
CSF How to drop all packets for IPs that aren't Cloudflare

Discussion in 'Other Centmin Mod Installed software' started by BamaStangGuy, Mar 19, 2019.

  1. BamaStangGuy
    I have a client that is getting hit hard by DDoS and is behind Cloudflare. Argo would be too expensive. What I basically need to do is drop all packets that aren't coming from Cloudflare. I also need to whitelist an IP that will be used to SSH into the server.

    What is the best way to do this with CentminMod?
     
  2. eva2000
    Centmin Mod's CSF Firewall is just a wrapper around iptables, so you can still use iptables rules if you know how CSF Firewall works: place the iptables rules in the custom /etc/csf/csfpre.sh script (with executable permissions), which runs those rules before CSF Firewall loads its own rules.

    The instructions at How do I whitelist Cloudflare's IP addresses in iptables? are for whitelisting Cloudflare IPs, which is already done if you set up the csfcf.sh script (Beta Branch - csfcf.sh - automate Cloudflare Nginx & CSF Firewall setups), in which case /etc/csf/csfpre.sh isn't required.

    Then all you need to do is remove ports 80, 443 and 2408 (if using Railgun), and any other ports you don't want non-Cloudflare requests to connect to, from the comma-separated TCP_IN and TCP6_IN lists of whitelisted ports in /etc/csf/csf.conf, and then restart CSF Firewall
    Code (Text):
    csf -ra

    As to whitelisting an IP, the same applies, as per the CSF Firewall commands outlined at CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS
     
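The csfpre.sh approach described in this reply, as an added example that is not code from the thread, Centmin Mod or CSF: a dry-run generator that prints the iptables rules allowing only Cloudflare ranges to reach 80/443 and one admin host to reach SSH, and dropping everything else aimed at the web ports. The Cloudflare ranges below are constructed sample values (use Cloudflare's published list), and ADMIN_IP and SSH_PORT are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Centmin Mod/CSF.
# Prints the iptables rules an operator would place in /etc/csf/csfpre.sh
# (which runs before CSF loads its own rules) so that only Cloudflare ranges
# may reach 80/443, one admin host keeps SSH, and other traffic to the web
# ports is dropped.
# Assumptions: CF_RANGES are CONSTRUCTED sample values (replace with the
# published Cloudflare IPv4 list); ADMIN_IP and SSH_PORT are placeholders.

CF_RANGES="203.0.113.0/24
198.51.100.0/24"
ADMIN_IP="192.0.2.10"
SSH_PORT=22

# Accept only dotted-quad/prefix strings, so a malformed entry cannot abort
# the script half-way and leave the host without its final DROP rule.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
        *.*.*.*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the rules in the order they must be appended: allows first, drop last.
gen_rules() {
    echo "iptables -A INPUT -p tcp -s $ADMIN_IP --dport $SSH_PORT -j ACCEPT"
    for net in $CF_RANGES; do
        if valid_cidr "$net"; then
            echo "iptables -A INPUT -p tcp -s $net -m multiport --dports 80,443 -j ACCEPT"
        else
            echo "skipping malformed range: $net" >&2
        fi
    done
    echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP"
}

# Sanity check on the generated set: number of ACCEPT rules emitted.
count_accepts() { gen_rules 2>/dev/null | grep -c -- '-j ACCEPT$'; }

# Dry run: print the rules rather than applying them.
gen_rules
```

Pair this with removing 80 and 443 from TCP_IN/TCP6_IN in csf.conf as the reply says, then `csf -ra`.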
  3. BamaStangGuy
    I have done this but it appears the server is still being taken down with an attack the size of 50-60 Mbps. ReliableSite is being less than helpful. I have removed every single inbound port for TCP and UDP as well as for the IPV6 settings. Anything else I am missing?
     
  4. eva2000
    You'd need to figure out where the attack is coming from inbound-wise. Or is it being passed through Cloudflare itself as a layer 7 attack?
     
  5. BamaStangGuy
    From the looks of iptraf-ng Port 443 is getting hit the hardest but a lot of other ports are showing smaller use. How would it be passed through Cloudflare itself? We have Under Attack Mode on.
     
  6. eva2000
    There's probably ways to bypass it, so it looks like it could be a layer 7 application-level attack, something you'd need to look into more deeply, assuming CSF Firewall and the Cloudflare level are properly configured already.
     
  7. BamaStangGuy
    Something isn't right. Not only can I not figure this out but neither can ReliableSite's datacenter workers. All we are trying to do is drop all packets that are not from CloudFlare and two other whitelisted IP addresses. We have been unable to accomplish this. If we try to use IPTables directly it brings the entire server down and inaccessible.

    We have even tried blocking every single country via CSF without our whitelists. Still the DDoS gets through on all ports.
     
  8. eva2000
    Tried a simple test of blocking your own IP or a known VPN IP in CSF Firewall and trying direct server access, to confirm whether CSF Firewall/iptables is working properly?
     
  9. BamaStangGuy
    Blocking one IP works just fine. Blocking everything but Cloudflare and two other IPs is not.
     
  10. Matt
  11. eva2000
    Indeed, Cloudflare is only a first-layer defense; you still need the origins to be capable and have some mitigations set up. Though @BamaStangGuy did say they had deployed 'I am under attack mode', so in his case it was a leaked origin IP that bypassed Cloudflare protections, I believe. Which again means the origin server still needs its own protection in place, i.e. rate limiting etc.
     
  12. rdan
    Implement limit_conn on the Nginx server (server block or php location).
    This will end most Layer 7 attacks.

    Even without Cloudflare (with ct_limit of CSF).
     