IP blacklisting and Firewall

IP tables

# clear tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# using for logging, and dropping
iptables -N LOGNDROP
iptables -A LOGNDROP -m limit --limit 15/min -j LOG --log-prefix "DENIED: "
iptables -A LOGNDROP -j DROP

# accept the basics
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# nagios and ssh, only from controller and backup

iptables -A INPUT -p tcp -s CONTROLLER --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s backup.deflect.ca --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s CONTROLLER --dport 5666 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s backup.deflect.ca --dport 5666 -m state --state NEW,ESTABLISHED -j ACCEPT

# spoofed source addresses:
iptables -N BADADDRESS
iptables -A BADADDRESS -m limit --limit 15/min -j LOG --log-prefix "BADADDRESS: "
iptables -A INPUT -p tcp -s 192.168.0.0/16 -j BADADDRESS
iptables -A INPUT -p tcp -s 127.0.0.0/8 -j BADADDRESS
iptables -A INPUT -p tcp -s 10.0.0.0/8 -j BADADDRESS

# bad flags:
iptables -N BADFLAGS
iptables -A BADFLAGS -m limit --limit 15/min -j LOG --log-prefix "BADFLAGS: "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j BADFLAGS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j BADFLAGS
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j BADFLAGS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j BADFLAGS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j BADFLAGS
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j BADFLAGS

# allow established out / in sessions
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop everything else
# we can try logging
iptables -A INPUT -j LOGNDROP

SYN flooding

To ensure the system is protected against SYN flooding, add these lines to /etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=40

BotNetBDP

For an overview, see the BotnetDBP page.

IP blacklisting with Fail2ban

we still use fail2ban but main for non apache traffic server log parsing. It has been updated to banjax/swabber

Deflect is primarily designed to resist distributed denial of service attack. This requires that Deflect be able to resist simple denial of service attack in the first place. Deflect uses Fail2ban to deal with this kind of attack. Fail2ban is an intrusion detection and prevention tool which works based on analyzing the log files generated by different servers and daemons running on a system. In the case of Deflect, Fail2ban checks the log file, generated by ATS and look for different kind of anomalies which suggest that a client reaching the edge with a malicious intention.

After finding an intruder, Fail2ban uses iptables to blacklist its ip. In this section, the basic configuration of Fail2ban for Deflect is explained.

Configuring Fail2ban

Config files live in

/usr/local/deflect/edge/etc/fail2ban

for initial push and/or config update:

deploy.sh -H edgename -p fail2ban

All the required packages are available in the distribution.

apt-get -y install fail2ban

The default rules are acceptable. Add the following to /etc/fail2ban files. It will block hosts for 300 seconds that make more than 100 requests in 10 seconds.

jail.local:

[ats-ddos] enabled = true port = http,https filter = ats-ddos logpath = /usr/local/trafficserver/logs/deflect.log maxretry = 100 findtime = 10 bantime = 300 action = iptables[name=HTTP, port=http, protocol=tcp]

filter.d/ats-ddos.conf:

[Definition]

failregex = ^ .* ignoreregex =