watch your logs

with this command, you can watch all logs at the same time, which should work for small servers with 10–30 websites (with more, it probably gets a little too much output)

analyze the malicious traffic

you can use tcpdump or, better, tshark (comes with wireshark) to further analyze the traffic and find out from which IP it originates.

about netfilter-team, iptables -> nftables.

„downgrade“ to iptables

if iptables is not working well, nftables might be the reason: there are good reasons for nftables, such as performance when facing DDoS, but some tools are not compatible with it (yet).

if fail2ban fails to ban:

CentOS7 replaced firewall iptables with firewalld – iptables vs nftables benchmark performance comparison, scalability when facing DDoS scenarios

RedHat has developed nftables and it ships with the kernel since 3.13.

what is „funny“ and confusing is that there is still an iptables command for backward compatibility, but this RedHat backward-compatibility „fake“ iptables does not work well with fail2ban.

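#!/usr/bin/env bash
# Replace firewalld with the classic iptables service on CentOS 7.
# Every command below changes service state, so run it as root and read
# the status output before relying on the firewall.

# stop, disable and prevent firewalld from starting
# (mask --now also stops it; the explicit stop/disable make the intent clear)
systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld

# install, start iptables
yum install iptables-services

systemctl start iptables
systemctl enable iptables

# there is no "iptables6" unit in CentOS7 (that name fails); the IPv6
# counterpart shipped by iptables-services is called ip6tables. The iptables
# command and its saved rules only cover IPv4, ip6tables is the IPv6 side.
systemctl start ip6tables
systemctl enable ip6tables

systemctl status iptables

# now you can run your first iptables command
iptables -nvL

# all rules you add now will be lost after reboot
# unless you save em now
service iptables save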

example config script:

you can quickly scan your server for open ports / ports in use:

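# install nmap with whichever package manager this host has (Debian/Ubuntu:
# apt, CentOS/RHEL: yum) instead of running both and ignoring one failure,
# then scan the local host.
if command -v apt >/dev/null 2>&1; then
  apt install nmap
elif command -v yum >/dev/null 2>&1; then
  yum install nmap
else
  printf 'warn: neither apt nor yum found, install nmap by hand\n' >&2
fi
# localhost resolves to the loopback address, so this lists what is bound
# there (or on all addresses); what is reachable on the public interface
# may differ, scan that address too when in doubt.
nmap localhost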

you should read through this script before using it:

1. remove the ports you are not using

2. add the ports you need

you might want to run THE script line by line

# this is a list of ips, subnets you want to block
# (one entry per line; the firewall script below reads it line by line)
cat /scripts/firewall_blacklist.txt

# this is THE script
# NOTE(review): the filename after /scripts/ is missing on this page; as
# written, cat is given a directory and prints nothing useful
cat /scripts/ 
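#!/usr/bin/env bash
# iptables firewall script
#
# Rebuilds the INPUT chain from scratch: flush, allow loopback and already
# established traffic, open the listed service ports, rate-limit 80/443 per
# source IP, block the IPs from the blacklist file, then log and drop
# everything else. Must run as root. Progress goes to stdout, diagnostics
# to stderr.
#
# Variables (both can be overridden from the environment):
#   IPTABLES  - iptables binary to use (default: iptables found in PATH)
#   BLACKLIST - one IP or subnet per line; blank lines and '#' comments are
#               ignored
set -u

IPTABLES=${IPTABLES:-iptables}
BLACKLIST=${BLACKLIST:-/scripts/firewall_blacklist.txt}

# with IPTABLES unset the rule lines below would try to run "-A" as a
# command and silently leave the firewall half-built
if ! command -v "${IPTABLES}" >/dev/null 2>&1; then
  printf 'error: %s not found, refusing to rebuild the firewall\n' "${IPTABLES}" >&2
  exit 1
fi

echo "===== put all ips you want to backlist in: ${BLACKLIST} =====";


echo " currently blacklisted: "
if [[ -r "${BLACKLIST}" ]]; then
  cat "${BLACKLIST}"
else
  printf ' (no readable blacklist at %s)\n' "${BLACKLIST}" >&2
fi

# echo "===== what ports are in use? ====="
# nmap localhost
# 22/tcp   open  ssh
# 25/tcp   open  smtp
# 80/tcp   open  http
# 143/tcp  open  imap
# 443/tcp  open  https
# 465/tcp  open  smtps
# 587/tcp  open  submission
# 993/tcp  open  imaps
# 2222/tcp open  EtherNet/IP-1
# 2525/tcp open  ms-v-worlds
# 9001/tcp open  tor-orport

echo "===== enabling ipv4 forwarding (makes server act as switch) ====="
# NOTE(review): forwarding is only needed when this host routes packets for
# other machines; on a plain web/mail server it can stay 0. Kept as the
# original had it. This script does not touch the FORWARD chain, so whatever
# is forwarded is not filtered here.
echo 1 > /proc/sys/net/ipv4/ip_forward

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
# INPUT stays ACCEPT while the chain is rebuilt so the session running this
# script (typically ssh) is not cut off between the flush and the ACCEPT
# rules; it is switched to DROP at the very end, once every ACCEPT is in place.
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT

# replies to connections this host opened and packets of already accepted
# connections; without this the DROP policy at the end would also cut
# outgoing connections (dns, yum, smtp delivery) and every established flow.
# It also means the hashlimit rules below only see the first packet of a
# new connection, i.e. they limit the connection rate per source IP.
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# a new tcp connection has to start with SYN; anything else claiming to be
# NEW is bogus (port-scan noise or a stale flow after the flush)
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#echo " * BLACKLIST"

echo " * allowing ssh on port 22"
${IPTABLES} -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

echo " * allowing ssh on port 2222"
${IPTABLES} -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT

echo " * allowing vestacp on port 9093"
${IPTABLES} -A INPUT -p tcp --dport 9093 -m state --state NEW -j ACCEPT

# echo " * allowing dns on port 53 udp"
# ${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

# echo " * allowing dns on port 53 tcp"
# ${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

# will not use these rules, will use the anti-DDoS rules further down
# echo " * allowing http on port 80"
# ${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

# echo " * allowing https on port 443"
# ${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

echo " * allowing smtps 465"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

echo " * allowing smtps on port 2525"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 2525 -j ACCEPT

echo " * allowing tor port 9001"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT

# echo " * allowing pop3s on port 995"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

# echo " * allowing imap on port 143"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

# echo " * allowing pop3 on port 110"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo "===== basic DDoS protection of port 80/443 ====="
echo "===== loading module ipt_recent, Xtables: recently-seen host matching ====="
# ip_list_tot:number of IPs to remember per list (uint)
# ipt_recent is the old module name (current kernels call it xt_recent); the
# rules that would need it are commented out below, so a failure here is
# reported but not fatal.
modprobe ipt_recent ip_list_tot=10000 \
  || printf 'warn: could not load ipt_recent (only needed for the ATTK rules)\n' >&2

echo "===== loading module xt_limit, Xtables: rate-limit match ====="
modprobe xt_limit

# ${IPTABLES} -A INPUT -p tcp -m multiport --dports 80,443 -m recent --update --seconds 3600 --name BANNED --rsource -j DROP
# ${IPTABLES} -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ATTK_CHECK

# ${IPTABLES} -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
# ${IPTABLES} -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
# ${IPTABLES} -A ATTK_CHECK -m recent --set --name ATTK –-rsource
# ${IPTABLES} -A ATTK_CHECK -m recent --update --seconds 600 --hitcount 150 --name ATTK --rsource -j ATTACKED
# ${IPTABLES} -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 50 --name ATTK --rsource -j ATTACKED

# per source IP: up to 50 new connections/min with a burst of 500, the rest
# is dropped by the rule right after.
# NOTE(review): both rules share --hashlimit-name http, so 80 and 443 are
# counted in one table per source; give the 443 rule its own name if the two
# ports are meant to be limited independently.
${IPTABLES} -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 80 -j DROP

${IPTABLES} -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 443 -j DROP

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP --icmp-type 8 -j ACCEPT

# echo " while Block ICMP attacks"
# ${IPTABLES} -p icmp -m u32 ! --u32 "4&0x3FFF=0"   -j DROP
# ${IPTABLES} -p icmp -m length --length 1492:65535 -j DROP

# Block abusing IPs
# from ${BLACKLIST}; -I puts each entry at the top of INPUT so it is
# evaluated before any ACCEPT rule above.
if [[ -f "${BLACKLIST}" && -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    # read -r keeps backslashes literal; the || handles a last line without \n
    while IFS= read -r IP || [[ -n "${IP}" ]]; do
        IP=${IP%$'\r'}              # tolerate CRLF files
        IP=${IP%%#*}                # drop trailing comments
        IP=${IP//[[:space:]]/}      # and surrounding whitespace
        [[ -n "${IP}" ]] || continue
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP \
          || printf 'warn: iptables rejected blacklist entry %s\n' "${IP}" >&2
    done < "${BLACKLIST}"
fi

# DROP everything else and Log it
# (logging is rate-limited so a flood cannot fill the log; the log prefix is
# a constructed label, change it to taste)
echo " * dropping and logging everything else"
${IPTABLES} -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (DROP): " --log-level 7
${IPTABLES} -P INPUT DROP

# iptables: Saving firewall rules to /etc/sysconfig/iptables
# (a plain-text copy goes to /root/iptables.txt first); without the save the
# rules are gone after the next reboot
iptables-save > /root/iptables.txt
service iptables save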

Links and Books:

Why you will love nftables from linux

iptables: How to use the limits module