""
----
Thank you, it's useful but quite a simple example. What about how to prevent an ICMP or UDP flood?
Just change the protocol to icmp or udp.
CSF doesn’t work well for DDoS mitigation. However there are iptables rules that can mitigate DDoS attacks at high rates, check out: https://javapipe.com/iptables-ddos-protection
Michael,
Thanks for sharing this!
CSF doesn't work well with CloudFlare. Have you tried installing vDDoS Protection Reverse Proxy from http://vddos.voduy.com/, a Layer 7 filter to mitigate DOS, DDOS, SYN flood or HTTP flood attacks?