There are a lot of things you can do to tighten the doors against undesirable behavior and iptables, the linux firewall system included with all modern distributions is a great starting point.
iptables has rate limiting capability for tcp and udp using the --limit and --limit-burst parameters.

Syn-flood protection:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Furtive port scanner:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

You can also use iptables to fully deny services to any ip address, subnet, or even entire countries if you wish. A great resource for country assignments for IPv4 would be http://www.ipdeny.com/ipblocks/

For example, let's say your server experiences a lot of bad behavior from ip addresses assigned to Andorra. You would download the associated zone file from ipdeny.com (http://www.ipdeny.com/ipblocks/data/countries/ad.zone) and you'd find four subnets listed in that file:

85.94.160.0/19
91.187.64.0/19
109.111.96.0/19
194.158.64.0/19

You'd simply want to deny them access.

I cobbled together a mess of scripts which download all of the zonefiles from ipdeny each morning around 3am, plus a list of "dead zones" from spamhaus, and puts together a list of subnets to be blocked based on another file containing a list of country codes. CH = China, RU = Russia, etc. This way, if the IP assignments to a particular country are changed, added or deleted, my script will follow suit and make adjustments as well - daily.

You can also do the reverse - use iptables to allow certain countries through, and block everything else. Which you choose depends on which list is bigger, as the bigger the list the more work iptables has to do.

If you want something more robust than iptables, then you're looking at traffic shaping software which will offer you far more flexibility, though with a penalty against the processor, memory, and the overall speed of the game server. Depending on your hardware and how your linux is tweaked to your particular hardware, this may or may not be an issue.
If you host your own equipment on your own subnet as I do, you can reduce hacking attempts by not giving out your server IP address to forums, friends, and what not. Instead, you give out a DNS name, such as dod.mydomain.com. Then, every so often, change the IP address of the game server to one of your other IP addresses, and change its DNS entry as well. Most script-kiddie type attempts tend to focus on IP address, so changing things around every so often leaves them without a clue.

If you want to make this easy for you, assign your servers a DHCP address that's statically listed in your DHCP server, but also tied to your DNS server. This way you only have to change the IP address of the server in your DHCP server and restart the network services on that server (or reboot it entirely), and your DNS server will be updated as well once it boots. It's a bit of a pain in the butt to set up, but once you get it working right it makes life easy. This is useful if you do your own hosting with your own equipment and not hosting your stuff somewhere else with shared or dedicated hosting or colo. You need control of the DNS and DHCP server functions to make this work.

I personally believe logging and scrutinizing the logs and blocking offending ips, segments and countries to be the least amount of work. Then again, I'm not particularly chasing gamers or business people from other countries, and that's just a preference/decision I've made.

Hope some of that helped.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Sunday, May 09, 2010 5:03 PM
To: [email protected]
Subject: [hlds_linux] Protect L4D2 servers

My Left4Dead2 servers were recently attacked. The attacker caused a server to lag and crash. Are there any methods to protect my servers from such attacks? thanks!
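Added example (not from the message or the list): a small POSIX shell script that validates an ipdeny-style zone file before turning it into iptables DROP rules, and pairs the SYN rate-limit rule quoted above with the DROP it needs, since "-m limit ... -j ACCEPT" only admits the allowed rate and lets the excess fall through to later rules and the chain policy. The chain name COUNTRY_BLOCK is an assumption and the zone contents are constructed from the four Andorra subnets in the message plus two junk lines.

```shell
# Added example, not from the message: turns an ipdeny-style zone file into
# iptables rules and pairs the SYN rate limit with the DROP it needs. Chain name
# COUNTRY_BLOCK is an assumption; ZONE_SAMPLE is constructed from the four
# subnets quoted in the message plus two junk lines that must be skipped.
ZONE_SAMPLE='85.94.160.0/19
91.187.64.0/19
# comment line
109.111.96.0/19
194.158.64.0/19
not-an-address'

# Returns 0 when $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, 0 <= n <= 32).
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; bits="${1#*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    n=0; oldifs="$IFS"; IFS=.
    for oct in $ip; do
        case "$oct" in ''|*[!0-9]*) IFS="$oldifs"; return 1 ;; esac
        [ "$oct" -le 255 ] || { IFS="$oldifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# Reads zone lines on stdin, prints one DROP rule per valid subnet for chain $1,
# and reports (on stderr) and skips comments, blank lines and malformed entries.
zone_to_rules() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_cidr "$line"; then
            printf 'iptables -A %s -s %s -j DROP\n' "$1" "$line"
        else
            printf 'skipping malformed zone entry: %s\n' "$line" >&2
        fi
    done
}

# A limit rule only admits the allowed rate ($1) and burst ($2); the excess must
# hit an explicit DROP right after it or it falls through to the chain policy.
syn_limit_rules() {
    printf 'iptables -A FORWARD -p tcp --syn -m limit --limit %s --limit-burst %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A FORWARD -p tcp --syn -j DROP\n'
}

# Number of DROP rules generated from the constructed sample (expected: 4).
sample_rule_count() {
    printf '%s\n' "$ZONE_SAMPLE" | zone_to_rules COUNTRY_BLOCK 2>/dev/null | wc -l | tr -d ' '
}
```

Review the generated rules before feeding them to the shell, and add the chain (iptables -N COUNTRY_BLOCK) and a jump into it from INPUT or FORWARD yourself.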
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux

