Security Cloudflare Sysadmin DDOS protection?

rc112 · Apr 7, 2018

Hi I used this simple and superb tool called vDDOS. Some of you may heard of or tried it before. It is simple than I think but very powerful. I will create a new post about what I got so far.

vDDoS Proxy Protection

eva2000 · Apr 7, 2018

rc112 said: ↑

Hi I used this simple and superb tool called vDDOS. Some of you may heard of or tried it before. It is simple than I think but very powerful. I will create a new post about what I got so far.

vDDoS Proxy Protection
Click to expand...

I haven't used vDDOS myself beyond checking some of the code. So be careful vDDOS installs and runs it's own custom nginx binary build for nginx reverse proxy setup with old openssl version 1.0.2 branch and it can be potentially slower than Centmin Mod build nginx server with openssl version 1.1.0 branch as well the vDDOS nginx binary can also be out of date or behind in terms of nginx versions for bug and security fixes. Also differences in openssl versions also means you may currently loose out on TLS v1.3 support once openssl 1.1.1 final release comes out.

Also install and setup code is actually masked in installed binary at /usr/bin/vddos so you can't inspect the actual install/commands run on your server as root user.

I'd test vDDOS on a test server and not live server first.

rc112 · Apr 7, 2018

eva2000 said: ↑

I haven't used vDDOS myself beyond checking some of the code. So be careful vDDOS installs and runs it's own custom nginx binary build for nginx reverse proxy setup with old openssl version 1.0.2 branch and it can be potentially slower than Centmin Mod build nginx server with openssl version 1.1.0 branch as well the vDDOS nginx binary can also be out of date or behind in terms of nginx versions for bug and security fixes. Also differences in openssl versions also means you may currently loose out on TLS v1.3 support once openssl 1.1.1 final release comes out. I'd test vDDOS on a test server and not live server first.
Click to expand...

yes, I saw that on LET but maybe the author will update openssl and nginx? How to know if it is updated or not? I like it is because it is quite easy to setup up and run also very good at blocking attack based on the benchmark the author introduced. And it is almost free, just cost another 1G RAM and 1CPU server.

eva2000 · Apr 7, 2018

Did my first test install of vDDOS and it uses nginx 1.13.10 and openssl 1.0.2o with python source build 2.7.14 with nginx gunicorn config but on CentOS 7.4 it failed to properly install vdos nginx binary

my test install on test server with centmin mod 123.09beta01 with addons/auditd.sh enabled to log and try and see what vddos installs on server as per Centmin Mod Auditd Support Added In Latest 123.09beta01

install & setup auditd with 3 additional custom auditd rules for check /vddos the install directory and another to get /usr/bin/vddos binary - i should add one for /opt directory as seems stuff gets installed there so a 2nd test run is needed

Code (Text):

cmupdate
echo "AUDITD_ENABLE='y'" >> /etc/centminmod/custom_config.inc
/usr/local/src/centminmod/tools/auditd.sh setup
echo "-w /vddos -p wa -k vddos" > /etc/audit/rules.d/vddos.rules
echo "-w /usr/bin/vddos -p x -k vddos-bin" >> /etc/audit/rules.d/vddos.rules
echo "-w /opt -p wa -k vddos-opt" >> /etc/audit/rules.d/vddos.rules
/usr/local/src/centminmod/tools/auditd.sh updaterules

auditd vddos rule set

Code (Text):

cat /etc/audit/rules.d/vddos.rules                               
-w /vddos -p wa -k vddos
-w /usr/bin/vddos -p x -k vddos-bin
-w /opt -p wa -k vddos-opt

Install vddos as per duy13/vDDoS-Protection and end up with

Code (Text):

/usr/bin/vddos setup
Start installing vDDoS service for the first time into /vddos
...Installing Prepare Package success!
...Installing Python success!
...[2018-04-07 13:12:41 +0000] [28538] [INFO] Starting gunicorn 19.7.1
[2018-04-07 13:12:41 +0000] [28538] [INFO] Listening at: http://127.0.0.1:10101 (28538)
[2018-04-07 13:12:41 +0000] [28538] [INFO] Using worker: sync
[2018-04-07 13:12:41 +0000] [28546] [INFO] Booting worker with pid: 28546
[2018-04-07 13:12:41 +0000] [28547] [INFO] Booting worker with pid: 28547
[2018-04-07 13:12:41 +0000] [28548] [INFO] Booting worker with pid: 28548
[2018-04-07 13:12:41 +0000] [28549] [INFO] Booting worker with pid: 28549
[2018-04-07 13:12:41 +0000] [28550] [INFO] Booting worker with pid: 28550
[2018-04-07 13:12:41 +0000] [28554] [INFO] Booting worker with pid: 28554
[2018-04-07 13:12:41 +0000] [28555] [INFO] Booting worker with pid: 28555
[2018-04-07 13:12:41 +0000] [28556] [INFO] Booting worker with pid: 28556
[2018-04-07 13:12:42 +0000] [28557] [INFO] Booting worker with pid: 28557
[2018-04-07 13:12:42 +0000] [28558] [INFO] Booting worker with pid: 28558
Installing vDDoS success!

however vdos nginx isn't properly installed hence why you should always test on test server first !

Code (Text):

/etc/init.d/vdos
Usage: /etc/init.d/vdos {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}

/etc/init.d/vdos status
Unit vdos.service could not be found.

ls -lah /etc/init.d/vdos
-rwx------ 1 root root 1.6K Apr  2 03:30 /etc/init.d/vdos

vddos nginx config check, it's missing /vddos/vddos.conf which is i assume the nginx.conf equivalent

from auditd logging somewhere in /usr/bin/vddos setup routine it unlink removed /vddos/vddos.conf for some reason ? but as all of the script is masked no one can inspect code to see what's going on !

Code (Text):

ausearch -k vddos | aureport -f -i | fgrep 'vddos.conf'
32. 04/07/2018 12:56:50 /vddos/vddos.conf open yes /usr/bin/cp root 2987
44. 04/07/2018 12:57:06 /vddos/vddos.conf unlinkat yes /usr/bin/rm root 3014

Code (Text):

ausearch -k vddos -f /vddos/vddos.conf
----
time->Sat Apr  7 12:56:50 2018
type=PROCTITLE msg=audit(1523105810.677:2987): proctitle=637000636F6E662F6E67696E782E636F6E66002F7664646F732F7664646F732E636F6E66
type=PATH msg=audit(1523105810.677:2987): item=1 name="/vddos/vddos.conf" inode=37863027 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=CREATE
type=PATH msg=audit(1523105810.677:2987): item=0 name="/vddos/" inode=35571037 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1523105810.677:2987):  cwd="/vddos/vdos"
type=SYSCALL msg=audit(1523105810.677:2987): arch=c000003e syscall=2 success=yes exit=4 a0=7ffe29f89759 a1=c1 a2=1a4 a3=7ffe29f86ae0 items=2 ppid=15149 pid=15150 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="cp" exe="/usr/bin/cp" key="vddos"
----
time->Sat Apr  7 12:57:06 2018
type=PROCTITLE msg=audit(1523105826.881:3014): proctitle=726D002D7266002F7664646F732F7664646F732E636F6E66
type=PATH msg=audit(1523105826.881:3014): item=1 name="/vddos/vddos.conf" inode=37863027 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=DELETE
type=PATH msg=audit(1523105826.881:3014): item=0 name="/vddos/" inode=35571037 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT
type=CWD msg=audit(1523105826.881:3014):  cwd=2F7664646F732F76646F73202864656C6574656429
type=SYSCALL msg=audit(1523105826.881:3014): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=258f0c0 a2=0 a3=7ffd1483d0e0 items=2 ppid=3112 pid=15170 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="rm" exe="/usr/bin/rm" key="vddos"

Code (Text):

/vddos/vddos -t
nginx: [emerg] open() "/vddos/vddos.conf" failed (2: No such file or directory)
nginx: configuration file /vddos/vddos.conf test failed

vdos nginx directory

Code (Text):

ls -lah /vddos
total 13M
drwxr-xr-x   8 root root 4.0K Apr  7 13:12 .
dr-xr-xr-x. 19 root root 4.0K Apr  7 12:38 ..
drwxr-xr-x   2 root root   74 Apr  2 03:34 attack
drwxr-xr-x   2 root root 4.0K Apr  7 13:12 captcha
drwxr-xr-x   3 root root 4.0K Apr  7 13:12 conf.d
-rw-r--r--   1 root root 1.1K Apr  7 12:56 fastcgi.conf
-rw-r--r--   1 root root 1007 Apr  7 12:56 fastcgi_params
drwxr-xr-x   3 root root  108 Apr  7 05:07 html
-rw-r--r--   1 root root 2.8K Apr  7 12:56 koi-utf
-rw-r--r--   1 root root 2.2K Apr  7 12:56 koi-win
drwxr-xr-x   3 root root   24 Apr  7 13:12 letsencrypt
-rw-r--r--   1 root root 5.1K Apr  7 12:56 mime.types
lrwxrwxrwx   1 root root   24 Apr  7 12:57 modules -> /usr/lib64/vddos/modules
-rw-r--r--   1 root root 5.7K Mar 20 08:41 naxsi_core.rules
-rw-r--r--   1 root root  636 Apr  7 12:56 scgi_params
drwxr-x---   2 root root   58 Apr  7 12:57 ssl
-rw-r--r--   1 root root  664 Apr  7 12:56 uwsgi_params
-rwxr-xr-x   1 root root  13M Apr  7 12:56 vddos
-rw-r--r--   1 root root 3.6K Apr  7 12:56 win-utf

vdos nginx module directory missing

Code (Text):

ls -lah /usr/lib64/vddos/modules
ls: cannot access /usr/lib64/vddos/modules: No such file or directory

check auditd setup rules to see what vddos-bin and vddos auditd keys return

For vddos-bin key

Code (Text):

ausearch -k vddos-bin | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1197
2. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1196
3. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1205
4. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1206

For vddos key

Code (Text):

ausearch -k vddos | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1197
2. 04/07/2018 12:27:58 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1196
3. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1205
4. 04/07/2018 12:31:31 /lib64/ld-linux-x86-64.so.2 execve yes /usr/bin/vddos root 1206
5. 04/07/2018 12:38:50 vddos mkdirat yes /usr/bin/tar root 1487
6. 04/07/2018 12:38:50 vddos/vdos.sh openat yes /usr/bin/tar root 1488
7. 04/07/2018 12:38:50 vddos/Python-2.7.14 mkdirat yes /usr/bin/tar root 1489
8. 04/07/2018 12:38:50 /vddos ? yes ? root 1486
9. 04/07/2018 12:38:53 vddos/openssl-1.0.2o mkdirat yes /usr/bin/tar root 1490
10. 04/07/2018 12:38:54 vddos/attack mkdirat yes /usr/bin/tar root 1491
11. 04/07/2018 12:38:54 vddos/vdos mkdirat yes /usr/bin/tar root 1492
12. 04/07/2018 12:38:55 vddos/html mkdirat yes /usr/bin/tar root 1493
13. 04/07/2018 12:38:55 vddos/captcha mkdirat yes /usr/bin/tar root 1494
14. 04/07/2018 12:38:55 vddos/conf.d mkdirat yes /usr/bin/tar root 1495
15. 04/07/2018 12:38:55 vddos fchownat yes /usr/bin/tar root 1496
16. 04/07/2018 12:38:55 vddos fchmodat yes /usr/bin/tar root 1497
17. 04/07/2018 12:39:53 ../ unlinkat no /usr/bin/rm root 1609
18. 04/07/2018 12:56:50 /vddos/koi-win open yes /usr/bin/cp root 2974
19. 04/07/2018 12:56:50 /vddos/koi-utf open yes /usr/bin/cp root 2975
20. 04/07/2018 12:56:50 /vddos/vddos open yes /usr/bin/cp root 2973
21. 04/07/2018 12:56:50 /vddos/win-utf open yes /usr/bin/cp root 2976
22. 04/07/2018 12:56:50 /vddos/mime.types open yes /usr/bin/cp root 2977
23. 04/07/2018 12:56:50 /vddos/mime.types.default open yes /usr/bin/cp root 2978
24. 04/07/2018 12:56:50 /vddos/fastcgi_params open yes /usr/bin/cp root 2979
25. 04/07/2018 12:56:50 /vddos/fastcgi_params.default open yes /usr/bin/cp root 2980
26. 04/07/2018 12:56:50 /vddos/fastcgi.conf open yes /usr/bin/cp root 2981
27. 04/07/2018 12:56:50 /vddos/fastcgi.conf.default open yes /usr/bin/cp root 2982
28. 04/07/2018 12:56:50 /vddos/uwsgi_params open yes /usr/bin/cp root 2983
29. 04/07/2018 12:56:50 /vddos/uwsgi_params.default open yes /usr/bin/cp root 2984
30. 04/07/2018 12:56:50 /vddos/scgi_params open yes /usr/bin/cp root 2985
31. 04/07/2018 12:56:50 /vddos/scgi_params.default open yes /usr/bin/cp root 2986
32. 04/07/2018 12:56:50 /vddos/vddos.conf open yes /usr/bin/cp root 2987
33. 04/07/2018 12:56:50 /vddos/nginx.conf.default open yes /usr/bin/cp root 2988
34. 04/07/2018 12:57:05 /vddos mkdir no /usr/bin/mkdir root 3004
35. 04/07/2018 12:57:05 /vddos/naxsi_core.rules rename yes /usr/bin/mv root 3005
36. 04/07/2018 12:57:06 /vddos/vdos unlinkat yes /usr/bin/rm root 3006
37. 04/07/2018 12:57:06 /vddos/fastcgi.conf.default unlinkat yes /usr/bin/rm root 3007
38. 04/07/2018 12:57:06 /vddos/fastcgi_params.default unlinkat yes /usr/bin/rm root 3008
39. 04/07/2018 12:57:06 /vddos/mime.types.default unlinkat yes /usr/bin/rm root 3009
40. 04/07/2018 12:57:06 /vddos/nginx.conf.default unlinkat yes /usr/bin/rm root 3010
41. 04/07/2018 12:57:06 /vddos/scgi_params.default unlinkat yes /usr/bin/rm root 3011
42. 04/07/2018 12:57:06 /vddos/uwsgi_params.default unlinkat yes /usr/bin/rm root 3012
43. 04/07/2018 12:57:06 /vddos/openssl-1.0.2o unlinkat yes /usr/bin/rm root 3013
44. 04/07/2018 12:57:06 /vddos/vddos.conf unlinkat yes /usr/bin/rm root 3014
45. 04/07/2018 12:57:06 /etc/init.d/vdos rename yes /usr/bin/mv root 3015
46. 04/07/2018 12:57:06 /vddos mkdir no /usr/bin/mkdir root 3016
47. 04/07/2018 12:57:06 ssl mkdir yes /usr/bin/mkdir root 3017
48. 04/07/2018 12:57:07 /opt/Python-2.7.14 rename yes /usr/bin/mv root

direct check of /vddos/vddos binary

/vddos/vddos -V
nginx version: nginx/1.13.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2o 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/vddos --sbin-path=/vddos/vddos --modules-path=/usr/lib64/vddos/modules --conf-path=/vddos/vddos.conf --error-log-path=/var/log/vddos/error.log --http-log-path=/var/log/vddos/access.log --pid-path=/var/run/vddos.pid --lock-path=/var/run/vddos.lock --http-client-body-temp-path=/var/cache/vddos/client_temp --http-proxy-temp-path=/var/cache/vddos/proxy_temp --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --user=vddos --group=vddos --with-compat --with-file-aio --with-threads --with-stream --with-http_realip_module --with-http_ssl_module --with-http_v2_module --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --with-http_geoip_module --with-stream_geoip_module --with-http_stub_status_module --add-module=vts --add-module=sts --add-module=sts-core --add-module=waf/naxsi_src --add-module=testcookie --with-openssl=/vddos/openssl-1.0.2o
Click to expand...

Also vddos nginx proxy runs as vddos system user so already looses out on alot of Centmin Mod Nginx's nginx scaling optimisations to handle higher levels of concurrent load.

Hence why you should always test on test server first !

update: seems @duy13 designed vddos that way to remove /vddos/vddos.conf and nginx service isn't used according to failed to install vddos nginx on centos 7 · Issue #22 · duy13/vDDoS-Protection as duy13 created a separate testcookie implementation for Centmin Mod which i haven't tried yet

pamamolf · Apr 7, 2018

Wondering how is it possible to mask a script and users not be able to see what it does?

How they do that?

I thought at Linux all is visible....

eva2000 · Apr 8, 2018

pamamolf said: ↑

Wondering how is it possible to mask a script and users not be able to see what it does?

How they do that?

I thought at Linux all is visible....
Click to expand...

bash scripts can be masked, I do this for some of monitoring and analysis scripts I use for paid client work See if you can google-fu for the info

Oxide · Apr 8, 2018

CloudFlare is the best alternative, it's also free. Scurci or other services are rip-off versions of CloudFlare.

CloudFlare also has the biggest global network and cdn. Providers like scuri rent servers with other third parties like OVH.

eva2000 · Apr 8, 2018

eva2000 said: ↑

vddos nginx config check, it's missing /vddos/vddos.conf which is i assume the nginx.conf equivalent

from auditd logging somewhere in /usr/bin/vddos setup routine it unlink removed /vddos/vddos.conf for some reason ? but as all of the script is masked no one can inspect code to see what's going on !
Click to expand...

seems @duy13 designed vddos that way to remove /vddos/vddos.conf and nginx service isn't used according to failed to install vddos nginx on centos 7 · Issue #22 · duy13/vDDoS-Protection as duy13 created a separate testcookie implementation for Centmin Mod which i haven't tried yet

duy13/vCentminmod-DDoS

Install - Upgrade - Nginx - CentOS 7.x - Anti-DDoS Mitigate: Automatic deploy/config Testcookie module for Centminmod (vCentminmod-DDoS)

Oxide said: ↑

CloudFlare is the best alternative, it's also free. Scurci or other services are rip-off versions of CloudFlare.

CloudFlare also has the biggest global network and cdn. Providers like scuri rent servers with other third parties like OVH.
Click to expand...

yeah Sucuri isn't as fast as Cloudflare

robert syputa · Apr 8, 2018

Many VPS hosts provide DOS... or they advertise that they provide it. However, I don't know how to judge how well a VPS or other host DOS works.

robert syputa · Apr 8, 2018

The use of a broad-pipe service such as CloudFlare can find attacks that occur across a large number of IPs but offer no real advantage over CSF for site-specific or limited IP range attacks. CSF has DOS capability but it relies on hits on your IP/domain. It has distributed DOS as well, however, that requires more repetitive hits on the IP than a broad-pipe has the bandwidth to sniff out as it can see the same IPs hitting the multiple hosted IPs. Tight settings in CSF distributed DOS could cause dropping of legitimate visitors/subscribers.

eva2000 · Apr 8, 2018

robert syputa said: ↑

Tight settings in CSF distributed DOS could cause dropping of legitimate visitors/subscribers.
Click to expand...

Unfortunately very true as banning based up on IP address won't work 100% due to IP spoofing and shared IP usage.

pamamolf · Apr 8, 2018

bash scripts can be masked, I do this for some of monitoring and analysis scripts I use for paid client work
Click to expand...

Checking on Google i found only sch script but as i can see it is very easy to crack it and get the source code so didn't found anything good

robert syputa · Apr 8, 2018

Thus far I have not had a DOS or DDOS attack that Configserver firewall CSF didn't prevent. I have noticed what looked like DDOS attempt - a high volume of hits on a particular port or multiple ports from a block of IPs or originating from one country. But this wasn't a performance problem before the IPs were dropped/banned. The host VPS advertises DOS/DDOS but I can't see the log reports to see if its working. All I do now is occasionally review the logs to see if something unusual is happening.

rc112 · Apr 8, 2018

@eva2000 Thank you so much for your deep investigation on this. Look like the author has updated the ngxin and openssl. Besides, I think this is the best and almost free solution against DDOS. I can work with Cloudflare(free/paid). Cloudflare support unlimited bandwidth with layer 4 and vDDOS can handle Layer 7.

It also support layer 3/4 block with additional addon.

vDDoS Layer4 Mapping is a addon support for vDDoS Proxy Protection - Monitor processor logs and block it in Layer 3-4. This tool is product for those people ask me to add "BLOCK & CAPTCHA" on Layer 3-4 (Support Iptables CSF & CloudFlare API) for vDDoS Proxy Protection.
Click to expand...

duy13/vDDoS-Layer4-Mapping

Even thought I got 404 error after finish recaptcha verification and I havent got reply from the author yet.

Another useful tool: VDSTAT in his github which can help identify the attacker ip.

########### The server statistics table for SYSTEM ADMIN LINUX SERVER VO DUY DOT COM: ########### TIME:21H31-DATE:18-02-2017 ###########

CPU usage: ~0.00% RAM usage: ~3673MB IO usage: ~0MB/s READ
~2MB/s WRITE
The total number of QUERIES to port 80 is: 47 (By 17 IP Address request)
The total number of QUERIES to port 443 is: 0 (By 1 IP Address request)

Total number of ESTABLISHED connections is: | Network Bandwidth:
Port 80: 4 connections | Incoming: 140KB/s
Port 443: 0 connections | Outgoing: 709KB/s

IP Address request much:
50 112.8.43.10 www.voduy.com
23 5.188.211.10
6 123.21.66.90
4 127.0.0.1 localhost
3 113.181.151.7 localhost
2 123.30.175.204 bot34.coccoc.com
1 94.100.181.37 picker1.i.mail.ru
1 66.249.79.168 crawl-66-249-79-168.googlebot.com
1 66.249.79.160 crawl-66-249-79-160.googlebot.com
1 66.249.79.150 crawl-66-249-79-150.googlebot.com
1 66.249.79.124 crawl-66-249-79-124.googlebot.com
1 66.249.79.108 crawl-66-249-79-108.googlebot.com
1 46.229.168.74
1 46.229.168.70
1 46.229.168.69
1 40.77.167.29 msnbot-40-77-167-29.search.msn.com
1 222.254.217.10 static.vnpt.vn
1 216.169.110.193 216-169-110-193-cust-gw.reverse.ezzi.net
1 157.55.39.220 msnbot-157-55-39-220.search.msn.com
1 115.78.206.110 adsl.viettel.vn
1 113.190.224.249 static.vnpt-hanoi.com.vn

Thank you for using!
Click to expand...

eva2000 · Apr 8, 2018

rc112 said: ↑

Another useful tool: VDSTAT in his github which can help identify the attacker ip.
Click to expand...

Nice. It's should be relatively easy to whip up a script for Centmin Mod servers i.e. just wrote netstat-info.sh at netstat display info for centminmod.com. It properly accounts for servers with more than one network card too. Will update to add for network packets in/out too
Code (Text):
curl -sL https://gist.github.com/centminmod/73b730edaa13b636c87ae4b63cdafeea/raw/netstat-info.sh | bash

Network Bandwidth In/Out (KB/s):
eth0  In:  0.05  Out:  0.00
eth1  In:  0.00  Out:  0.00
eth2  In:  0.00  Out:  0.00

Network Packets   In/Out (pps):
eth0  In:  1.00  Out:  1.00
eth1  In:  0.00  Out:  0.00
eth2  In:  0.00  Out:  0.00

Total Connections For:
Port 80:   1
Port 443:  1

Unique IP Connections For:
Port 80:   0
Port 443:  0

Established Connections For:
Port 80:   0
Port 443:  0

TIME_WAIT Connections For:
Port 80:   0
Port 443:  0

Top IP Address Connections:
1  127.0.0.1        localhost

eva2000 · Apr 8, 2018

added my netstat-info code to existing centmin mod 123.09beta01 cminfo command https://community.centminmod.com/threads/update-cminfo-command-with-netstat-flag-option.14468/

robert syputa · Apr 10, 2018

I have read that many VPS service providers have put a DDOS shield in place because they find that this reduces the ticket requests from their clients and is relatively easy to provide on KVM, LXC etc. VPS. My personal experience has been that the VPS providers now provide this as a standard feature.

The thread is about Cloudflare and DOS/DDOS. However, the alternative is to use a VPS with DDOS combined with CSF and WP or another application-based firewall. I have not used CloudFlare for a few years but had found it to have problems and I like to have more control... or think that I have more control. 'If it ain't broke, don't fix it' - until I run into a DOS/DDOS problem that is not handled by the combination of the VPS host DDOS, CDN DDOS as used for specific classes of content, CSF with limited open ports, and wp and other applications firewalls I won't use Cloudflare.

Some blogs point out that use of a single approach, such as a generalized use of content delivery networks, can be problematic: 5 common misconceptions about DDoS protection | ITProPortal

This points out that a multi-layered approach is needed. CDN has the benefit of seeing a big pipe of traffic. However, that can cause its own problems of not being able to spot selective DDOS attacks. DDOS attacks can be either broadly targeted or selectively targeted. If selectively targeted, say at sites that have been spidered to determine the use of a specific app such as Wordpress, that may go undetected by CDN or other broad pipe protection scheme.

I suggest a combination of server-based/HOST DDOS, CSF or another server firewall, Clamav (see centminmod addons folder) then consider use of CDN that provides the best performance and app-specific firewalls and file monitoring.

eva2000 · Apr 10, 2018

Yeah having VPS or dedicated with native DDOS protection helps but remember not all DDOS mitigation solutions are created equal. I know that BuyVM.net's DDOS protection is one of the better ones for VPSes (my referral link ). BuyVM is very much unmanaged so expect no support other than for network or server hardware related issues.

BuyVM - DDoS Protection - make sure DDOS protected IP is not primary IP on BuyVM VPS server but the secondary IP as primary IP needs to be non-DDOS protected one. So in Centmin Mod 123.09beta01, you'll need to make use of SECOND_IP variable to set DDOS protected IP for SECOND_IP for default nginx vhost creation Upgrade - Nginx - Redis - Insight Guide - Adding Additional IP Addresses

gre_tunnel [Frantech/BuyVM Wiki] instructions are more geared to debian/ubuntu as opposed to centos. I am using BuyVM.net DDOS protection remotely via Gre Tunnel setup in combination with Sucuri for layer 7 via cloudproxy. If you're doing Gre tunneling I would test on test servers first until you get it right otherwise you could screw up your live production servers. Took me a few attempts to get it right on test VPS servers with Sucuri cloudproxy for layer 7 and any leaked IP attacks BuyVM DDOS protection should handle i.e. Xenforo HTTP Forward proxy for proxied images. BuyVM.net will not provide any support as they're unmanaged so need to figure it out yourself. BuyVM.net DDOS protection can also do layer 7 HTTP reverse proxy like Sucuri but it was much slower on the front end visiting site/forums then Sucuri cloudproxy. But most folks won't need to use Gre tunnels if their origin site is on BuyVM DDOS protected VPS. It's only needed if you want to use BuyVM DDOS Protected VPS IP to protect a remote server like hosted on Linode etc

Also beware of bug in BuyVM centos templates where you are unable to SSH into server after fresh OS install/reinstall due to networking service defaulting to off instead of on. See BuyVM.net - Benchmarks - BuyVM.net New KVM Plans on Intel Xeon E3-1270v3 Host Nodes!. Not sure if that has been fixed as I only have a few BuyVM VPSes running.

What is a GRE tunnel?
Much like a proxy, a GRE tunnel allows you to pass traffic from your BuyVM VPS including DDoS filtering to another remote destination.

GRE tunnels allow all traffic through, not just HTTP. With a GRE tunnel you can serve, and deliver any type of content from any type of server (audio, FTP, SSH, SCP, video, etc.).

What can your use a GRE tunnel for?
GRE tunneling is very handy when you want to use our DDoS filtering services to protect services that are too large to host with us (I.e. game servers, Java applications, large database driven applications, etc.).

Don't have root access for your destination server or are running a huge Windows deployment? Check out our alternative method to redirect traffic to your remote server.

Note: If you are tunneling to an OVH server, you most likely don't have GRE support in your kernel. You'll need to use a IPIP tunnel instead.
Click to expand...

Old BuyVM.net slices VPS review at BuyVM.net - Benchmarks - BuyVM.net New KVM Plans on Intel Xeon E3-1270v3 Host Nodes!. Unfortunately, it can get expensive if you want at least 2 cpu core KVM Slices VPS. 1/4 and 1/2 core Slices probably not enough cpu share time for any moderately busy server from my experience so at least 1 or 2 cpu cores really needed. So 8192MB Slice KVM VPS with 160GB SSD + DDOS protected IP would be 30 + 3 = US$33/month

robert syputa · Apr 10, 2018

Thanks Eva! Very useful information. I will put it into my toolbox.

Silv3er · Apr 10, 2018

I use Sucuri since 8 months, I am founder of a big forum and I was the target layer7 attack very often. Since I combined Cloudflare with Sucuri. My forum is no longer DDOS Layer 7.

I use Sucuri Website Firewall | WAF and Website Malware Protection The $9.99 plan is more than enough to block DDOS Layer 7!!

Sincerely

Log in / Register

Forums

Discover Centmin Mod today

Security Cloudflare Sysadmin DDOS protection?

rc112 Member

eva2000 Administrator Staff Member

rc112 Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

Oxide Active Member

eva2000 Administrator Staff Member

robert syputa Member

robert syputa Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

robert syputa Member

rc112 Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

robert syputa Member

eva2000 Administrator Staff Member

robert syputa Member

Silv3er New Member

.

Log in / Register

Useful Searches

Discover Centmin Mod today

Security Cloudflare Sysadmin DDOS protection?

rc112 Member

eva2000 Administrator Staff Member

rc112 Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

Oxide Active Member

eva2000 Administrator Staff Member

robert syputa Member

robert syputa Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

robert syputa Member

rc112 Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

robert syputa Member

eva2000 Administrator Staff Member

robert syputa Member

Silv3er New Member

.