Blog

DDoS, prevention, cure! – Part 2

Tags: AIDEDDOSMod_dosevasive

Published on: December 29, 2010 by Faheem P.

DDoS, prevention, cure! – Part 2

Scenario:

DDoS/DoS Prevention and Cure has significant role in preserving the server security:

DDoS/DoS cannot be completely prevented by any of the service provides, but certain measures could help us to reduce the impact of attack.

The companies must develop and produce certain strict policies and rules to ensure the best practices are allowed. Strict server security policies must be used and should be always updated. Having a AUP is a key tool to remove the abusive user from the network/system.

Having a separate team to handle abusive incidents is a good practice to whom the incidents could be notified and alerted.

Upgrades and Updates : Through testing must be done before a system is introduced to a production environment. Server security should be considered from the start of the system design. Things to consider include:

  • Operating system lockdown and removal of any unnecessary processes,services and software. This should be done via scripts or by checklists preferably developed using industry best practices.
  • Review of system protocols to ensure communication paths are properly authenticated and if necessary encrypted.
  • Scanning of the systems to confirm and mitigate, if necessary, any server security risks found.
  • If software source code is available, security source code reviews should be performed to eliminate buffer overflows and other vulnerabilities.
  • Apply patches in time

Here are some steps by which we could defend the impact of DDOS to a certain extent.

Setup machine / network keeping server security in mind (Implement Good server Security policy)

Setup a firewall which does Ingress and Egress Filtering at Gateway

Eg: Steps to Install AFP

wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

 tar -zxf apf-current.tar.gz

cd apf-<version number>

./install.sh 

Notes: Go through the Document in the Apf and configure it for your needs. All configuration is set at conf.apf which is normally located at /etc/apf/conf.apf

Enable Anit-DOS mode in Apf (ie in conf.apf) . Also make sure that your root’s cron has an entry like the one below

*/8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1

Install IDS on your gateway/hosts to alert you when someone tries to sniff In.

Eg: AIDE

wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz

tar -zxvf aide-0.7.tar.gz

 cd aide-0.7

 ./configure -with-gnu-regexp 

Final steps to install make;make install. Now the main step..To configure AIDE.AIDE stores all its rule sets in the file called aide.conf. Lets populate it get more details of how to configure and all from man aide.conf

Here I am taking an example .See below

Here is a sample short aide.conf:

Rule = p+i+u+g+n+s+md5

 /etc p+i+u+g

 /sbin Rule

 /usr/local/apache/conf Rule

 /var Rule

 !/var/spool/.*

 !/var/log/.* 

In the above configuration listed , a rule called “Rule” is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). This rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn’t. Files and directories in /var/spool and /var/log are not checked because those are folders where maximum updation takes place.

After configuring AIDE should be initiated with all these rules.

For that execute aide -init

Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications.

Use tools like RKDET(vancouver-webpages.com/rkdet),RKHUNTER(www.rootkit.nl) and CHKROOTKIT(www.chkrootkit.org) to find if any rootkit has been already installed and to locate the effected binaries in the machine, if any.

Please find a simple Audit check List below to be done on a Hosts

Eg: Audit Check List

A quick checklist:

* Software Vulnerabilities.

* Kernel Upgrades and vulnerabilities.

* Check for any Trojans.

* Run chkrootkit.

* Check ports.

* Check for any hidden processes.

* Use audittools to check system.

* Check logs.

* Check binaries and RPMS.

* Check for open email relays.

* Check for malicious cron entries.

* Check /dev /tmp /var directories.

* Check whether backups are maintained.

* Check for unwanted users, groups, etc. on the system.

* Check for and disable any unneeded services.

* Locate malicious scripts.

* Querylog in DNS.

* Check for the suid scripts and nouser scripts.

* Check valid scripts in /tmp.

* Use intrusion detection tools.

* Check the system performance.

* Check memory performance (run memtest).

Enforce and Implement Security Measures on all hosts in the network.

Machines new or old should only be allowed to run on your network, if your Security Admin or DSE (Dedicated Server Security Expert) member approves it with status “OK-to go live” after auditing the box. All Host in the network should be checked on a regular basis by your DSE team to make sure that all hosts are uptodate and can fight any attacks.

Audit network on a regular basis to see if your network is vulnerable to attacks

Use Open Source Tools like NESSUS(www.nessus.org) ,NMAP(www.insecure.org/nmap),SAINT( www.saintcorporation.com/products/saint_engine.html),SARA (www-arc.com/sara/sara.html)for auditing a network to find its vulnerabilities.

Create a DSE (Dedicated Server Security Expert ) Team for your company.

Collect your networks and hosts data . Analysis them and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you this move is worth the money you spend,for sure.

Implement Sysctl protection against DDOS

Eg:

 vi /etc/sysctl.conf 

add the below code:

# Enable IP spoofing protection, turn on Source Address Verification

 net.ipv4.conf.all.rp_filter = 1

 # Enable TCP SYN Cookie Protection

 net.ipv4.tcp_syncookies = 1 

Add the below code in /etc/rc.local and restart network

for f in /proc/sys/net/ipv4/conf/*/rp_filter;

 do echo 1 > done

 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 

Install Mod_dosevasive to your apache.

Mod_dosevasive is module for Apache to perform evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation step of mod_dosevasive in DSO mode below

Install Mod_dosevasive

wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz

tar -zxvf mod_evasive_1.10.1.tar.gz

cd mod_evasive_1.10.1

 $APACHE_ROOT/bin/apxs -iac mod_evasive.c 

Dont get scared by the variable “$APACHE_ROOT” . Its nothing, but a simple variable which stores the location of the apache installation (eg $APACHE_ROOT =/usr/local/apache)

vi /usr/loca/apache/conf/httpd.conf 

After this add the below code in httpd.conf

<IfModule mod_dosevasive.c>

 DOSHashTableSize 3097

 DOSPageCount 2

 DOSSiteCount 50

 DOSPageInterval 1

 DOSSiteInterval 1

 DOSBlockingPeriod 10

 </IfModule> 
/usr/loca/apache/bin/apachectl restart 

Install Mod_security .

Since DDOS normally targets http. Its always good to have a filtering system for apache . So that the request gets analyzed before web server handles it. Please find the installation step of mod_security in DSO mode below

Eg: Installation Steps

http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz

 tar -zxvf modsecurity-apache-1.9.2.tar.gz

 cd modsecurity-apache-1.9.2

/usr/local/apache/bin/apxs -cia mod_security.c 

Create a file named mod_security.conf under the folder /usr/local/apache/conf

 vi /usr/local/apache/conf/mod_security.conf 

Create the rule with reference to the link http://www.modsecurity.org/documentation/quick-examples.html

and add it in the mod_security.conf file.

Add the location of mod_security.conf to httpd.conf

 vi /usr/local/apache/conf/httpd.conf 

Add the string below Include /usr/local/apache/conf/mod_security.conf

 /usr/local/apache/bin/apachectl stop

 /usr/local/apache/bin/apachectl start 

Category : General, Howtos, Linux, Security, Special Offers, Training, Troubleshooting

Faheem P.

Faheem P.

Faheem enjoys learning new technologies and loves to implement cutting edge solutions. He is one of the most active member in various technical forums and is a familiar face in various brain storming sessions. He takes great pride in being an explorer and the best thing you can be sure about in his room is the backpack!!

You may also read:

Comments

Add new commentSIGN IN

Let's Connect

Get new updates

Categories

$0.000 items