help with iptables

Support for security such as Firewalls and securing linux
dreams3577
Posts: 8
Joined: 2009/10/17 07:31:29

help with iptables

Post by dreams3577 » 2011/07/17 12:14:01

Hi all..

I have an issue with what I believe to be a DoS attack on my webserver. I have been reading a number of articles, and most suggest altering the iptables (firewall) rules to help combat the issue; however, none say how the iptables rules should look.

My server needs:
I'm running CentOS 5, Apache, PHP, MySQL, Plesk, SSH.
The server is being used to serve a website using a PHP content management system with a MySQL database, and it requires the ability to upload files via PHP.

Please can anyone suggest restrictive iptables rules that don't deny me access to the website or Plesk?

My current iptables is below. This is a VPS server, as delivered by Fasthosts.
[quote]
---------------------------------------------------------------------------------------------------
[root@server***-***-***-*** ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:cddbp-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:poppassd
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:postgres
ACCEPT tcp -- anywhere anywhere tcp dpt:9008
ACCEPT tcp -- anywhere anywhere tcp dpt:glrpc
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp type 8 code 0
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN reject-with tcp-reset
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
[root@server***-***-***-*** ~]#
---------------------------------------------------------------------------------------------------
[/quote]

Many Thanks
Steve

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

help with iptables

Post by unspawn » 2011/07/17 16:11:17

[quote]dreams3577 wrote:
I have a issue with what I believe to be a DOS attack on my webserver, [/quote]
CYP post some details so we can look at it ourselves?


[quote]dreams3577 wrote:
My Server needs
I'm running centos 5, apache, php, mysql, plesk, ssh
The server is being used to serve a website using php content management with a mysql database and requires the need to upload files via php [/quote]
I hope you run an up-to-date CentOS 5.6 and have properly hardened services: local account password aging, not allowing root to log in over SSH, running hardened PHP if possible, web server rate limiting, mod_security with the OWASP rule set and fail2ban, to name just a few items.


[quote]dreams3577 wrote:
[root@server***-***-***-*** ~]# iptables -L[/quote]
Please post your /etc/sysconfig/iptables, or 'iptables-save > /tmp/iptables-save.log' if the current rules aren't in sync with the config, as I don't read this kind of output well. Besides, it is easier to edit your rule file. Obfuscate any relevant IP addresses as, for instance, "WEB_SERVER", "DATABASE_SERVER" and "HOME_IP" where prudent.

dreams3577
Posts: 8
Joined: 2009/10/17 07:31:29

Re: help with iptables

Post by dreams3577 » 2011/07/17 18:18:39

Hi

As for DoS attacks, I'm only guessing based on what is happening; however, I cannot confirm it. Where would it show?

I have been monitoring the server via the commands below:
tail -f /var/log/httpd/error_log
netstat -natc
tcptrack -i seth0

What do you use for 'web server rate limiting'?

I have now installed mod_security and fail2ban; however, I cannot find the 'OWASP rule set' or how to apply it.

'PermitRootLogin' is set to 'no'

Below is the output from:
# nano /etc/sysconfig/iptables

[quote]
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
######## Allowed services
# FTP
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Apache ( Webserver )
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Bind ( DNS )
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# Postfix ( SMTP )
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
# Dovecot ( POP3/Imap )
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
# Mysql ( SQL Server )
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 3306 -j ACCEPT
# SNMPD for monitoring
-A INPUT -m state --state NEW -m udp -p udp --dport 161 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 161 -j ACCEPT
# Plesk
-A INPUT -p tcp --dport 8880 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 8443 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 11444 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[/quote]

Thank you for all the help.
Steve

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: help with iptables

Post by unspawn » 2011/07/17 20:52:53

[quote]dreams3577 wrote:
i'm only guessing based on what is happening[/quote]
So, what [i]is[/i] happening? What do you experience? Do elaborate.


[quote]dreams3577 wrote:
I have been monitoring the server via the commands below..
tail -f /var/log/httpd/error_log
netstat -natc
tcptrack -i seth0[/quote]
Commands are nice but what do they [i]show[/i]?


[quote]dreams3577 wrote:
what do you use for 'web server rate limiting'??[/quote]
Quite a few options: http://httpd.apache.org/docs/trunk/mod/mod_ratelimit.html, http://codee.pl/cband.html, http://www.zdziarski.com/blog/?page_id=442, http://dominia.org/djao/limitipconn2.html, all in conjunction with iptables, as you don't want a single layer to take care of this (it is less error-prone and less CPU-intensive anyway to handle things at the network layer instead of the application layer). Mind you, if you're talking DDoS then a good relationship with your upstream is important, as you might need their help. If they don't have one of them newfangled scrubbing routers then temporarily severing the connection may be a last-resort option.


[quote]dreams3577 wrote:
I have now installed mod_security and fail2ban, however cannot find the 'OWASP rule set' and how to apply them.[/quote]
See https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project#tab=Home ?


[quote]dreams3577 wrote:
# nano /etc/sysconfig/iptables[/quote]
Wrt your rules:
- set the default INPUT and FORWARD policy to DROP and only allow traffic you need.
- filter [url=http://www.team-cymru.org/Services/Bogons/]bogons[/url].
- filter "-m conntrack --ctstate INVALID"
- use rate limiting ('iptables -m limit --help').
- ensure fail2ban takes care of failed FTP and SSH logins.
- it is unlikely you need to provide DNS, SMTP, SNMP, POP, IMAP and MySQL to the 'net (they are mostly in use by localhost): reconfigure those services to listen on lo or a UNIX socket.
- if you need to provide email accounts, force POPS and IMAPS, use rate limiting and enable fail2ban for those services.
- if you need SNMP, set your source IP address (or range if dynamic), use SNMPv2 and set read-only mode for the community.
- for Plesk ports, confine access and set your source IP address (or range if dynamic).
You'll probably want http://www.frozentux.net/documents/iptables-tutorial/
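The rule list above, turned into a concrete /etc/sysconfig/iptables for this host. This is an added example, not the poster's or the forum's own file; it assumes eth0 is the public interface, uses 203.0.113.0/24 as a placeholder for HOME_IP, and its bogon entries are a short constructed sample rather than the full Team Cymru list.

```shell
#!/bin/sh
# Emit a hardened ruleset in iptables-save format for a single web/Plesk host.
# HOME_IP is the admin's source address or range (placeholder: 203.0.113.0/24,
# a documentation range). eth0 as the public interface is an assumption.
gen_rules() {
    HOME_IP="$1"
    cat <<EOF
*filter
# Default-deny on INPUT and FORWARD; anything not matched below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Drop what conntrack cannot classify before any ACCEPT sees it.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Bogon filtering, constructed sample only (RFC 1918 + loopback); the
# current full list is published by Team Cymru and must replace this.
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
# Only echo-request, at a bounded rate, instead of "icmp-type any".
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT
# Public web: new connections accepted at a bounded rate; the burst absorbs
# normal spikes. Note -m limit is one global bucket, not a per-source one.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m limit --limit 50/second --limit-burst 200 -j ACCEPT
# SSH and the Plesk panel only from the admin's range; fail2ban watches the logs.
-A INPUT -p tcp -s ${HOME_IP} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${HOME_IP} -m multiport --dports 8443,8880 -m conntrack --ctstate NEW -j ACCEPT
# No rules for 53, 25, 110, 143, 161 or 3306: those services are bound to
# localhost or a UNIX socket. FTP (21) is omitted; if needed, confine it like SSH.
COMMIT
EOF
}

# Stand-alone use: sh gen_rules.sh HOME_IP > /tmp/iptables.new, review it,
# load it with iptables-restore, then copy it over /etc/sysconfig/iptables.
gen_rules "${1:-203.0.113.0/24}"
```

Load the generated file from a console session rather than over SSH, so a mistake in HOME_IP cannot lock you out.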
