
Security Cloudflare Sysadmin DDOS protection?

Discussion in 'System Administration' started by rc112, Apr 4, 2018.

  1. rc112 (Member)
    Hi, I used this simple and superb tool called vDDOS. Some of you may have heard of or tried it before. It is simpler than I thought but very powerful. I will create a new post about what I have got so far.

    vDDoS Proxy Protection
     
  2. eva2000 (Administrator, Staff Member)
    I haven't used vDDOS myself beyond checking some of the code. So be careful: vDDOS installs and runs its own custom nginx binary build for the nginx reverse proxy setup with the old openssl 1.0.2 branch, and it can be potentially slower than the Centmin Mod built nginx server with the openssl 1.1.0 branch. As well, the vDDOS nginx binary can also be out of date or behind in terms of nginx versions for bug and security fixes. Also, differences in openssl versions mean you may currently lose out on TLS v1.3 support once the openssl 1.1.1 final release comes out.

    Also, the install and setup code is actually masked in the installed binary at /usr/bin/vddos, so you can't inspect the actual install commands run on your server as the root user.

    I'd test vDDOS on a test server and not live server first.
     
  3. rc112 (Member)
    Yes, I saw that on LET, but maybe the author will update openssl and nginx? How to know if it is updated or not? I like it because it is quite easy to set up and run and also very good at blocking attacks based on the benchmark the author introduced. And it is almost free, it just costs another 1G RAM and 1 CPU server.
     
  4. eva2000 (Administrator, Staff Member)
    Did my first test install of vDDOS and it uses nginx 1.13.10 and openssl 1.0.2o with a python 2.7.14 source build and an nginx gunicorn config, but on CentOS 7.4 it failed to properly install the vdos nginx binary.

    My test install was on a test server with Centmin Mod 123.09beta01 with addons/auditd.sh enabled to log and try to see what vddos installs on the server, as per Centmin Mod Auditd Support Added In Latest 123.09beta01.

    Install & set up auditd with 3 additional custom auditd rules: one to check /vddos, the install directory, and another to get the /usr/bin/vddos binary. I should add one for the /opt directory as it seems stuff gets installed there, so a 2nd test run is needed.

    Code (Text):
    # update Centmin Mod to the latest 123.09beta01 code so tools/auditd.sh is present
    cmupdate
    # enable auditd support in the persistent Centmin Mod config and install/configure auditd
    echo "AUDITD_ENABLE='y'" >> /etc/centminmod/custom_config.inc
    /usr/local/src/centminmod/tools/auditd.sh setup
    # watch rules: writes/attribute changes under /vddos and /opt, executions of /usr/bin/vddos
    echo "-w /vddos -p wa -k vddos" > /etc/audit/rules.d/vddos.rules
    echo "-w /usr/bin/vddos -p x -k vddos-bin" >> /etc/audit/rules.d/vddos.rules
    echo "-w /opt -p wa -k vddos-opt" >> /etc/audit/rules.d/vddos.rules
    # load the new rules into the running audit daemon
    /usr/local/src/centminmod/tools/auditd.sh updaterules
    

    auditd vddos rule set
    Code (Text):
    cat /etc/audit/rules.d/vddos.rules                               
    -w /vddos -p wa -k vddos
    -w /usr/bin/vddos -p x -k vddos-bin
    -w /opt -p wa -k vddos-opt


    Install vddos as per duy13/vDDoS-Protection and end up with
    Code (Text):
    /usr/bin/vddos setup
    Start installing vDDoS service for the first time into /vddos
    ...Installing Prepare Package success!
    ...Installing Python success!
    ...[2018-04-07 13:12:41 +0000] [28538] [INFO] Starting gunicorn 19.7.1
    [2018-04-07 13:12:41 +0000] [28538] [INFO] Listening at: http://127.0.0.1:10101 (28538)
    [2018-04-07 13:12:41 +0000] [28538] [INFO] Using worker: sync
    [2018-04-07 13:12:41 +0000] [28546] [INFO] Booting worker with pid: 28546
    [2018-04-07 13:12:41 +0000] [28547] [INFO] Booting worker with pid: 28547
    [2018-04-07 13:12:41 +0000] [28548] [INFO] Booting worker with pid: 28548
    [2018-04-07 13:12:41 +0000] [28549] [INFO] Booting worker with pid: 28549
    [2018-04-07 13:12:41 +0000] [28550] [INFO] Booting worker with pid: 28550
    [2018-04-07 13:12:41 +0000] [28554] [INFO] Booting worker with pid: 28554
    [2018-04-07 13:12:41 +0000] [28555] [INFO] Booting worker with pid: 28555
    [2018-04-07 13:12:41 +0000] [28556] [INFO] Booting worker with pid: 28556
    [2018-04-07 13:12:42 +0000] [28557] [INFO] Booting worker with pid: 28557
    [2018-04-07 13:12:42 +0000] [28558] [INFO] Booting worker with pid: 28558
    Installing vDDoS success!

    However vdos nginx isn't properly installed, hence why you should always test on a test server first!
    Code (Text):
    /etc/init.d/vdos
    Usage: /etc/init.d/vdos {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}
    
    /etc/init.d/vdos status
    Unit vdos.service could not be found.
    
    ls -lah /etc/init.d/vdos
    -rwx------ 1 root root 1.6K Apr  2 03:30 /etc/init.d/vdos
    

    vddos nginx config check: it's missing /vddos/vddos.conf, which I assume is the nginx.conf equivalent.

    From auditd logging, somewhere in the /usr/bin/vddos setup routine it unlinked/removed /vddos/vddos.conf for some reason? But as all of the script is masked, no one can inspect the code to see what's going on!
    Code (Text):
    ausearch -k vddos | aureport -f -i | fgrep 'vddos.conf'
    32. 04/07/2018 12:56:50 /vddos/vddos.conf open yes /usr/bin/cp root 2987
    44. 04/07/2018 12:57:06 /vddos/vddos.conf unlinkat yes /usr/bin/rm root 3014

    Code (Text):
    ausearch -k vddos -f /vddos/vddos.conf
    ----
    time->Sat Apr  7 12:56:50 2018
    type=PROCTITLE msg=audit(1523105810.677:2987): proctitle=637000636F6E662F6E67696E782E636F6E66002F7664646F732F7664646F732E636F6E66
    type=PATH msg=audit(1523105810.677:2987): item=1 name="/vddos/vddos.conf" inode=37863027 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
    type=PATH msg=audit(1523105810.677:2987): item=0 name="/vddos/" inode=35571037 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
    type=CWD msg=audit(1523105810.677:2987):  cwd="/vddos/vdos"
    type=SYSCALL msg=audit(1523105810.677:2987): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe29f89759 a1=c1 a2=1a4 a3=7ffe29f86ae0 items=2 ppid=15149 pid=15150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/usr/bin/cp" key="vddos"
    ----
    time->Sat Apr  7 12:57:06 2018
    type=PROCTITLE msg=audit(1523105826.881:3014): proctitle=726D002D7266002F7664646F732F7664646F732E636F6E66
    type=PATH msg=audit(1523105826.881:3014): item=1 name="/vddos/vddos.conf" inode=37863027 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
    type=PATH msg=audit(1523105826.881:3014): item=0 name="/vddos/" inode=35571037 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
    type=CWD msg=audit(1523105826.881:3014):  cwd=2F7664646F732F76646F73202864656C6574656429
    type=SYSCALL msg=audit(1523105826.881:3014): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=258f0c0 a2=0 a3=7ffd1483d0e0 items=2 ppid=3112 pid=15170 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/usr/bin/rm" key="vddos"

    Code (Text):
    /vddos/vddos -t
    nginx: [emerg] open() "/vddos/vddos.conf" failed (2: No such file or directory)
    nginx: configuration file /vddos/vddos.conf test failed

    vdos nginx directory
    Code (Text):
    ls -lah /vddos
    total 13M
    drwxr-xr-x   8 root root 4.0K Apr  7 13:12 .
    dr-xr-xr-x. 19 root root 4.0K Apr  7 12:38 ..
    drwxr-xr-x   2 root root   74 Apr  2 03:34 attack
    drwxr-xr-x   2 root root 4.0K Apr  7 13:12 captcha
    drwxr-xr-x   3 root root 4.0K Apr  7 13:12 conf.d
    -rw-r--r--   1 root root 1.1K Apr  7 12:56 fastcgi.conf
    -rw-r--r--   1 root root 1007 Apr  7 12:56 fastcgi_params
    drwxr-xr-x   3 root root  108 Apr  7 05:07 html
    -rw-r--r--   1 root root 2.8K Apr  7 12:56 koi-utf
    -rw-r--r--   1 root root 2.2K Apr  7 12:56 koi-win
    drwxr-xr-x   3 root root   24 Apr  7 13:12 letsencrypt
    -rw-r--r--   1 root root 5.1K Apr  7 12:56 mime.types
    lrwxrwxrwx   1 root root   24 Apr  7 12:57 modules -> /usr/lib64/vddos/modules
    -rw-r--r--   1 root root 5.7K Mar 20 08:41 naxsi_core.rules
    -rw-r--r--   1 root root  636 Apr  7 12:56 scgi_params
    drwxr-x---   2 root root   58 Apr  7 12:57 ssl
    -rw-r--r--   1 root root  664 Apr  7 12:56 uwsgi_params
    -rwxr-xr-x   1 root root  13M Apr  7 12:56 vddos
    -rw-r--r--   1 root root 3.6K Apr  7 12:56 win-utf

    vdos nginx module directory missing
    Code (Text):
    ls -lah /usr/lib64/vddos/modules
    ls: cannot access /usr/lib64/vddos/modules: No such file or directory

    check auditd setup rules to see what vddos-bin and vddos auditd keys return

    For vddos-bin key
    Code (Text):
    ausearch -k vddos-bin | aureport -f -i
    
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1197
    2. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1196
    3. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1205
    4. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1206

    For vddos key
    Code (Text):
    ausearch -k vddos | aureport -f -i
    
    File Report
    ===============================================
    # date time file syscall success exe auid event
    ===============================================
    1. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1197
    2. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1196
    3. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1205
    4. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1206
    5. 04/07/2018 12:38:50 vddos mkdirat yes /usr/bin/tar root 1487
    6. 04/07/2018 12:38:50 vddos/vdos.sh openat yes /usr/bin/tar root 1488
    7. 04/07/2018 12:38:50 vddos/Python-2.7.14 mkdirat yes /usr/bin/tar root 1489
    8. 04/07/2018 12:38:50 /vddos ? yes ? root 1486
    9. 04/07/2018 12:38:53 vddos/openssl-1.0.2o mkdirat yes /usr/bin/tar root 1490
    10. 04/07/2018 12:38:54 vddos/attack mkdirat yes /usr/bin/tar root 1491
    11. 04/07/2018 12:38:54 vddos/vdos mkdirat yes /usr/bin/tar root 1492
    12. 04/07/2018 12:38:55 vddos/html mkdirat yes /usr/bin/tar root 1493
    13. 04/07/2018 12:38:55 vddos/captcha mkdirat yes /usr/bin/tar root 1494
    14. 04/07/2018 12:38:55 vddos/conf.d mkdirat yes /usr/bin/tar root 1495
    15. 04/07/2018 12:38:55 vddos fchownat yes /usr/bin/tar root 1496
    16. 04/07/2018 12:38:55 vddos fchmodat yes /usr/bin/tar root 1497
    17. 04/07/2018 12:39:53 ../ unlinkat no /usr/bin/rm root 1609
    18. 04/07/2018 12:56:50 /vddos/koi-win open yes /usr/bin/cp root 2974
    19. 04/07/2018 12:56:50 /vddos/koi-utf open yes /usr/bin/cp root 2975
    20. 04/07/2018 12:56:50 /vddos/vddos open yes /usr/bin/cp root 2973
    21. 04/07/2018 12:56:50 /vddos/win-utf open yes /usr/bin/cp root 2976
    22. 04/07/2018 12:56:50 /vddos/mime.types open yes /usr/bin/cp root 2977
    23. 04/07/2018 12:56:50 /vddos/mime.types.default open yes /usr/bin/cp root 2978
    24. 04/07/2018 12:56:50 /vddos/fastcgi_params open yes /usr/bin/cp root 2979
    25. 04/07/2018 12:56:50 /vddos/fastcgi_params.default open yes /usr/bin/cp root 2980
    26. 04/07/2018 12:56:50 /vddos/fastcgi.conf open yes /usr/bin/cp root 2981
    27. 04/07/2018 12:56:50 /vddos/fastcgi.conf.default open yes /usr/bin/cp root 2982
    28. 04/07/2018 12:56:50 /vddos/uwsgi_params open yes /usr/bin/cp root 2983
    29. 04/07/2018 12:56:50 /vddos/uwsgi_params.default open yes /usr/bin/cp root 2984
    30. 04/07/2018 12:56:50 /vddos/scgi_params open yes /usr/bin/cp root 2985
    31. 04/07/2018 12:56:50 /vddos/scgi_params.default open yes /usr/bin/cp root 2986
    32. 04/07/2018 12:56:50 /vddos/vddos.conf open yes /usr/bin/cp root 2987
    33. 04/07/2018 12:56:50 /vddos/nginx.conf.default open yes /usr/bin/cp root 2988
    34. 04/07/2018 12:57:05 /vddos mkdir no /usr/bin/mkdir root 3004
    35. 04/07/2018 12:57:05 /vddos/naxsi_core.rules rename yes /usr/bin/mv root 3005
    36. 04/07/2018 12:57:06 /vddos/vdos unlinkat yes /usr/bin/rm root 3006
    37. 04/07/2018 12:57:06 /vddos/fastcgi.conf.default unlinkat yes /usr/bin/rm root 3007
    38. 04/07/2018 12:57:06 /vddos/fastcgi_params.default unlinkat yes /usr/bin/rm root 3008
    39. 04/07/2018 12:57:06 /vddos/mime.types.default unlinkat yes /usr/bin/rm root 3009
    40. 04/07/2018 12:57:06 /vddos/nginx.conf.default unlinkat yes /usr/bin/rm root 3010
    41. 04/07/2018 12:57:06 /vddos/scgi_params.default unlinkat yes /usr/bin/rm root 3011
    42. 04/07/2018 12:57:06 /vddos/uwsgi_params.default unlinkat yes /usr/bin/rm root 3012
    43. 04/07/2018 12:57:06 /vddos/openssl-1.0.2o unlinkat yes /usr/bin/rm root 3013
    44. 04/07/2018 12:57:06 /vddos/vddos.conf unlinkat yes /usr/bin/rm root 3014
    45. 04/07/2018 12:57:06 /etc/init.d/vdos rename yes /usr/bin/mv root 3015
    46. 04/07/2018 12:57:06 /vddos mkdir no /usr/bin/mkdir root 3016
    47. 04/07/2018 12:57:06 ssl mkdir yes /usr/bin/mkdir root 3017
    48. 04/07/2018 12:57:07 /opt/Python-2.7.14 rename yes /usr/bin/mv root 

    direct check of /vddos/vddos binary
    Also the vddos nginx proxy runs as the vddos system user, so it already loses out on a lot of Centmin Mod Nginx's scaling optimisations to handle higher levels of concurrent load.

    Hence why you should always test on a test server first!

    Update: it seems @duy13 designed vddos that way to remove /vddos/vddos.conf, and the nginx service isn't used, according to failed to install vddos nginx on centos 7 · Issue #22 · duy13/vDDoS-Protection, as duy13 created a separate testcookie implementation for Centmin Mod which I haven't tried yet.
     
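The hex blobs in the raw ausearch records above (proctitle= in both events, cwd= in the second) are how auditd stores any field whose value contains a space, quote or non-printable byte; `ausearch -i` decodes them on a live server. What follows is an added example, not eva2000's script and not part of the vDDoS project: it decodes those fields offline from the two records copied from the post and reconstructs the command lines the masked /usr/bin/vddos installer ran as root, which is exactly the visibility an opaque installer otherwise denies you. The set of fields it decodes and the report layout are the editor's choices.

```python
"""Reconstruct what a masked installer did from raw auditd records.

Added example (editor's code, not eva2000's script or part of vDDoS). auditd
hex-encodes a field whose value holds a space, quote or non-printable byte; that
is why proctitle= is always hex and why the cwd= of the rm event is hex as well.
Decoding them recovers the exact command lines /usr/bin/vddos ran as root.
"""
import re
import sys
from collections import defaultdict

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Fields auditd may hex-encode. Syscall args a0..a3 are hex by nature and are left as-is.
ENCODED_FIELDS = {"proctitle", "cwd", "name", "comm", "exe", "key"}

# Two events copied verbatim from the ausearch output in the post above.
SAMPLE = """\
----
time->Sat Apr  7 12:56:50 2018
type=PROCTITLE msg=audit(1523105810.677:2987): proctitle=637000636F6E662F6E67696E782E636F6E66002F7664646F732F7664646F732E636F6E66
type=PATH msg=audit(1523105810.677:2987): item=1 name="/vddos/vddos.conf" inode=37863027 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1523105810.677:2987): item=0 name="/vddos/" inode=35571037 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1523105810.677:2987):  cwd="/vddos/vdos"
type=SYSCALL msg=audit(1523105810.677:2987): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe29f89759 a1=c1 a2=1a4 a3=7ffe29f86ae0 items=2 ppid=15149 pid=15150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/usr/bin/cp" key="vddos"
----
time->Sat Apr  7 12:57:06 2018
type=PROCTITLE msg=audit(1523105826.881:3014): proctitle=726D002D7266002F7664646F732F7664646F732E636F6E66
type=PATH msg=audit(1523105826.881:3014): item=1 name="/vddos/vddos.conf" inode=37863027 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1523105826.881:3014): item=0 name="/vddos/" inode=35571037 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1523105826.881:3014):  cwd=2F7664646F732F76646F73202864656C6574656429
type=SYSCALL msg=audit(1523105826.881:3014): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=258f0c0 a2=0 a3=7ffd1483d0e0 items=2 ppid=3112 pid=15170 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/usr/bin/rm" key="vddos"
"""


def decode_field(name, value):
    """Unquote a quoted value or hex-decode an encoded one; argv NULs in proctitle become spaces."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    if name in ENCODED_FIELDS and HEX_RE.match(value):
        raw = bytes.fromhex(value).rstrip(b"\x00")
        return raw.decode("utf-8", "replace").replace("\x00", " ")
    return value


def parse_records(text):
    """Yield (record_type, serial, fields) per type= line; ausearch separators are skipped."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, tail = m.groups()
        yield rtype, int(serial), {k: decode_field(k, v) for k, v in FIELD_RE.findall(tail)}


def reconstruct_events(text):
    """Group records by serial: one dict per event with cmd, cwd, exe, auid and touched paths."""
    events = defaultdict(lambda: {"cmd": None, "cwd": None, "exe": None, "auid": None, "paths": []})
    for rtype, serial, f in parse_records(text):
        ev = events[serial]
        if rtype == "PROCTITLE":
            ev["cmd"] = f.get("proctitle")  # the kernel keeps at most 128 bytes of argv here
        elif rtype == "CWD":
            ev["cwd"] = f.get("cwd")
        elif rtype == "SYSCALL":
            ev["exe"], ev["auid"] = f.get("exe"), f.get("auid")
        elif rtype == "PATH":
            ev["paths"].append((int(f["item"]), f.get("name"), f.get("objtype")))
    for ev in events.values():
        ev["paths"] = [(name, objtype) for _, name, objtype in sorted(ev["paths"])]
    return dict(events)


def describe(events):
    """One line per event: login uid, working dir, binary, reconstructed argv, files created/deleted."""
    lines = []
    for serial in sorted(events):
        ev = events[serial]
        touched = ", ".join(f"{o} {n}" for n, o in ev["paths"] if o != "PARENT")
        lines.append(f"{serial}: auid={ev['auid']} cwd={ev['cwd']!r} exe={ev['exe']} "
                     f"cmd={ev['cmd']!r} -> {touched}")
    return lines


if __name__ == "__main__":
    # Pipe `ausearch -k vddos` output in on stdin, or run with no input to decode the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(describe(reconstruct_events(text))))
```

Decoded, serial 2987 is `cp conf/nginx.conf /vddos/vddos.conf` run from /vddos/vdos, and serial 3014 is `rm -rf /vddos/vddos.conf` run from a cwd that was itself already deleted (the earlier unlink of /vddos/vdos in the file report). proctitle is capped at 128 bytes by the kernel; to capture the full argv of every child the installer spawns, add an execve syscall rule such as `-a always,exit -F arch=b64 -S execve -F euid=0 -k rootexec` alongside the -w watches, whose EXECVE records carry each argument as a0=, a1= and so on.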
  5. pamamolf (Premium Member)
    Wondering how it is possible to mask a script so users are not able to see what it does?

    How do they do that?

    I thought on Linux everything is visible....
     
  6. eva2000 (Administrator, Staff Member)
    Bash scripts can be masked; I do this for some of the monitoring and analysis scripts I use for paid client work :) See if you can google-fu for the info ;)
     
  7. Oxide (Active Member)
    CloudFlare is the best alternative, and it's also free. Sucuri or other services are rip-off versions of CloudFlare.

    CloudFlare also has the biggest global network and CDN. Providers like Sucuri rent servers from other third parties like OVH.
     
  8. eva2000 (Administrator, Staff Member)
    It seems @duy13 designed vddos that way to remove /vddos/vddos.conf, and the nginx service isn't used, according to failed to install vddos nginx on centos 7 · Issue #22 · duy13/vDDoS-Protection, as duy13 created a separate testcookie implementation for Centmin Mod which I haven't tried yet
    yeah Sucuri isn't as fast as Cloudflare
     
  9. robert syputa (Member)
    Many VPS hosts provide DOS... or they advertise that they provide it. However, I don't know how to judge how well a VPS or other host DOS works.
     
  10. robert syputa (Member)
    The use of a broad-pipe service such as CloudFlare can find attacks that occur across a large number of IPs but offer no real advantage over CSF for site-specific or limited IP range attacks. CSF has DOS capability but it relies on hits on your IP/domain. It has distributed DOS as well, however, that requires more repetitive hits on the IP than a broad-pipe has the bandwidth to sniff out as it can see the same IPs hitting the multiple hosted IPs. Tight settings in CSF distributed DOS could cause dropping of legitimate visitors/subscribers.
     
  11. eva2000 (Administrator, Staff Member)
    Unfortunately very true, as banning based upon IP address won't work 100% due to IP spoofing and shared IP usage.
     
  12. pamamolf (Premium Member)
    Checking on Google I found only the sch script, but as far as I can see it is very easy to crack it and get the source code, so I didn't find anything good :)
     
  13. robert syputa (Member)
    Thus far I have not had a DOS or DDOS attack that ConfigServer Firewall (CSF) didn't prevent. I have noticed what looked like a DDOS attempt - a high volume of hits on a particular port or multiple ports from a block of IPs or originating from one country. But this wasn't a performance problem before the IPs were dropped/banned. The host VPS advertises DOS/DDOS but I can't see the log reports to see if it's working. All I do now is occasionally review the logs to see if something unusual is happening.
     
  14. rc112 (Member)
    @eva2000 Thank you so much for your deep investigation on this. Looks like the author has updated nginx and openssl. Besides, I think this is the best and almost free solution against DDOS. I can work with Cloudflare (free/paid). Cloudflare supports unlimited bandwidth with layer 4 and vDDOS can handle layer 7.

    It also supports layer 3/4 blocking with an additional addon.
    duy13/vDDoS-Layer4-Mapping

    Even though I got a 404 error after finishing the reCAPTCHA verification, and I haven't got a reply from the author yet.

    Another useful tool: VDSTAT in his github which can help identify the attacker ip.
     
  15. eva2000 (Administrator, Staff Member)
    Nice. It should be relatively easy to whip up a script for Centmin Mod servers, i.e. I just wrote netstat-info.sh at netstat display info for centminmod.com. It properly accounts for servers with more than one network card too. Will update to add network packets in/out too :)

    Code (Text):
    curl -sL https://gist.github.com/centminmod/73b730edaa13b636c87ae4b63cdafeea/raw/netstat-info.sh | bash
    
    Network Bandwidth In/Out (KB/s):
    eth0  In:  0.05  Out:  0.00
    eth1  In:  0.00  Out:  0.00
    eth2  In:  0.00  Out:  0.00
    
    Network Packets   In/Out (pps):
    eth0  In:  1.00  Out:  1.00
    eth1  In:  0.00  Out:  0.00
    eth2  In:  0.00  Out:  0.00
    
    Total Connections For:
    Port 80:   1
    Port 443:  1
    
    Unique IP Connections For:
    Port 80:   0
    Port 443:  0
    
    Established Connections For:
    Port 80:   0
    Port 443:  0
    
    TIME_WAIT Connections For:
    Port 80:   0
    Port 443:  0
    
    Top IP Address Connections:
    1  127.0.0.1        localhost
    
     
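The counts netstat-info.sh prints (total, unique-IP, established and TIME_WAIT connections per port, top peers) are the first thing you look at to tell a SYN flood (many half-open SYN-RECV sockets from many unique IPs) from a single abusive client (many connections from one IP). As an added example, and not the gist's own code, the script below computes the same kind of summary from `ss -tn` output and runs offline on a constructed sample; the IPv6 bracket handling, the `noisy_peers` threshold helper and the report layout are the editor's assumptions, not anything taken from the gist.

```python
"""Per-port TCP connection summary in the spirit of netstat-info.sh.

Added example (editor's code, not the netstat-info.sh gist). It parses `ss -tn`
output (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) so the
counting logic is testable offline on the constructed lines below; main() runs
it against the live socket table.
"""
import subprocess
from collections import Counter

# Constructed sample in `ss -tn` format using documentation address ranges; not real traffic.
SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      203.0.113.10:443     198.51.100.7:51234
ESTAB      0      0      203.0.113.10:443     198.51.100.7:51235
SYN-RECV   0      0      203.0.113.10:443     192.0.2.99:1111
TIME-WAIT  0      0      203.0.113.10:80      192.0.2.44:40001
ESTAB      0      0      203.0.113.10:80      192.0.2.44:40002
ESTAB      0      0      [2001:db8::10]:443   [2001:db8:1::7]:33000
ESTAB      0      0      203.0.113.10:22      198.51.100.7:60000
"""


def split_hostport(addr):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); '[2001:db8::1]:443' -> ('2001:db8::1', 443).
    Returns None when there is no numeric port (header words, '*:*' listeners)."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Yield (state, local_ip, local_port, peer_ip, peer_port) for each connection line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        local, peer = split_hostport(parts[3]), split_hostport(parts[4])
        if local is None or peer is None:
            continue
        yield parts[0], local[0], local[1], peer[0], peer[1]


def summarize(text, ports=(80, 443), top=5):
    """Per-port totals, unique peers and state counts, plus the busiest peer IPs overall."""
    conns = list(parse_ss(text))
    summary = {}
    for port in ports:
        on_port = [c for c in conns if c[2] == port]
        states = Counter(c[0] for c in on_port)
        summary[port] = {
            "total": len(on_port),
            "unique_ips": len({c[3] for c in on_port}),
            "established": states["ESTAB"],
            "syn_recv": states["SYN-RECV"],   # half-open; many of these from many IPs -> SYN flood
            "time_wait": states["TIME-WAIT"],
        }
    summary["top_peers"] = Counter(c[3] for c in conns).most_common(top)
    return summary


def noisy_peers(text, threshold):
    """Peer IPs holding more than `threshold` connections: the per-IP count a firewall
    connection-limit rule keys on. The threshold is an illustrative knob, not a recommendation."""
    counts = Counter(c[3] for c in parse_ss(text))
    return [(ip, n) for ip, n in counts.most_common() if n > threshold]


def render(summary):
    """Text report laid out like netstat-info.sh's output."""
    out = []
    for key, label in (("total", "Total"), ("unique_ips", "Unique IP"),
                       ("established", "Established"), ("syn_recv", "SYN_RECV"),
                       ("time_wait", "TIME_WAIT")):
        out.append(f"{label} Connections For:")
        for port, stats in summary.items():
            if isinstance(port, int):
                out.append(f"  Port {port}: {stats[key]}")
    out.append("Top IP Address Connections:")
    out.extend(f"  {n}  {ip}" for ip, n in summary["top_peers"])
    return "\n".join(out)


if __name__ == "__main__":
    live = subprocess.run(["ss", "-tn"], capture_output=True, text=True, check=True).stdout
    print(render(summarize(live)))
```

On the sample, port 443 shows 4 connections from 3 peers with one half-open SYN-RECV, and `noisy_peers(SAMPLE, 2)` singles out 198.51.100.7 as the only address holding more than two sockets. The same distinction is what makes per-IP banning (as discussed later in the thread) good against a single noisy client and weak against a distributed flood where every peer stays under the threshold.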
  17. robert syputa (Member)
    I have read that many VPS service providers have put a DDOS shield in place because they find that this reduces the ticket requests from their clients and is relatively easy to provide on KVM, LXC etc. VPS. My personal experience has been that the VPS providers now provide this as a standard feature.

    The thread is about Cloudflare and DOS/DDOS. However, the alternative is to use a VPS with DDOS combined with CSF and WP or another application-based firewall. I have not used CloudFlare for a few years but had found it to have problems and I like to have more control... or think that I have more control. 'If it ain't broke, don't fix it' - until I run into a DOS/DDOS problem that is not handled by the combination of the VPS host DDOS, CDN DDOS as used for specific classes of content, CSF with limited open ports, and wp and other applications firewalls I won't use Cloudflare.

    Some blogs point out that use of a single approach, such as a generalized use of content delivery networks, can be problematic: 5 common misconceptions about DDoS protection | ITProPortal

    This points out that a multi-layered approach is needed. CDN has the benefit of seeing a big pipe of traffic. However, that can cause its own problems of not being able to spot selective DDOS attacks. DDOS attacks can be either broadly targeted or selectively targeted. If selectively targeted, say at sites that have been spidered to determine the use of a specific app such as Wordpress, that may go undetected by CDN or other broad pipe protection scheme.

    I suggest a combination of server-based/HOST DDOS, CSF or another server firewall, Clamav (see centminmod addons folder) then consider use of CDN that provides the best performance and app-specific firewalls and file monitoring.
     
  18. eva2000 (Administrator, Staff Member)
    Yeah, having a VPS or dedicated server with native DDOS protection helps, but remember not all DDOS mitigation solutions are created equal. I know that BuyVM.net's DDOS protection is one of the better ones for VPSes (my referral link :)). BuyVM is very much unmanaged, so expect no support other than for network or server hardware related issues.

    • BuyVM - DDoS Protection - make sure the DDOS protected IP is not the primary IP on the BuyVM VPS server but the secondary IP, as the primary IP needs to be the non-DDOS protected one. So in Centmin Mod 123.09beta01, you'll need to make use of the SECOND_IP variable to set the DDOS protected IP as SECOND_IP for default nginx vhost creation: Upgrade - Nginx - Redis - Insight Guide - Adding Additional IP Addresses
    • gre_tunnel [Frantech/BuyVM Wiki] instructions are more geared to debian/ubuntu as opposed to centos. I am using BuyVM.net DDOS protection remotely via a GRE tunnel setup in combination with Sucuri for layer 7 via cloudproxy. If you're doing GRE tunneling I would test on test servers first until you get it right, otherwise you could screw up your live production servers. Took me a few attempts to get it right on test VPS servers with Sucuri cloudproxy for layer 7, and any leaked IP attacks BuyVM DDOS protection should handle, i.e. Xenforo HTTP forward proxy for proxied images. BuyVM.net will not provide any support as they're unmanaged, so you need to figure it out yourself. BuyVM.net DDOS protection can also do a layer 7 HTTP reverse proxy like Sucuri, but it was much slower on the front end visiting the site/forums than Sucuri cloudproxy. But most folks won't need to use GRE tunnels if their origin site is on a BuyVM DDOS protected VPS. It's only needed if you want to use a BuyVM DDOS Protected VPS IP to protect a remote server hosted on Linode etc :)
    • Also beware of a bug in BuyVM centos templates where you are unable to SSH into the server after a fresh OS install/reinstall due to the networking service defaulting to off instead of on. See BuyVM.net - Benchmarks - BuyVM.net New KVM Plans on Intel Xeon E3-1270v3 Host Nodes!. Not sure if that has been fixed as I only have a few BuyVM VPSes running.
    Old BuyVM.net Slices VPS review at BuyVM.net - Benchmarks - BuyVM.net New KVM Plans on Intel Xeon E3-1270v3 Host Nodes!. Unfortunately, it can get expensive if you want at least a 2 cpu core KVM Slices VPS. 1/4 and 1/2 core Slices are probably not enough cpu share time for any moderately busy server from my experience, so at least 1 or 2 cpu cores are really needed. So an 8192MB Slice KVM VPS with 160GB SSD + DDOS protected IP would be 30 + 3 = US$33/month

     
  19. robert syputa (Member)
    Thanks Eva! Very useful information. I will put it into my toolbox.
     
  20. Silv3er (New Member)
    I have used Sucuri for 8 months. I am the founder of a big forum and I was the target of layer 7 attacks very often. Since I combined Cloudflare with Sucuri, my forum is no longer DDOSed at layer 7.

    I use Sucuri Website Firewall | WAF and Website Malware Protection. The $9.99 plan is more than enough to block layer 7 DDOS!!

    Sincerely
     