Reza,
To expand on John's reply, a few ways that I have used to prevent DoS
attacks include:
1. throttling using iptables (using the limit feature of iptables):
e.g. to slow SYN attacks:
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --syn -i eth0 -j DROP   # SYNs over the limit fall through to this rule
2. using port-scan detectors like:
psad - The Port Scan Attack Detector
portsentry - Portscan detection daemon
3. discretionary access control, i.e. only allow connections to ports by
authorized hosts. This is the simplest solution for PBX systems, as
connections to a PBX are rarely ad-hoc, unless using ENUM.
Ian
John Van Ostrand wrote:
On Tue, 2006-03-28 at 15:51 -0500, Reza - Asterisk Enthusiast wrote:
Ok... some people have absolutely no respect for other people's hard
work - not knowing that they are hurting a small time business owner
versus corporations. Having said that, even attacking large
corporations with DDoS is equally sick because in many cases
shareholders themselves are hardworking people - who invested their
life savings.
I don't see a difference between a criminal trying to break open the
locked door of a family owned convenience store vs. trying to break
into an individually owned server.
So... why do I post this message here? Last evening I received
EXACTLY 63510 attempts to log in to my Asterisk server at my colo.
My server is taking a GOOD BEATING - and the only thing that is
happening is my logs are getting populated at a rate of 10 megs per
day and bandwidth increasing.
I know a number of software based firewalls for Linux, but is there
any software application out there, that utilizes relatively low CPU
resources, to prevent or slow down DDoS - that any of you have
ACTUALLY implemented? I have a Fortigate firewall solution on
another server, but those toys are expensive. I'm not ready to pitch
in another large sum of money for this... but at the end if I have
to... I have to.
The quick fix is to allow SSH ONLY from my range of IP's - but that
is only a Band-Aid solution. What is disturbing though is that
these "people with no respect", are targeting my Asterisk Server.
This is why it's bugging me!
Your thoughts and inputs on what measures you take to protect your
servers from DDoS are greatly appreciated... especially those of you
who are running Asterisk for business purposes!
The system that the attack is coming from is likely a compromised
system and the owner/administrator is probably unaware that it is
happening, so I don't recommend that you take strong action against
the person.
iptables is the elegant but complex way of limiting connections.
Newer versions of the kernel have an ipt_recent module that allows you
to detect and temporarily (or permanently) shutdown offending IP
addresses based on how many times in a given duration that a
connection has been made. This is one way to solve the problem and I
recommend it if you are interested in learning firewalling.
However, it can be somewhat complex and if you want to avoid the
complexity you could simply move your SSH port. Edit your
/etc/ssh/sshd_config file and change "Port 22" to something like "Port
62200" or your street address, whatever, just stay away from ports
listed in /etc/services. Then to SSH in use the -p option of ssh (or
PuTTY if you're stuck with Windows) to connect using the alternate
port number.
I don't recommend blocking their address manually. Although it will
stop the attack initially, you will eventually be attacked from
another IP address. It's not uncommon to be hit from more than one IP
simultaneously.
--
John Van Ostrand, Director of Technology, Net Direct Inc.
564 Weber St. N. Unit 12, Waterloo, ON N2L 5C6
map: <http://maps.google.ca/maps?q=Net+Direct+Inc.,+564+Weber+St.+N.+Unit+12,+Waterloo,+ON+N2L+5C6,+canada&ll=43.494599,-80.548222&spn=0.038450,0.073956&iwloc=A&hl=en>
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Ph: 519-883-1172 ext. 5102   Fx: 519-883-8533
Linux Solutions / IBM Hardware <http://www.netdirect.ca>
--
Ian Howard
Director/Technical Lead
Adaptic - http://adaptic.ca
Adapted Information and Communications
[EMAIL PROTECTED]
extension 1 at the following numbers:
Toronto: +1 647 722 5629
Washington: +1 202 292 4242
Western Ontario: +1 519 488 1324
FWD: 709087
FAX: +1 866 304 6553
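The "N connection attempts within S seconds, then block the source" logic that John describes for the ipt_recent module, applied to the sshd log lines that were filling Reza's logs, as an added example that is not part of the thread and not anyone's posted code: a small Python detector that keeps a sliding window of failed logins per source address, flags a source once it reaches `hitcount` failures inside `window_seconds`, and emits the iptables commands a wrapper would run as root. The log lines, host name and addresses are constructed for the example; the script does not execute iptables itself, and the `trusted` exemption list (for your own management hosts) is an assumption of this example rather than something either poster suggested.

```python
"""Sliding-window failed-login detector with iptables ban generation.

Added example (not from the mailing-list thread). Mirrors the semantics of
`-m recent --update --seconds S --hitcount N` but drives them from sshd log
lines instead of packet state. All sample data below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log style lines (syslog format carries no year).
SAMPLE_LOG = """\
Mar 28 22:01:03 pbx sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 28 22:01:05 pbx sshd[4122]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar 28 22:01:08 pbx sshd[4125]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar 28 22:01:09 pbx sshd[4126]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar 28 22:01:11 pbx sshd[4127]: Failed password for root from 203.0.113.7 port 51253 ssh2
Mar 28 22:03:40 pbx sshd[4140]: Failed password for ian from 198.51.100.20 port 40001 ssh2
Mar 28 22:03:45 pbx sshd[4141]: Accepted password for ian from 198.51.100.20 port 40001 ssh2
Mar 28 22:10:00 pbx sshd[4150]: Failed password for invalid user oracle from 192.0.2.99 port 33000 ssh2
Mar 28 22:20:00 pbx sshd[4151]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
Mar 28 22:30:00 pbx sshd[4152]: Failed password for invalid user oracle from 192.0.2.99 port 33002 ssh2
Mar 28 22:40:00 pbx sshd[4153]: Failed password for invalid user oracle from 192.0.2.99 port 33003 ssh2
"""

# Only failed authentications count; "Accepted" lines are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts, year=2006):
    # syslog timestamps have no year, so the caller supplies one (assumed
    # here; a real log reader must handle the December/January rollover).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, window_seconds=60, hitcount=4,
                   trusted=frozenset(), year=2006):
    """Return {ip: time_of_trigger} for every source that produced
    `hitcount` failures inside some `window_seconds` span.

    `trusted` is an exemption list for your own hosts (an assumption of
    this example), so a mistyped password from them never earns a ban.
    """
    hits = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in trusted or ip in banned:
            continue
        when = parse_ts(m.group("ts"), year)
        q = hits[ip]
        q.append(when)
        # Age out failures older than the window (the --seconds part).
        while (when - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= hitcount:  # the --hitcount part
            banned[ip] = when
    return banned


def ban_commands(offenders, chain="INPUT", port=22):
    """iptables commands a privileged wrapper would run; not executed here."""
    return [f"iptables -I {chain} -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip, when in found.items():
        print(f"{ip} hit the limit at {when:%H:%M:%S}")  # 203.0.113.7 at 22:01:09
    for cmd in ban_commands(found):
        print(cmd)
```

With the defaults, 203.0.113.7 is flagged on its fourth failure (22:01:09), the single failure from 198.51.100.20 is ignored, and 192.0.2.99, which spaces its attempts ten minutes apart, never fills a 60-second window; widening the window to an hour catches it, which is the usual trade-off with slow scanners. Unlike the global `-m limit` rule in Ian's first point, which throttles every new connection on the interface once the burst is spent, this keys on the source address, so a flood from one host does not slow down authorised ones.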