Nginx Nginx Simple Config to Combat Layer 7 DDOS Attack

Discussion in 'Nginx and PHP-FPM news & discussions' started by RoldanLT, Nov 16, 2016.

  1. RoldanLT

    RoldanLT Well-Known Member

    3,978
    965
    113
    May 25, 2014
    Phillipines
    Ratings:
    +1,329
    Local Time:
    7:45 AM
    1.11
    10.2
    Just add the following to the /usr/local/nginx/conf/nginx.conf file, below the http{ context.
    Code:
    limit_conn_zone $binary_remote_addr zone=conperiplimit:16m;
    limit_conn conperiplimit 10;
    
    Works great on my Own Site. (y)
     
  2. RoldanLT

    I think it's still safe to lower the limit:
     
  3. eva2000

    eva2000 Administrator Staff Member

    30,956
    6,917
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,418
    Local Time:
    9:45 AM
    Nginx 1.13.x
    MariaDB 5.5
    Just be careful and monitor your access and error logs. You can set this on a per-nginx location match context too, i.e. set it for search pages, online user displays, member lists etc. That's what I do :)

    Module ngx_http_limit_conn_module
     
    Last edited: Nov 16, 2016
  4. RoldanLT

    My only goal for this is to combat Layer 7 attacks without purchasing Sucuri :D.
    And it really works well without enabling "I'm Under Attack" mode on Cloudflare.
     
  5. eva2000

    Yeah, IP connection limits will help to a certain degree, though with a large enough layer 7 DDoS attack it can still overwhelm your server. Which is why DDoS mitigation providers like Sucuri, Incapsula, Cloudflare etc. work: they have large network capacity, i.e. Cloudflare is at 10Tbps capacity now with their 101st datacenter launched: Arribem a Barcelona! Cloudflare's 101st data center!
     
  6. pamamolf

    pamamolf Well-Known Member

    2,821
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    1:45 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Checking a few days ago using https, the connections/requests limit was not working as expected....

    When I loaded the main index page of the forum, not all icons in front of each category loaded :(

    I thought, as I have done many times with no issues, that my numbers were small, so just for a test I increased connections to 20 and requests to 200, with the same result :(

    It was the first time that this setting caused me an issue, and it was the first time that I had used Let's Encrypt on that server ....

    So maybe it is related to https?
     
  7. RoldanLT

    Yeah, https with HTTP/2 enabled will cause more requests/connections at a time.

    But this approach of mine only limits connections per IP, not requests per IP.
    They are different.
     
  8. pamamolf

    But more than 20 and 200?

    I thought that HTTP/2 was able to get more content with fewer connections....
     
  9. eva2000

  10. pamamolf

    Checking the above info, then there is an issue with limiting connections and requests, as the 20 connections and 200 requests that I set are huge values and it didn't work :(
     
  11. RoldanLT

    Maybe you are behind Cloudflare and you do not resolve the correct visitor IP of the user (using the realip module); that's why you always hit the limit.
     
  12. pamamolf

    I do not use Cloudflare on that server at all....
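Putting the points from the posts above together in one config, as an added example that is not from the original posts or from Centmin Mod: the connection zone from the first post, eva2000's advice to keep the tight limit on expensive locations only, RoldanLT's point that connection limits and request limits are different things, and the realip step for sites that do sit behind Cloudflare. The zone name reqperiplimit, the hostname, the file paths and the 203.0.113.0/24 range are placeholders I chose.

```nginx
events { worker_connections 1024; }

http {
    # One 16m shared zone keyed by client IP, as in the first post. limit_conn
    # counts open connections; limit_req counts requests, so it gets its own zone.
    limit_conn_zone $binary_remote_addr zone=conperiplimit:16m;
    limit_req_zone  $binary_remote_addr zone=reqperiplimit:16m rate=10r/s;

    # Limited clients are written to error.log and receive 429 instead of 503,
    # which keeps them easy to tell apart from real backend failures.
    limit_conn_log_level warn;
    limit_req_log_level  warn;
    limit_conn_status 429;
    limit_req_status  429;

    # Only when the site sits behind Cloudflare: restore the visitor IP first,
    # otherwise every visitor shares an edge IP and they all hit the limit together.
    # 203.0.113.0/24 is a placeholder; list each published Cloudflare range instead.
    # set_real_ip_from 203.0.113.0/24;
    # real_ip_header   CF-Connecting-IP;

    server {
        listen 443 ssl http2;
        server_name example.com;                        # placeholder
        ssl_certificate     /etc/ssl/example.com.crt;   # placeholder
        ssl_certificate_key /etc/ssl/example.com.key;   # placeholder
        root /home/nginx/domains/example.com/public;    # placeholder

        # With HTTP/2 nginx treats each concurrent request as a separate
        # connection for limit_conn, so a cap of 10 can block a page that loads
        # many icons in parallel. Keep the site-wide cap generous...
        limit_conn conperiplimit 30;

        # ...and put the tight limits on expensive pages only (search, online
        # users, member list). A limit_conn here replaces the server-level one
        # for this location; burst lets a real browser fetch a few pages quickly.
        location ~ ^/(search|online|members)/ {
            limit_conn conperiplimit 5;
            limit_req  zone=reqperiplimit burst=20 nodelay;
            try_files $uri $uri/ =404;
        }

        location / {
            try_files $uri $uri/ =404;
        }
    }
}
```

Run `nginx -t` after editing, then watch /usr/local/nginx/logs/error.log for lines containing `limiting connections by zone` or `limiting requests`; those are the clients the limits caught, which is the monitoring eva2000 recommends.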
     
  13. RoldanLT

  14. narji

    narji Member

    69
    6
    8
    Feb 4, 2016
    Ratings:
    +12
    Local Time:
    6:45 AM
    I'm searching for a way to fight botnets and malicious IPs
    besides CSF and Cloudflare; I found this but have not tested it yet.

    vDDoS, a HTTP(S) DDoS Protection
    website vDDoS Proxy Protection

    feature for security
    variable: no, 307, 200, click, 5s, high, captcha
    Sets a valid for Security Level Protection. Note: no < 307 < 200 < click < 5s < high < captcha

    system requirement
     
  15. narji

    Last edited: Dec 22, 2016
  16. pamamolf

    From my experience, if you are under a DDoS attack you will not be able to ssh to the server at all..... :(

    So you have to block everything before your server....
     
  17. RoldanLT

    That is a Layer 3/4 attack.
     
  18. pamamolf

    Didn't notice that this was specific to layer 7 :)

    Yup, you are right, I was talking about layer 3/4 attacks.....
     
  19. narji

    The other way to reduce attacks on all ports:
    just testing the iptables DROP rules from JavaPipe's iptables DDoS protection guide;
    might need adjustment.

    first create csfpre.sh
    Code:
    $ nano -w /usr/local/csf/bin/csfpre.sh
    insert these lines
    
    ### 1: Drop invalid packets ###
    /sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
    
    ### 2: Drop TCP packets that are new and are not SYN ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    
    ### 3: Drop SYN packets with suspicious MSS value ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
    
    ### 4: Block packets with bogus TCP flags ###
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
    /sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    
    ### 5: Block spoofed packets (disabled: enable only if none of these ranges are legitimately routed to you) ###
    #/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
    #/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
    
    ### 6: Drop ICMP (you usually don't need this protocol) ###
    #/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP
    
    ### 7: Drop fragments in all chains ###
    #/sbin/iptables -t mangle -A PREROUTING -f -j DROP
    
    ### 8: Limit connections per source IP ###
    #/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
    
    ### 9: Limit RST packets ###
    /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
    
    ### 10: Limit new TCP connections per second per source IP ###
    # NOTE: "-m limit" is one global counter shared by all clients, not a per-source-IP
    # limit as the heading says; under load it throttles legitimate visitors too.
    # For a real per-IP rate use "-m hashlimit --hashlimit-mode srcip" instead.
    /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
    
    ### 11: Use SYNPROXY on all ports (disables connection limiting rule) ###
    #/sbin/iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
    #/sbin/iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
    #/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    
    ### SSH brute-force protection ###
    #/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
    #/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
    
    ### Protection against port scanning ###
    # NOTE: nothing jumps to this chain, so as written it has no effect. If you hook it,
    # send only RST packets to it, e.g.
    #   /sbin/iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning
    # Hooking all INPUT traffic would DROP every packet that is not a rate-limited RST.
    /sbin/iptables -N port-scanning
    /sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
    /sbin/iptables -A port-scanning -j DROP
    
    ### save before quit
    
    $ chmod +x /usr/local/csf/bin/csfpre.sh
    $ csf -r | more
    or reboot
    
    So far no trouble with a KVM VPS, CSF and the Centmin Mod nginx stack.

    website
    CSF *Port Scan* detected - shared hosting
    https://download.configserver.com/csf/readme.txt
    How to Add Custom iptables Rules with CSF - TecAdmin.net
    DDoS Protection With IPtables: The Ultimate Guide
     
  20. RoldanLT

    Test Mode :)