How To Anti-DDoS Linux – cPanel

DDoS protection is a big part of a sysadmin's job these days, especially on big forums/hosts.
Obviously, the best plan would be to buy another server, set up a Cisco firewall on it and reroute all traffic through it to the main server. Unfortunately, this would require funds for another dedicated server.

So, the only solution that works right now is using the box itself as a firewall. This tutorial is for cPanel.

First things first, we make sure that everything is up to date.

Code:
yum update && yum upgrade

Ok, time to install a decent firewall. Because this server is running cPanel, we may as well use a firewall that integrates into cPanel, which makes configuration easy. CSF is great, so we shall be installing that.

Code:
wget http://www.configserver.com/free/csf.tgz
tar -xzvf csf.tgz
cd csf
sh install.sh

Simple as that! Now we need to configure the firewall. Log into http://IP:2086 in a web browser using your root username and password. Click ConfigServer Security & Firewall under Plugins, then click Firewall Configuration.

Code:
TESTING = 0
SYN_FLOOD = 1
PORTFLOOD = 80
DENY_TEMP_IP_LIMIT = 100000

And click ‘Change’. Restart csf+lfd, then return. Next, go to Firewall Security Level, click High, then restart csf+lfd again.

Next, we need some extra firewall rules to filter the common packets found in DDoS attacks. We will also limit the number of connections allowed to the server.

Code:
# enable SYN cookies so the kernel can keep accepting connections when the SYN backlog fills
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# per-source limit: a single IP with more than 100 concurrent connections to port 80 gets a reset
iptables -A INPUT -p tcp --syn --dport 80 ! -d 127.0.0.1 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
# drop malformed and scan-style flag combinations
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

# rate-limit chains; note the limit is global (all sources together), not per source IP
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 1/second --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

iptables -N udp-flood
iptables -A udp-flood -m limit --limit 4/second --limit-burst 4 -j RETURN
iptables -A udp-flood -j DROP

# send new inbound SYNs (SYN set, RST/ACK/FIN clear) through the syn-flood chain
# (comparing against SYN,ACK instead would only match replies to the server's own outbound connections)
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST,ACK,FIN SYN -j syn-flood # SYN flood
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -i eth0 -p udp -j udp-flood
iptables -A INPUT -i eth0 -f -j DROP
# CSF rebuilds the iptables ruleset on every restart; put rules you want to survive that in /etc/csf/csfpost.sh
service iptables save
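
The `--tcp-flags MASK COMP` rules above are easy to misread, so here is an added example (not code from the original post) that applies the post's seven flag rules the way iptables does: of the flags in MASK, exactly those in COMP must be set. The flag bit values follow the TCP header; the rule list is copied from the block above, and PASS only means those seven rules did not fire.

```shell
#!/bin/sh
# Added example, not code from the original post: a small model of how the
# "--tcp-flags MASK COMP" rules classify a packet. iptables reads the pair as
# "of the flags in MASK, exactly those in COMP must be set"; this script
# applies the post's seven flag rules the same way so you can see what each
# catches before loading it. Bit values follow the TCP header.

# Bit value of one TCP flag name (ALL and NONE are the iptables shorthands).
flag_bit() {
  case "$1" in
    FIN) echo 1 ;;
    SYN) echo 2 ;;
    RST) echo 4 ;;
    PSH) echo 8 ;;
    ACK) echo 16 ;;
    URG) echo 32 ;;
    ALL) echo 63 ;;
    NONE) echo 0 ;;
    *) echo "unknown flag: $1" >&2; return 1 ;;
  esac
}

# flags_to_mask "SYN,ACK" -> 18: fold a comma-separated flag list into a bitmask.
flags_to_mask() {
  mask=0
  old_ifs=$IFS
  IFS=','
  for f in $1; do
    bit=$(flag_bit "$f") || { IFS=$old_ifs; return 1; }
    mask=$((mask | bit))
  done
  IFS=$old_ifs
  echo "$mask"
}

# The seven --tcp-flags rules from the post, in order, as "MASK COMP" pairs.
TCP_FLAG_RULES='ALL NONE
SYN,FIN SYN,FIN
SYN,RST SYN,RST
FIN,RST FIN,RST
ACK,FIN FIN
ACK,PSH PSH
ACK,URG URG'

# classify_flags "SYN,FIN" -> DROP if any rule matches the packet's flags,
# PASS if none does (PASS only means these rules did not fire).
classify_flags() {
  pkt=$(flags_to_mask "$1") || return 1
  verdict=$(printf '%s\n' "$TCP_FLAG_RULES" | while read -r m c; do
    mask=$(flags_to_mask "$m")
    comp=$(flags_to_mask "$c")
    if [ $((pkt & mask)) -eq "$comp" ]; then
      echo DROP
      break
    fi
  done)
  echo "${verdict:-PASS}"
}

# Demo: a normal SYN or SYN,ACK passes; null, Xmas-style and lone FIN/PSH are dropped.
for flags in SYN SYN,ACK PSH,ACK NONE SYN,FIN FIN PSH; do
  printf '%-8s %s\n' "$flags" "$(classify_flags "$flags")"
done
```

Run it as `sh flags.sh`; the demo shows why `ACK,PSH PSH` drops a bare PSH but leaves ordinary PSH,ACK data segments alone, and why SYN,ACK is not caught by any of the seven rules.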

Next, we will install some connection-based IP banning, using a script called ddos_deflate.
Download ddos_deflate:

Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh

Great, that’s installed. Now we need to change some settings.

Code:
nano /usr/local/ddos/ddos.conf

And set these variables:

Code:
NO_OF_CONNECTIONS=100
EMAIL_TO="[email protected]"
BAN_PERIOD=12000
APF_BAN=0
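
What NO_OF_CONNECTIONS is compared against is a per-source count of current connections. The following is an added example, not ddos_deflate's own code, that builds that count over a constructed netstat sample (documentation-range addresses, IPv4 only) and prints, rather than runs, the blackhole command the edited script would use:

```shell
#!/bin/sh
# Added example, not ddos_deflate's own code: the per-source connection count
# that a threshold like NO_OF_CONNECTIONS=100 is checked against, run over a
# constructed netstat sample instead of a live `netstat -ntu` so it can be
# tried anywhere. IPv4 only; addresses are from the documentation ranges.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.44:55000      ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.9:9999        ESTABLISHED'

# count_connections: netstat -ntu style lines on stdin -> "COUNT IP" per
# foreign address, busiest first. The foreign address is field 5; the port
# is stripped at the colon.
count_connections() {
  awk '$1 == "tcp" || $1 == "udp" { split($5, a, ":"); print a[1] }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# offenders THRESHOLD: IPs whose count reaches THRESHOLD, one per line.
# Every connection counts, including half-open SYN_RECV ones, so a busy NAT
# gateway or proxy in front of many users can trip a low threshold.
offenders() {
  count_connections | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# ban_action IP: the blackhole route the edited ddos.sh installs; printed
# here rather than executed so the example cannot touch a live routing table.
ban_action() {
  echo "ip route add blackhole $1"
}

# Demo with a low threshold so the constructed sample trips it.
printf '%s\n' "$SAMPLE_NETSTAT" | offenders 3 | while read -r ip; do
  ban_action "$ip"
done
```

On a live box, `netstat -ntu | offenders 100` lists what the post's NO_OF_CONNECTIONS=100 would ban; look at that list by hand before trusting the automated ban, because a proxy or NAT gateway shows up as one very hot address.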

Save the file and exit. Next we need to modify ddos_deflate to work with CSF.

Code:
nano /usr/local/ddos/ddos.sh

On line 138 there should be this line:

Code:
$IPT -I INPUT -s $CURR_LINE_IP -j DROP

Change that line to

Code:
ip r a blackhole $CURR_LINE_IP

Save the file and exit. Finally, put the script on the path and start it in cron mode.

Code:
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
ddos --cron > /dev/null 2>&1