How to block DDoS attacks with PSAD and simple iptables rules

I will show you how to install PSAD to block DDoS (distributed denial of service) attacks and port scans on a web server. Here I use Ubuntu 8.04 LTS server, but it should be very similar on other distributions.

PSAD scans the iptables log and decides from it which sources to block. The problem is that when you log ALL packets, as other PSAD tutorials show, a busy server slows down considerably and the log grows huge (1 MB per second or more). With a few iptables rules we log only traffic that looks suspicious (for example, 5 new connections from one source within 5 seconds), so PSAD only ever sees the sources worth counting.

Installation

Download the latest PSAD from cipherdyne.org,

uncompress it and run the install.pl script:

./install.pl

Next we have to restart sysklogd and klogd so the syslog entry that install.pl added (it feeds kernel log messages to PSAD) takes effect:

/etc/init.d/sysklogd restart
/etc/init.d/klogd restart

Here is a small tweak so the connection tracking table does not fill up (it is the netfilter state table that fills, not the rule set; the `-m state` matches used below depend on it):

echo '524288' >  /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo '7200' > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established

Raise ip_conntrack_max further if needed, keeping in mind that every tracked connection costs kernel memory. The second line expires idle established TCP connections after 2 hours instead of the 5-day default, which frees entries much sooner during a flood. When the table is full the kernel drops new connections and logs a "table full, dropping packet" message; check for it after some time with `grep 'table full' /var/log/syslog`. Two caveats: writes to /proc do not survive a reboot, so put the same two settings in /etc/sysctl.conf as well, and on newer kernels these keys live under net.netfilter (nf_conntrack_max and nf_conntrack_tcp_timeout_established).

To log only suspicious IPs, first make a list of addresses that must never be logged or blocked:

vi /root/safeip.txt

and put one trusted address or CIDR block per line (lines starting with # are ignored by the script below):

127.0.0.0/24
192.168.0.0/24
123.123.123.123

Optional: if you wish to whitelist whole countries, simply get the list of IPs using our IP list by country generator (each entry becomes one ACCEPT rule, so keep the list reasonable).

We will use a short script to set the iptables rules (note that 'iptables -F' at the top flushes the existing filter rules; chain policies are left alone, so nothing in this script drops traffic by itself):

#!/bin/bash
# Whitelist trusted addresses, then log sources that open too many NEW
# connections in a short interval; PSAD counts those log lines.
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
# ---------------------------------------------------------------------

WORKDIR="/root/"
INTERVAL="5"          # seconds
HITCOUNT="5"          # NEW connections within INTERVAL before logging starts
SAFEIPFILE="safeip.txt"

cd "$WORKDIR" || exit 1

# Flush the filter table rules; chain policies are untouched, so unless a
# DROP policy was set elsewhere this script never drops anything itself
iptables -F
if [ -f "$SAFEIPFILE" ]; then
  # one IP or CIDR block per line, lines starting with # are comments
  IPS=$(grep -Ev "^#" "$SAFEIPFILE")
  for i in $IPS
  do
        iptables -A INPUT -s "$i" -j ACCEPT
  done
fi

# Record a timestamp for every NEW connection per source, then log the
# packet once its source has HITCOUNT or more within the last INTERVAL
# seconds (--update also refreshes the entry, so a source that keeps
# connecting at that rate keeps being logged)
iptables -A INPUT -m state --state NEW -m recent --set
iptables -A INPUT -m state --state NEW -m recent --update --seconds "$INTERVAL" --hitcount "$HITCOUNT" -j LOG

With these two rules a source is logged only once it has made HITCOUNT (5) NEW connections within INTERVAL (5) seconds, and every further NEW connection while it stays at that rate is logged too. Say 111.111.111.111 opens 12 new connections within 5 seconds: connections 5 through 12 hit the LOG rule, so 8 lines land in syslog and PSAD sees 8 `packets` (you will see later what that means). Nothing is dropped by these rules; blocking is left to PSAD. Adjust the values to your needs, bearing two things in mind: a browser fetching one page opens several connections in parallel, so a few log lines from a normal visitor are expected and harmless (only the PSAD thresholds block); and the recent module keeps, by default, 100 source entries (ip_list_tot) with 20 timestamps each (ip_pkt_list_tot), so --hitcount cannot exceed 20 unless the module is loaded with a larger ip_pkt_list_tot, and under a widely distributed flood old sources get evicted and start again from zero.
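To size INTERVAL and HITCOUNT on paper before pointing PSAD at the log, here is a small simulator of the two `-m recent` rules. It is an added example, not part of the original tutorial: the function `count_logged` and the arrival patterns below are constructed for illustration. It keeps one timestamp per NEW connection (the `--set` rule); the real xt_recent module also appends a stamp whenever `--update` matches and keeps at most ip_pkt_list_tot (20) stamps per source, so the kernel logs at least as many packets as this simulation predicts, never fewer.

```bash
#!/bin/sh
# Added example (not from the original tutorial): simulate which NEW
# connections from ONE source reach the LOG rule of
#   -m recent --update --seconds INTERVAL --hitcount HITCOUNT -j LOG
# after every NEW connection was recorded by "-m recent --set".

# count_logged INTERVAL HITCOUNT "t1 t2 t3 ..."
#   t1, t2, ... are arrival times in seconds of NEW connections from one
#   source address. Prints how many of them are logged: a packet is logged
#   when its source has HITCOUNT or more stamps, itself included, within
#   the last INTERVAL seconds.
count_logged() {
    interval="$1"; hitcount="$2"; times="$3"
    echo "$times" | tr ' ' '\n' | awk -v win="$interval" -v hc="$hitcount" '
        NF {
            stamp[n++] = $1
            hits = 0
            # count the stamps of this source that still fall inside the
            # window ending at the current packet
            for (i = 0; i < n; i++) if (stamp[i] + win >= $1) hits++
            if (hits >= hc) logged++
        }
        END { print logged + 0 }'
}

# Constructed arrival patterns (seconds), all for a single source:
BURST="0 0 1 1 2 2 3 3 4 4 4 4"     # 12 connections inside one 5 s window
PAGELOAD="0 0 0 0 0 0"              # a browser opening 6 parallel connections
STEADY="0 2 4 6 8 10 12"            # one connection every 2 seconds

printf 'burst of 12 in 5 s : %s logged\n' "$(count_logged 5 5 "$BURST")"     # 8
printf 'one page load      : %s logged\n' "$(count_logged 5 5 "$PAGELOAD")"  # 2
printf 'steady 1 per 2 s   : %s logged\n' "$(count_logged 5 5 "$STEADY")"    # 0
printf 'burst, hitcount 10 : %s logged\n' "$(count_logged 5 10 "$BURST")"    # 3
```

The page-load case is the one to watch: a single visitor can produce a couple of log lines, which is why the logging threshold and the PSAD block threshold are deliberately far apart.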

Make the script executable (chmod +x) and run it. iptables rules are not persistent, so also run it at boot (for example from /etc/rc.local) or the rules are gone after the next reboot.

Next we have to configure PSAD :

vi /etc/psad/psad.conf

This is a suggested configuration; read the psad documentation for more information.

Note: these lines already exist in the file, just modify the values:

[...]
EMAIL_ADDRESSES             admin@example.com;
[...]
HOSTNAME                    server1.example.com;
[...]
DANGER_LEVEL1               50;    ### Number of packets.
DANGER_LEVEL2               100;
DANGER_LEVEL3               250;
DANGER_LEVEL4               400;
DANGER_LEVEL5               500;
[...]
PORT_RANGE_SCAN_THRESHOLD   0;
[...]
ENABLE_PERSISTENCE          N;
[...]
SCAN_TIMEOUT                3600;  ### seconds
[...]
MIN_DANGER_LEVEL            3;
[...]
EMAIL_ALERT_DANGER_LEVEL    3;
[...]
ALERT_ALL                   N;
[...]
IMPORT_OLD_SCANS            Y;
[...]
ENABLE_AUTO_IDS             Y;
[...]
AUTO_IDS_DANGER_LEVEL       5;
[...]
AUTO_BLOCK_TIMEOUT          43200;
[...]
IPTABLES_BLOCK_METHOD       Y;
[...]

Here is what this configuration does. PSAD's danger levels count `packets`, which here are not real packets but log lines: the number of times a source IP appears in /var/log/syslog, i.e. its NEW connections beyond the fifth in any 5-second window, summed over the SCAN_TIMEOUT of 3600 seconds.

Once a source reaches 250 logged packets within the hour (DANGER_LEVEL3, which is also MIN_DANGER_LEVEL and EMAIL_ALERT_DANGER_LEVEL), PSAD sends an email to admin@example.com. The same happens at 400 (level 4). At 500 (level 5, the AUTO_IDS_DANGER_LEVEL) PSAD adds iptables rules that block the IP for AUTO_BLOCK_TIMEOUT = 43200 seconds, that is 12 hours. Of course you can adjust that to your needs. Since only sources that already made at least 5 connections in 5 seconds are logged at all, blocking a legitimate user is unlikely, with two caveats worth knowing: many users behind one NAT gateway or proxy share a source address and their connections add up, and connection tracking marks a flow NEW on its first SYN, so an attacker who spoofs SYNs with a victim's address can push that address over the threshold and get it auto-blocked. Keep any address you cannot afford to lose in the whitelist.

Now we have to restart PSAD :

/etc/init.d/psad restart

If you also want to whitelist IPs inside PSAD, take a look at /etc/psad/auto_dl (it is better to whitelist them in the iptables rules, but safer to do both). Each entry there is an IP address or CIDR block followed by a danger level and a semicolon; a danger level of 0 tells PSAD to ignore that source entirely:

vi /etc/psad/auto_dl

Commands you need to know:

To show PSAD's status report (scans in progress, danger levels, currently auto-blocked IPs):

psad -S

To remove the blocks PSAD has added (flushes its auto-blocking chains):

psad -F

That's it!

Comments


Problem

Hello! I was following all the steps and I made everything the same as given in the tutorial, but when I try the /etc/init.d/psad restart command it tells me this: [*] Could not find mail, edit /etc/psad/psad.conf at /usr/sbin/psad line 9566.
Starting psad: [*] Could not find mail, edit /etc/psad/psad.conf at /usr/sbin/psad line 9566.
When I go to that line it gives me the end of the conf file, and mail is set to root@localhost... What seems to be the problem?

mail problem

Hum... I assume you have something to send mail...

Try : apt-get install sendmail

Marc

very handy

Really nicely explained... I use the same distro, but indeed it shouldn't be a problem with other distros too. The same technique is used by "(D)DoS Deflate", but I had somewhat of a negative experience with that one, so I don't know, probably it was my faulty config or whatnot. Anyway, thanks for the tut and I'll surely take it for a "spin" :D

pgn.ro