|
|
Hello các bạn
Server mình dạo này thường xuyên bị ddos, attacker có 2 kiểu ddos như sau :
Mình dùng tcpdump, mình dùng Linux server, file pcap mình open trên windows
Loại thứ 1 : SYN FLOOD
http://i.upanh.com/vpvtsn
File capture package : http://www.mediafire.com/download/09dy34d9y99adk4/ddos-servervn.pcap
Tình trạng : SSH vẫn truy cập bình thường, nhưng apache port 80 bị treo dẫn đến toàn bộ website không tải được.
Kiểm tra trạng thái kết nối, mình thấy thế này :
5 ESTABLISHED
1 FIN_WAIT2
3 LISTEN
5 TIME_WAIT
300 SYN_RECV
Dùng CSF enable SYNFLOOD giới hạn lại cũng chẳng ăn thua
Loại thứ 2 : DNS Ampli DDoS
http://i.upanh.com/vpvtsd
File dump : http://www.mediafire.com/?ptdl4qifm9etdxc
Loại này kinh khủng quá, nó ddos vào là server die liền, ko kịp ngáp, OFF mạng của Dedicated, dùng KVM remote vào, lệnh #iptraf, thấy TCP bình thường, nhưng UDP chạy chóng mặt, card mạng mình max là 100mbps, nó ddos vào 15s là lên đến 99mbps, server die ngay lập tức, không thể SSH, chỉ có thể ngồi tại phòng server mà gõ terminal.
Nếu cần mình sẽ attack file pcap dump đc khi bị ddos lên cho các bạn xem và dễ hình dung nhé.
Mong các bạn hỗ trợ mình, vì ngày nào mình cũng chịu ít nhất là 2 giờ bị ddos, không biết làm sao để thoát nạn cả.
Cảm ơn các bạn đã quan tâm.
|
|
|
Mình có con server, chạy directadmin, share host cho khách sử dụng..
Nhưng mấy hôm nay, có 1 số user bị ddos, khiến log ngày càng nặng ...
Toàn bộ log của user được lưu trong : /var/log/httpd/domains/
Nếu tình trạng này log cứ tăng dung lượng chắc hết HDD mất ....
Các bạn cho mình hỏi các log trong domains có thể del đi được không, nếu không thì có cách nào clear nó không ?
Làm vậy có ảnh hưởng gì đến user đang sử dụng không ???
Cảm ơn nhìu lắm ạ ....
|
|
|
Mình config APF như thế này :
#!/bin/sh
#
# APF 9.7 [apf@r-fx.org]
# Copyright (C) 1999-2007, R-fx Networks <proj@r-fx.org>
# Copyright (C) 2007, Ryan MacDonald <ryan@r-fx.org>
# This program may be freely redistributed under the terms of the GNU GPL
#
# NOTE: This file should be edited with word/line wrapping off,
# if your using pico/nano please start it with the -w switch
# (e.g: pico -w filename)
# NOTE: All options in this file are integer values unless otherwise
# indicated. This means value of 0 = disabled and 1 = enabled.
##
# [Main]
##
# !!! Do not leave set to (1) !!!
# When set to enabled; 5 minute cronjob is set to stop the firewall. Set
# this off (0) when firewall is determined to be operating as desired.
DEVEL_MODE="0"
# The installation path of APF; this can be changed but it is not recommended.
INSTALL_PATH="/etc/apf"
# Untrusted Network interface(s); all traffic on defined interface will be
# subject to all firewall rules. This should be your internet exposed
# interfaces. Only one interface is accepted for each value.
IFACE_IN="venet0"
IFACE_OUT="venet0"
# Trusted Network interface(s); all traffic on defined interface(s) will by-pass
# ALL firewall rules, format is white space or comma separated list.
IFACE_TRUSTED=""
# This option will allow for all status events to be displayed in real time on
# the console as you use the firewall. Typically, APF used to operate silent
# with all logging piped to $LOG_APF. The use of this option will not disable
# the standard log file displayed by apf --status but rather compliment it.
SET_VERBOSE="1"
# The fast load feature makes use of the iptables-save/restore facilities to do
# a snapshot save of the current firewall rules on an APF stop then when APF is
# instructed to start again it will restore the snapshot. This feature allows
# APF to load hundreds of rules back into the firewall without the need to
# regenerate every firewall entry.
# Note: a) if system uptime is below 5 minutes, the snapshot is expired
# b) if snapshot age exceeds 12 hours, the snapshot is expired
# c) if conf or a .rule has changed since last load, snapshot is expired
# d) if it is your first run of APF since install, snapshot is generated
# - an expired snapshot means APF will do a full start rule-by-rule
SET_FASTLOAD="0"
# Virtual Network Sub-System (VNET) creates independent policy rule set for
# each IP on a system to /etc/apf/vnet/IP.rules. These rule files can be
# configured with conf.apf variables for unique but convenient firewall
# policies or custom iptables entries for even greater flexibility.
SET_VNET="0"
# This feature firewalls any additional interfaces on the server as untrusted
# through the VNET sub-system. Excluded are interfaces that have already been
# defined by IFACE_* variables. This feature is ideal for systems running
# private interfaces where not all hosts on the private network are trusted or
# are otherwise exposed to "open" networks through this private interface
# (i.e: the Internet, network accessible storage LAN, corporate WAN, etc..)
SET_ADDIFACE="0"
# This allows the firewall to work around modular kernel issues by assuming
# that the system has all required firewall modules compiled directly into
# kernel. This mode of operation is not generally recommended but can be used
# scale APF to unique situations.
SET_MONOKERN="1"
# This controls how often, if at all, we want the trust system to refresh rules.
# The firewall will flush & reload all static rules, redownload global rules and
# re-resolve any dns names in the rules. This is ideal when using dynamic dns
# names or downloadable global trust rules. [value in minutes, 0 to disable]
SET_REFRESH="10"
# This is the total amount of rules allowed inside of the deny trust system.
# When this limit is reached, the deny rule files will begin to purge older
# entries to maintain the set limit. [value is max lines, 0 for unlimited]
SET_TRIM="150"
# Verifies that the IFACE_* and IFACE_TRUSTED interfaces are actually routed
# to something. If configured interfaces are found with no routes setup then
# APF will exit with an error to prevent further issues (such as being locked
# out of the system).
VF_ROUTE="1"
# Verifies that crond is running when DEVEL_MODE=1; if not then APF will not
# try to load as if lock-up occurs no cron service to flush firewall.
VF_CROND="1"
# Verifies that all inbound traffic is sourced from a defined local gateway MAC
# address. All other traffic that does not match this MAC address will be
# rejected as untrusted traffic. It is quite easy to forge a MAC address and as
# such this feature executes NO default accept policy. Leave this option empty
# to disable or enter a 48-bit MAC address to enable.
VF_LGATE=""
##
# [Reactive Address Blocking]
##
# The use of RAB is such that it allows the firewall to track an address as it
# traverses the firewall rules and subsequently associate that address across
# any number of violations. This allows the firewall to react to critical
# policy violations by blocking addresses temporarily on the assumed precaution
# that we are protecting the host from what the address may do on the pretext
# of what the address has already done. The interface that allows RAB to work
# resides inside the kernel and makes use of the iptables 'ipt_recent' module,
# so there is no external programs causing any additional load.
RAB="0"
# This enables RAB for sanity violations, which is when an address breaks a
# strict conformity standard such as trying to spoof an address or modify
# packet flags. It is strongly recommended that this option NOT be disabled.
RAB_SANITY="1"
# This enables RAB for port scan violations, which is when an address attempts
# to connect to a port that has been classified as malicious. These types of
# ports are those which are not commonly used in today's Internet but are
# the subject of scrutiny by attackers, such as ports 1,7,9,11. Each security
# level defines the amount of ports that RAB will react against. The port
# security groups can be customized in 'internals/rab.ports'.
# 0 = disabled | 1 = low security | 2 = medium security | 3 = high security
RAB_PSCAN_LEVEL="1"
# This controls the amount of violation hits an address must have before it
# is blocked. It is a good idea to keep this very low to prevent evasive
# measures. The default is 0 or 1, meaning instant block on first violation.
RAB_HITCOUNT="1"
# This is the amount of time (in seconds) that an address gets blocked for if
# a violation is triggered, the default is 300s (5 minutes).
RAB_TIMER="300"
# This allows RAB to 'trip' the block timer back to 0 seconds if an address
# attempts ANY subsiquent communication while still on the inital block period.
RAB_TRIP="1"
# This controls if the firewall should log all violation hits from an address.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_HIT="1"
# This controls if the firewall should log all subsiqent traffic from an address
# that is already blocked for a violation hit, this can generate allot of logs.
# The use of LOG_DROP variable set to 1 will override this to force logging.
RAB_LOG_TRIP="0"
##
# [Packet Filtering/Handling]
##
# How to handle TCP packet filtering?
#
# RESET (sends a tcp-reset; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
TCP_STOP="DROP"
# How to handle UDP packet filtering?
#
# RESET (sends a icmp-port-unreachable; TCP/IP default)
# DROP (drop the packet; stealth ?)
# REJECT (reject the packet)
# PROHIBIT (send an icmp-host-prohibited)
UDP_STOP="DROP"
# How to handle all other packet filtering?
#
# DROP (drop the packet)
# REJECT (reject the packet)
ALL_STOP="DROP"
# The sanity options control the way packets are scrutinized as they flow
# through the firewall. The main PKT_SANITY option is a top level toggle for
# all SANITY options and provides general packet flag sanity as a pre-scrub
# for the other sanity options. In short, this makes sure that all packets
# coming and going conform to strict TCP/IP standards. In doing so we make it
# very difficult for attackers to inject raw/custom packets into the server.
PKT_SANITY="1"
# Block any packets that do not conform as VALID, this feature is safe for most
# but some may experience protocol issues with broken remote clients. This is
# very similar to PKT_SANITY but has a wider scope and as such has the ability
# to affect many application protocols in undesirable ways.
PKT_SANITY_INV="0"
# Block any fragmented UDP packets, this is safe as no UDP packets should
# ever be fragmented.
PKT_SANITY_FUDP="1"
# Block packets with a source or destination of port 0, this is safe as
# nothing should ever communicate on port 0 (technically does not exist).
PKT_SANITY_PZERO="1"
# The implementation of Type of Service (TOS) in APF is such that it allows
# you to classify service priorities by port. These priorities are broken down
# into 5 groups and they are:
# 0 = No Change
# 2 = Minimize-Cost
# 4 = Minimize Delay - Maximize Reliability
# 8 = Maximum Throughput - Minimum Delay
# 16 = No Delay - Moderate Throughput - High Reliability
#
# Set the default TOS value [0,2,4,8,16]
TOS_DEF="0"
# Set the default TOS port range
TOS_DEF_RANGE="512:65535"
# 0: Ports for Normal-Service
TOS_0=""
# 2: Ports for Minimize-Cost
TOS_2=""
# 4: Ports for Minimize Delay - Maximize Reliability
TOS_4=""
# 8: Ports for Maximum Throughput - Minimum Delay
TOS_8="21,20,80"
# 16: Ports for No Delay - Moderate Throughput - High Reliability
TOS_16="25,110,143"
# Allow traceroute requests on the defined range of ports. This feature
# is not required for normal operations and some even prefer it disabled.
# Enable Traceroute # Traceroute ports
TCR_PASS="1" TCR_PORTS="33434:33534"
# Set a reasonable packet/time ratio for ICMP packets, exceeding this flow
# will result in dropped ICMP packets. Supported values are in the form of:
# pkt/s (packets/seconds), pkt/m (packets/minutes)
# Set value to 0 for unlimited, anything above is enabled.
ICMP_LIM="30/s"
# Creates firewall rules based on the local name servers as defined in the
# /etc/resolv.conf file. This is the preferred secure method for client side
# name server requests. This option has no bearing on a locally hosted DNS
# service.
RESV_DNS="1"
# When RESV_DNS is enabled, all the untrusted name server traffic can fill the
# logs with client DNS traffic. This can be suppressed with an implicit drop
# of all such traffic (sport 53 inbound) as so to avoid log chains. If you run
# applications that have unique name servers configured, this may break them.
RESV_DNS_DROP="1"
# A common set of known Peer-To-Peer (p2p) protocol ports that are often
# considered undesirable traffic on public Internet servers. These ports
# are also often abused on web hosting servers where clients upload p2p
# client agents for the purpose of distributing or downloading pirated media.
# Format is comma separated for single ports and an underscore separator for
# ranges (4660_4678).
BLK_P2P_PORTS="1214,2323,4660_4678,6257,6699,6346,6347,6881_6889,6346,7778"
# These are common Internet service ports that are understood in the wild
# services you would not want logged under normal circumstances. All ports
# that are defined here will be implicitly dropped with no logging for
# TCP/UDP traffic inbound or outbound. Format is comma separated for single
# ports and an underscore separator for ranges (135_139).
BLK_PORTS="135_139,111,513,520,445,1433,1434,1234,1524,3127"
# You need multicasting if you intend to participate in the MBONE, a high
# bandwidth network on top of the Internet which carries audio and video
# broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/, this is generally
# safe to enable.
BLK_MCATNET="0"
# Block all private ipv4 addresses, this is address space reserved for private
# networks or otherwise unroutable on the Internet. If this host resides behind
# a router with NAT or routing scheme that otherwise uses private addressing,
# leave this option OFF. Refer to the 'internals/private.networks' file for
# listing of private address space.
BLK_PRVNET="0"
# Block all ipv4 address space marked reserved for future use (unassigned),
# such networks have no business talking on the Internet. However they may at
# some point become live address space. The USE_RD option further in this file
# allows for dynamic updating of this list on every full restart of APF. Refer
# to the 'internals/reserved.networks' file for listing of address space.
BLK_RESNET="1"
# Block all ident (tcp 113) requests in and out of the server IF the port is
# not already opened in *_TCP_CPORTS. This uses a REJECT target to make sure
# the ident requests terminate quickly. You can see an increase in irc and
# other connection performance with this feature.
BLK_IDENT="0"
# This is the maximum number of "sessions" (connection tracking entries) that
# can be handled simultaneously by the firewall in kernel memory. Increasing
# this value too high will simply waste memory - setting it too low may result
# in some or all connections being refused, in particular during denial of
# service attacks.
SYSCTL_CONNTRACK="65536"
# These are system control (sysctl) option changes to disable TCP features
# that can be abused in addition to tweaking other TCP features for increased
# performance and reliability.
SYSCTL_TCP="1"
# These are system control (sysctl) option changes intended to help mitigate
# syn-flood attacks by lowering syn retry, syn backlog & syn time-out values.
SYSCTL_SYN="0"
# These are system control (sysctl) option changes to provide protection from
# spoofed packets and ip/arp/route wwwection. If you are performing advanced
# routing policies on this host such as NAT/MASQ you should disable this.
SYSCTL_ROUTE="0"
# This system control (sysctl) option will log all network traffic that is
# from impossible source addresses. This option can discover attacks or issues
# on your network you may otherwise not be aware of.
SYSCTL_LOGMARTIANS="0"
# This system control (sysctl) option will allow you to control ECN support
# (Explicit Congestion Notification). This feature provides an improved method
# for congestion avoidance by allowing the network to mark packets for
# transmission later, rather than dropping them from the queue. Please also
# see related USE_ECNSHAME option further down in this file.
SYSCTL_ECN="0"
# This system control (sysctl) option will allow you to make use of SynCookies
# support. This feature will send out a 'syn-cookie' when the syn backlog for a
# socket becomes overflowed. The cookie is used to interrupt the flow of syn
# transmissions with a hashed sequence number that must be correlated with the
# sending host. The hash is made up of the sending host address, packet flags
# etc..; if the sending host does not validate against the hash then the tcp
# hand-shake is terminated. In short, this helps to mitigate syn-flood attacks.
# Note: syncookies seriously violates TCP protocol and can result in serious
# degradation of some services (i.e. SMTP); visible not by you, but your
# clients and relays whom are contacting your system.
SYSCTL_SYNCOOKIES="1"
# This system control (sysctl) option allows for the use of Abort_On_Overflow
# support. This feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative for
# SynCookies and both should NEVER be enabled at once.
# Note: This option can harm clients contacting your system. Enable option only
# if you are sure that the listening daemon can not be tuned to accept
# connections faster.
SYSCTL_OVERFLOW="0"
# The helper chains are designed to assist applications in working with the
# stateful firewall in a more reliable fashion. You should keep these settings
# current with the ports SSH and FTP are operating on. Please DO NOT CONFUSE
# these settings with opening the SSH/FTP port as they have no bearing on
# actually connecting to the services. They are only for helping maintain your
# connection to the services [ESTABLISHED,RELATED connection states, not NEW].
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="1"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
# Configure inbound (ingress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory. Format is comma separated
# and underscore separator for ranges.
#
# Example:
# IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587953,2222,3306,32769,35000,35999"
# IG_UDP_CPORTS="20,21,53,123"
# IG_ICMP_TYPES="3,5,11,0,30,8"
# Common inbound (ingress) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,587,993,995,2222,8000,8050,8005,3784,6000_7000,35000,35999"
# Common inbound (ingress) UDP ports
IG_UDP_CPORTS="21,53,8000,8050,8005,3784,35000,35999"
# Common ICMP inbound (ingress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
IG_ICMP_TYPES="3,5,11,0,30,8"
# Configure outbound (egress) accepted services. This is an optional
# feature; services and customized entries may be made directly to an ip's
# virtual net file located in the vnet/ directory.
#
# Outbound (egress) filtering is not required but makes your firewall setup
# complete by providing full inbound and outbound packet filtering. You can
# toggle outbound filtering on or off with the EGF variable. Format is comma
# separated and underscore separator for ranges.
#
# Example:
# EG_TCP_CPORTS="21,25,80,443,43"
# EG_UDP_CPORTS="20,21,53"
# EG_ICMP_TYPES="all"
# Outbound (egress) filtering
EGF="1"
# Common outbound (egress) TCP ports
EG_TCP_CPORTS="21,22,25,37,43,53,80,443,587,993,995,8000,8050,8005,3784,35000,35999,6000_7000"
# Common outbound (egress) UDP ports
EG_UDP_CPORTS="20,21,53,8000,8050,8005,3784,35000,35999,6000_7000"
# Common ICMP outbound (egress) types
# 'internals/icmp.types' for type definition; 'all' is wildcard for any
EG_ICMP_TYPES="all"
# Configure user-id specific outbound (egress) port access. This is a more
# granular feature to limit the scope of outbound packet flows with user-id
# conditioning. Format is comma separated and underscore separator for ranges.
# This is NOT A FILTERING FEATURE, this is an ACCESS CONTROL feature. That
# means EG_TCP_UID and EG_UDP_UID are intended to ALLOW outbound access for
# specified users, not DENY.
#
# Format: EG_[TCP|UDP]_UID="uid:port"
# Example:
# Allow outbound access to destination port 22 for uid 0
# EG_TCP_UID="0:22"
# UID-Match outbound (egress) TCP ports
EG_TCP_UID=""
# UID-Match outbound (egress) UDP ports
EG_UDP_UID=""
# Configure executable specific outbound (egress) filtering. This is a more
# granular feature to limit the scope of outbound packet flows with executable
# conditioning. The packet filtering is based on the CMD process field being
# passed along to iptables. All logged events for these rules will also include
# the executable CMD name in the log chain. This is A FILTERING FEATURE, not an
# ACCESS CONTROL feature. That means EG_DROP_CMD is intended to DENY outbound
# access for specified programs, not ALLOW.
#
# Format is comma separated list of executable names you wish to ban from being
# able to transmit data out of your server.
# CMD-Match outbound (egress) denied applications
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
##
# [Remote Rule Imports]
##
# Project Honey Pot is the first and only distributed system for identifying
# spammers and the spambots they use to scrape addresses from your website.
# This aggregate list combines Harvesters, Spammers and SMTP Dictionary attacks
# from the PHP IP Data at: http://www.projecthoneypot.org/list_of_ips.php
DLIST_PHP="0"
DLIST_PHP_URL="rfxn.com/downloads/php_list"
DLIST_PHP_URL_PROT="http"
# The Spamhaus Don't Route Or Peer List (DROP) is an advisory "drop all
# traffic" list, consisting of stolen 'zombie' netblocks and netblocks
# controlled entirely by professional spammers. For more information please
# see http://www.spamhaus.org/drop/.
DLIST_SPAMHAUS="0"
DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
DLIST_SPAMHAUS_URL_PROT="http"
# DShield collects data about malicious activity from across the Internet.
# This data is cataloged, summarized and can be used to discover trends in
# activity, confirm widespread attacks, or assist in preparing better firewall
# rules. This is a list of top networks that have exhibited suspicious activity.
DLIST_DSHIELD="0"
DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
DLIST_DSHIELD_URL_PROT="http"
# The reserved networks list is addresses which ARIN has marked as reserved
# for future assignement and have no business as valid traffic on the internet.
# Such addresses are often used as spoofed (Fake) hosts during attacks, this
# will update the reserved networks list in order to prevent new ip assignments
# on the internet from getting blocked; this option is only important when
# BLK_RESNET is set to enabled.
DLIST_RESERVED="1"
DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"
# ECN is an extension which helps reduce congestion. Unfortunately some
# clueless software/hardware vendors have setup their sites or implemented
# TCP/IP in a very broken manner. If you try to talk to these sites with ECN
# turned on, they will drop all packets from you. This feature uses the ECN
# hall of shame list to turn off ECN in packets to these hosts so your traffic
# is accepted as intended. This option is dependent on setting SYSCTL_ECN="1"
# otherwise it stays disabled.
DLIST_ECNSHAME="0"
DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst"
DLIST_ECNSHAME_URL_PROT="http"
##
# Global Trust
##
# This is an implementation of the trust rules (allow/deny_hosts) but
# on a global perspective. You can define below remote addresses from
# which the glob_allow/deny.rules files should be downloaded from on
# a daily basis. The files can be maintained in a static fashion by
# leaving USE_RGT=0, ideal for a host serving the files.
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules" # glob_allow.rules url (no *://)
GA_URL_PROT="http" # protocol for use with wget
GD_URL="yourhost.com/glob_deny.rules" # glob_deny.rules url (no *://)
GD_URL_PROT="http" # protocol for use with wget
##
# [Logging and control settings]
##
# Log all traffic that is filtered by the firewall
LOG_DROP="0"
# What log level should we send all log data too?
# refer to man syslog.conf for levels
LOG_LEVEL="crit"
# Where should we send all the logging data?
# ULOG (Allow ulogd to handle the logging)
# LOG (Default; sends logging to kernel log)
LOG_TARGET="LOG"
# Log interactive access over telnet & ssh; uses
# custom log prefix of ** SSH ** & ** TELNET **
LOG_IA="1"
# Log all foreign gateway traffic
LOG_LGATE="0"
# Extended logging information; this forces the output of tcp options and
# ip options for packets passing through the log chains
LOG_EXT="0"
# Max firewall events to log per/minute. Log events exceeding these limits
# will be lost (1440 minutes/day * 30 events/minute = 43200 events per/day)
LOG_RATE="30"
# Location of the apf status log; all startup, shutdown and runtime status
# sends outputs to this file
LOG_APF="/var/log/apf_log"
##
# [Import misc. conf]
##
# Internal variable file
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT
Start APF ok ... nhưng khi login vào FTP bằng filezilla or cute thì ko thể truy xất danh sách thư mục ....
Chạy ftp trên web cũng ko load đc ...
Các bạn giúp mình với nhé ! Cảm ơn nhiều !
|
|
|
Bạn vẫn chưa phúc đáp giúp mình các vấn đề mình nêu ra
Thank bạn nhiều lắm !
|
|
|
Thứ 1 mình muốn hỏi :
Các rules trên có chống đc khi bọn chúng dùng tools ddos treo trên VPS, request liên tục vào các file trên. Liệu rules đó mình ghi có đúng không ????
Có rules nào mà khi gặp request trái phép thì deny liền không ?
Thứ 2 mình muốn hỏi :
Như HVA đã nói, dùng Rule : SecRule REQUEST_URI "../" "t:urlDecode,deny"
để deta61tshell thì ok, hấu hết các shell sau khi thực thi, link sẽ có dạng %2%2 ...
Nhưng nếu chạy rules nó, thì không thể load ảnh của website lên được, nó sẽ chặn toàn bộ images trên host của khách, các images đó sẽ thành forbidden
Thứ 3 mình muốn hỏi :
Có thể cho mình xin cái rules chung, chi attacker gởi các packet bất hợp pháp thì deny liền và chặn IP đó, save vào log, unban sau 1 thời gian hoặc có thể cấm luôn nếu tiếp tục request !
Có cách nào giảm tải cho server không ? các process httpd chiếm quá nhiều bộ nhớ ram.
Tối nay check cái HTML tool share by HiSoKa coi nó gởi các gói tin như thế nào thì HVA giúp mình deny nó nhé.
============================
Cảm ơn ADMIN HVA nhiều ạ !
|
|
|
Bài viết của bạn rất hay ....
Có 1 điều mình muốn bạn giúp ...
Mình có 1 forum, nó thường xuyên attack vào register.php, calendar.php, index.php, forum.php, content.php ....
Mình có set rule như thế này :
SecRule IPDOS "@gt 5" "nolog,drop"
SecRule REQUEST_URI "^/calendar\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/calendar\*" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/register\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/register\*" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/index\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/index\.html" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/login\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/content\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/blog\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/forum\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/forumdisplay\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/forumdisplay\*" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/showthread\.php" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
SecRule REQUEST_URI "^/showthread\*" "nolog,phase:1,setvar:ip.ddos=+1,deprecatevar:ip.ddos=5/60,expirevar:ip.ddos=600"
Liệu có chống đc ddos không ? Hiện tại mình dùng JANIDOS tools khi ddos thì các request bị trả về, nhưng với cái này : DDos Attack site down = HTML tool share by HiSoKa
Download : http://www.mediafire.com/?uv62arviphu8zj8
Chỉ là 1 file html bình thường, bấm nút thì ram của server tụt hẳn và 5p sau die liền ....
Bạn có thể giúp mình một số rules để bảo đảm ddos + flood khó thể xâm hại đc ko ?
Cảm ơn nhiều nhé ....
|
|
|
khang0001 wrote:
đã fix thành công lỗi
Pác ? Fix sao thế pác ... mình bị lỗi y chang ... hơn nữa, còn lỗi này nữa
[17:39:45] Info: Starting test name 'group_changes'
[17:39:45] Checking for group file changes [ Warning ]
[17:39:45] Warning: Group 'svtm' has been added to the group file.
[17:39:45] Warning: Group 'kenluv' has been added to the group file.
[17:39:45] Warning: Group 'jaoviet' has been added to the group file.
[17:39:45] Warning: Group 'nct' has been added to the group file.
[17:39:45] Warning: Group 'matthu' has been removed from the group file.
[17:39:45] Checking root account shell history files [ OK ]
[17:39:46]
[17:39:46] Info: Starting test name 'system_configs'
[17:39:46] Performing system configuration file checks
[17:39:46] Checking for SSH configuration file [ Found ]
[17:39:46] Info: Found SSH configuration file: /etc/ssh/sshd_config
[17:39:46] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
[17:39:46] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
[17:39:46] Checking if SSH root access is allowed [ Warning ]
[17:39:46] Warning: The SSH configuration option 'PermitRootLogin' has not been set.
The default value may be 'yes', to allow root access.
[17:39:46] Checking if SSH protocol v1 is allowed [ Not allowed ]
[17:39:46] Checking for running syslog daemon [ Found ]
[17:39:47] Info: Found syslog configuration file: /etc/syslog.conf
[17:39:47] Checking for syslog configuration file [ Found ]
[17:39:47] Checking if syslog remote logging is allowed [ Not allowed ]
[17:39:47]
[17:39:47] Info: Starting test name 'filesystem'
[17:39:47] Performing filesystem checks
[17:39:47] Info: SCAN_MODE_DEV set to 'THOROUGH'
[17:39:47] Checking /dev for suspicious file types [ Warning ]
[17:39:47] Warning: Suspicious file types found in /dev:
[17:39:47] /dev/.udev/uevent_seqnum: ASCII text
[17:39:47] Checking for hidden files and directories [ Warning ]
[17:39:47] Warning: Hidden directory found: '/dev/.udev'
[17:39:47] Warning: Hidden file found: /usr/share/man/man1/..1.gz: gzip compressed data, from Unix, max compression
[17:39:47] Warning: Hidden file found: /usr/bin/.fipscheck.hmac: ASCII text
[17:39:47] Warning: Hidden file found: /usr/bin/.ssh.hmac: ASCII text
[17:39:47] Warning: Hidden file found: /usr/sbin/.sshd.hmac: ASCII text
[17:39:49] Checking version of OpenSSL [ Warning ]
[17:39:49] Warning: Application 'openssl', version '0.9.8e', is out of date, and possibly a security risk.
[17:39:49] Checking version of PHP [ OK ]
[17:39:49] Info: Application 'php' version '5.2.17' found.
[17:39:49] Checking version of Procmail MTA [ OK ]
[17:39:49] Info: Application 'procmail' version '3.22' found.
[17:39:49] Checking version of ProFTPD [ OK ]
[17:39:49] Info: Application 'proftpd' version '1.3.3c' found.
[17:39:49] Checking version of OpenSSH [ Warning ]
[17:39:50] Warning: Application 'sshd', version '4.3p2', is out of date, and possibly a security risk.
[17:39:50] Info: Applications checked: 9 out of 9
[17:00:35] /usr/bin/sha512sum [ Warning ]
[17:00:35] Warning: The file properties have changed:
[17:00:35] File: /usr/bin/sha512sum
[17:00:35] Current hash: 6a934326b709a136f57616de1a6b7244406894e6
[17:00:35] Stored hash : b42f735e8754cab4c5a017e7e3c815535ec3eedb
[17:00:35] Current size: 74660 Stored size: 75748
[17:00:36] Current file modification time: 1232519311 (21-Jan-2009 09:28:31)
[17:00:36] Stored file modification time : 1332333358 (21-Mar-2012 15:35:58)
[17:00:36] /usr/bin/size [ Warning ]
======================================================
Giúp mình fix mấy cái trên nhé !!! Mình cảm ơn nhìu lắm
|
|
|
|
|
|
|