On Tue, 2006-03-28 at 15:51 -0500, Reza - Asterisk Enthusiast wrote:
> Ok... some people have absolutely no respect for other people's hard
> work - not knowing that they are hurting a small time business owner
> versus corporations. Having said that, even attacking large
> corporations with DDoS is equally sick because in many cases
> shareholders themselves are hardworking people - who invested their
> life savings.
>
> I don't see a difference between a criminal trying to break open the
> locked door of a family owned convenience store vs. trying to break
> into an individually owned server.
>
> So... why do I post this message here? Last evening I received
> EXACTLY 63510 attempts to login into my Asterisk server at my colo.
> My server is taking a GOOD BEATING - and the only thing that is
> happening is my logs are getting populated at a rate of 10 megs per
> day and bandwidth increasing.
>
> I know a number of software based firewalls for Linux, but is there
> any software application out there, that utilizes relatively low CPU
> resources, to prevent or slow down DDoS - that any of you have
> ACTUALLY implemented? I have a Fortigate firewall solution on
> another server, but those toys are expensive. I'm not ready to pitch
> in another large sum of money for this... but at the end if I have
> to... I have to.
>
> The quick fix is to allow SSH ONLY from my range of IP's - but that is
> only a Band-Aid solution. What is disturbing though is that these
> "people with no respect", are targeting my Asterisk Server. This is
> why it's bugging me!
>
> Your thoughts and inputs on what measures you take to protect your
> servers from DDoS is greatly appreciated... especially those of you
> who are running Asterisk for business purposes!
The system that the attack is coming from is likely a compromised system
and the owner/administrator is probably unaware that it is happening, so
I don't recommend that you take strong action against the person.
Iptables is the elegant, but complex way of limiting connections. Newer
versions of the kernel have an ipt_recent module that allows you to
detect and temporarily (or permanently) shut down offending IP addresses
based on how many times in a given duration a connection has been
made. This is one way to solve the problem and I recommend it if you are
interested in learning firewalling.
However, it can be somewhat complex and if you want to avoid the
complexity you could simply move your SSH port. Edit
your /etc/ssh/sshd_config file and change "Port 22" to something like
"Port 62200" or your street address, whatever, just stay away from ports
listed in /etc/services. Then to SSH in use the -p option of ssh (or
PuTTY if you're stuck with Windows) to connect using the alternate port
number.
I don't recommend blocking their address manually. Although it will stop
the attack initially, you will eventually be attacked from another IP
address. It's not uncommon to be hit from more than one IP
simultaneously.
--
John Van Ostrand
Net Direct Inc.
Director of Technology
564 Weber St. N. Unit 12
Waterloo, ON N2L 5C6
[EMAIL PROTECTED]
Ph: 519-883-1172 ext. 5102
Linux Solutions / IBM Hardware
Fx: 519-883-8533
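The two mitigations John describes above, the ipt_recent rate limit and the moved SSH port, as an added shell example that is not part of the original thread. The hit count, window and port number are illustrative assumptions; the iptables "recent" match options (--set, --update, --seconds, --hitcount, --name) are the module's real ones. The rule function prints the commands rather than running them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Values for port, hit count and window are assumptions for illustration.

# Emit iptables rules using the "recent" match (ipt_recent). The first rule
# records the source address of every new SSH connection in list "SSH"; the
# second drops a new connection when that address has already opened HITS or
# more new connections within SECS seconds (the window slides on each hit).
ssh_ratelimit_rules() {
    port="${1:-22}"; hits="${2:-4}"; secs="${3:-60}"
    cat <<EOF
iptables -A INPUT -p tcp --dport ${port} -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport ${port} -m state --state NEW -m recent --update --seconds ${secs} --hitcount ${hits} --name SSH -j DROP
EOF
}

# Apply the printed rules. Requires root; run ssh_ratelimit_rules alone first
# to inspect what will be executed.
ssh_ratelimit_apply() {
    ssh_ratelimit_rules "$@" | sh
}

# Rewrite the Port directive in an sshd_config file ($1) to the port in $2,
# keeping a .bak copy. A commented-out "#Port 22" default is rewritten too.
# As the post advises, a port already named in /etc/services is refused.
sshd_set_port() {
    cfg="$1"; newport="$2"
    if [ -r /etc/services ] && grep -qE "[[:space:]]${newport}/tcp" /etc/services; then
        echo "port ${newport} is listed in /etc/services; pick another" >&2
        return 1
    fi
    cp "$cfg" "$cfg.bak" || return 1
    sed -E "s/^#?[[:space:]]*Port[[:space:]]+[0-9]+/Port ${newport}/" "$cfg.bak" > "$cfg"
}

# Usage (review only, nothing is applied):
#   ssh_ratelimit_rules 22 4 60
#   sshd_set_port /etc/ssh/sshd_config 62200   # then restart sshd and connect with ssh -p 62200
```

Keep the --set rule before the --update rule so the current connection is counted; with the order reversed an address gets one extra free attempt per window. After changing the port, open a second session on the new port before closing the old one, so a typo in the config does not lock you out.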