How to block DDOS attacks in Linux

Here’s a complimentary article that shows you how to detect the IP addresses of attackers in case of a a denial of service (or DOS) attack.

To do this we will use free software called psad. psad works in sync with iptables and monitors the iptables logs and checks for port scans and other suspicious traffic which are usually signs of someone trying to break into your Linux server.

To begin, install psad. If you are running a flavor of Linux that has a fancy package management system like Ubuntu or Fedora you should be able to use either of the following commands to get psad on your system:

# sudo apt-get install psad
or
# yum install psad

If this doesn’t work for you head to the psad download page and download the format that works for you.

As I use an Ubuntu Linux server the rest of this tutorial will be Ubuntu specific. However, with some minor tweaking you should be able to make it work on other flavors of Linux. Open the syslog.conf file with your favorite text editor:

# vim /etc/syslog.conf

Add the following line at the end of the of the file:

kern.info |/var/lib/psad/psadfifo

You can use the following command to accomplish the same thing:

# echo -e 'kern.info\t|/var/lib/psad/psadfifo' >> /etc/syslog.conf

Now restart the sysklogd and klog daemons:

/etc/init.d/sysklogd restart
/etc/init.d/klogd restart

The way psad works is that it will detect and instruct iptables to block any suspicious IPs. Sometimes this might result in the blocking of an IP which you use. To overcome this issue you should create a file containing a list of safe IP addresses. Create a file like this one:

# vim /home/calvin/safeiplist.cfg

Enter the IP addresses that you need psad to whitelist:

127.0.0.0/24
192.168.0.0/24
122.164.34.240

No use a script like following one to configure iptables with the necessary rules. Note that this script will remove all previous settings from your iptables setup. Copy and paste the following script on your Linux server, and replace the variables WORKDIR and SAFEIPLISTwith the correct settings from your setup.

WORKDIR="/home/calvin/"
INTERVAL="5"
HITCOUNT="5"
SAFEIPLIST="safeiplist.cfg"

cd $WORKDIR

iptables -F
if [ -f $SAFEIPLIST ]; then
IPS=$(grep -Ev “^#” $SAFEIPLIST)
for i in $IPS
do
iptables -A INPUT -s $i -j ACCEPT
done
fi

iptables -A INPUT -m state –state NEW -m recent –set
iptables -A INPUT -m state –state NEW -m recent –update –seconds $INTERVAL –hitcount $HITCOUNT -j LOG

What the script does is that it logs an IP address if it makes five or more attempts at making a connection in the span of five seconds. I would suggest you use the script as is unless you know what you are doing while modifying it. One you are done, give it executable permissions and run it.

# chmod +x /home/calvin/ipblock.sh

# /home/calvin/ipblock.sh

Now back to psad. Open the psad configuration file and edit it. These are the changes I suggest you make. Feel free to go through the psad documentation and make other changes:

EMAIL_ADDRESSES you@yourdomain.com;

Set machine’s hostname:

HOSTNAME yourdomain.com;

If you have only one network interface on this server, set HOME_NET to:

HOME_NET NOT_USED;

You can also need to adjust danger levels for psad, and define a set of ports to ignore, for example to ask psad ignore udp ports 80 and 8080, make the following change:

IGNORE_PORTS udp/80, udp/8080;

Save and close the file. Then restart psad:

# /etc/init.d/psad restart

You are now good to go. To monitor psad’s reports run the following command:

# psad -S

To remove automatically clocked IPs run the following command:

# psad -F

psad is a very versatile and powerful tool. If you know how to use it it can do wonders for you, but if you don’t you can really mess up your computer. So please use psad with caution.