DOS prevention

Andrew Beals andrew.beals at gmail.com
Mon Mar 18 15:12:43 CDT 2013


If you expose a WordPress or a Windows server in their default settings to
the 'net and don't keep on top of every single patch offered that's
relevant to what you expose, you're asking to be descended upon.

Sophos is claiming that White Hat researchers are keeping the Script
Kiddies in the game:
http://nakedsecurity.sophos.com/2012/12/05/web-exploit-kits-whitehat/


On Mon, Mar 18, 2013 at 3:07 PM, Mark Hutchings <mark.hutchings at gmail.com> wrote:

>  Speaking of which, if you're running any kind of script on your site
> (WordPress, etc) make sure it is up to date.  If there is a 0-day exploit
> out for it, the script kiddies are going down the list on Google searching
> for "Powered by WordPress" and seeing if your server is open to exploits.
> Most of the time this isn't caused by a single IP address, it's usually a
> botnet from around the world, but sometimes it can be.
>
> Any way you could post some of the logs?  Like show what kind of http
> request they were making?
>
> On 3/18/2013 3:01 PM, Andrew Beals wrote:
>
> If his pipe is full, then he has bigger problems than that which J. Random
> Unix Jock can explain over a mass e-mail.  Especially when yum knows not of
> fail2ban.
>
> Serving 404 pages to script kiddies shouldn't Bork a server. It shouldn't
> even put an appreciable load on it. Script kiddies are here to stay, thanks
> to the fringe members of the "information should be free" crowd.  (Just as
> an example, there appear to be about 1.6k copies of The Anarchist Cookbook
> out there, ready for downloading.)
>
> Andy
> Ps. There are too many kittens - please spay/neuter your pets.
>
> Any typos are the direct result of Swiftkey X's autocorrect function.
> On Mar 18, 2013 2:40 PM, "Billy Crook" <billycrook at gmail.com> wrote:
>
>> Every time you use a route table as a firewall, God kills a kitten.
>>
>> If you want a firewall, use..... a firewall.  iptables is the command.
>>
>> If you want something that scales, and won't require your time to
>> maintain a shitlist of IPs; use fail2ban, and it will manage the list
>> per your specifications.
>>
>> Most likely, your DoS is apache-local.  i.e. they aren't actually
>> flooding your entire pipe.  If you use fail2ban/iptables, this should
>> fix you right up.
>>
>> If they are flooding your actual pipe, you need to apply the filter on
>> the far end of your pipe.  i.e. Get your ISP (or a new ISP) that will
>> let you administer an ACL on the router on THEIR side of your line.
>> Or get a DDoS prevention service.  Blocking on the SonicWall will
>> have NO effect on a flood if the SonicWall is at the same site as the
>> targeted server.
>>
>> Fail2ban can integrate with this remote filtering too.  You simply
>> modify fail2ban's 'action' to call a script that adds the IP upstream.
>>
>> On Mon, Mar 18, 2013 at 2:27 PM, Andrew Beals <andrew.beals at gmail.com>
>> wrote:
>> > If they're coming from just the single IP, then black-hole'ing their IP
>> > is easier.  If the address they're coming from is 128.115.1.1, then simply
>> > paste this at a shell prompt and give it your password when sudo asks
>> > for it:
>> >
>> > sudo route add 128.115.1.1 gw 127.0.0.1 lo
>> >
>> > This will cause all packets destined to go back to them to get dropped
>> > on the floor and should be sufficient.  You'd really prefer to do this (or
>> > just add them to the naughty list which is something that I believe the SW
>> > can do, even with ancient builds of their SW) on your SonicWall box, but
>> > you can get away with doing it on your server.
>> >
>> > Adding an iptables rule (again, if you can't convince your SW to just drop
>> > packets from them) is more efficient, of course, but it's hairier to
>> > set up.
>> >
>> >
>> >
>> > On Mon, Mar 18, 2013 at 2:19 PM, J. Wade Michaelis
>> > <jwade at userfriendlytech.net> wrote:
>> >>
>> >> I have a CentOS web server that has recently been brought to a halt on
>> >> two separate occasions.  Checking the access.log, it appears that it was a
>> >> Denial of Service (DOS) attack (hundreds of HTTP requests in a very
>> >> short time, all from a single IP address).
>> >>
>> >> I want to prevent these types of attacks from bringing the server to
>> >> its knees.  We have a hardware firewall (SonicWall) in place, but it isn't
>> >> quite new enough to run the firmware that allows rate-limiting.
>> >>
>> >> I have found a number of tutorials that show how to do this type of
>> >> thing with IPTABLES.  Is there a better solution?
>> >>
>> >> Supposing I go with IPTABLES, do I need to include rules to allow FTP
>> >> and SSH (the only other services on the server)?
>> >>
>> >> Would any of you be willing to assist me with this?
>> >>
>> >> Thanks,
>> >> ~ j.
>> >> jwade at userfriendlytech.net
>> >>
>> >> _______________________________________________
>> >> KCLUG mailing list
>> >> KCLUG at kclug.org
>> >> http://kclug.org/mailman/listinfo/kclug
>> >
>> >
>> >
>>
>
>
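The flood J. Wade describes (hundreds of requests in a short window from one IP) and the fail2ban approach Billy recommends both come down to the same check: count requests per client over a sliding window and ban whoever crosses a threshold. The script below is an added example, not code from the thread or from fail2ban; it runs that check over a constructed access.log sample (RFC 5737 documentation addresses, made-up timestamps) and prints the equivalent iptables DROP rule instead of executing anything. The thresholds (5 requests in 10 seconds) are deliberately low for the sample and are an assumption, not a recommendation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/Combined Log Format prefix: client IP, ident, user, [timestamp] ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one host hammering wp-login.php, one ordinary visitor,
# plus a junk line to make sure the parser skips it instead of crashing.
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Mar/2013:14:55:0{i} -0500] "GET /wp-login.php HTTP/1.1" 404 209'
    for i in range(8)
] + [
    '198.51.100.20 - - [18/Mar/2013:14:55:02 -0500] "GET / HTTP/1.1" 200 5120',
    '198.51.100.20 - - [18/Mar/2013:14:56:40 -0500] "GET /about HTTP/1.1" 200 3311',
    'not a log line',
]

def parse_line(line):
    """Return (client_ip, timestamp) or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT)) if m else None

def find_flooders(lines, max_requests=5, window_seconds=10):
    """Map IP -> time it first exceeded max_requests within window_seconds.
    Like fail2ban's maxretry/findtime; assumes lines are in log order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip unparseable lines rather than crash
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # drop requests that aged out of the window
        if len(window) > max_requests and ip not in offenders:
            offenders[ip] = ts
    return offenders

def block_rule(ip):
    """Plain iptables rule equivalent to what a fail2ban ban action applies."""
    return f"iptables -I INPUT -s {ip} -j DROP"

if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}: {block_rule(ip)}")
```

On a real server the rule would go into fail2ban's own chain (or the SonicWall's block list, as Andrew suggests) rather than being inserted by hand, and the thresholds would be tuned against normal traffic for the site.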