[CentOS-es] Como evito ataque DDoS a servidor DNS por iptables

[Elio Bastias, Project Managers]

Buenos Días,
Ignacio,
Hay muchas formas para poder evitarlos:
1) Una es colocar un router con algún IDS, tipo Snort, ú  otro para que la
carga se haga en el router y no en el servidor DNS.-
2) Podes utilizar fail2ban, en otro hilo estamos discutiendo algo similar,
te pego una de las posibles config que se puede hacer, esto es de uno de
los foristas, para que te orientes:

había un problema similar con unos de mi vps, al revisar los logs full
ataques,
pero con pocas cosas los detuve, te explico a ver que te sirve:

1.- SSH: Cambie el puerto por Defecto.

2.- Definir Buenas Reglas Iptables y Shorewall (Administrar una Lista Negra
de Ips de Ataques).

3.- Fail2ban: (Luego de Investigar mucho logre esta configuración):

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will
not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = tu ip.

# "bantime" is the number of seconds that a host is banned.
bantime  = 36000

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external
libraries.
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in
logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be
performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be
performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=tu email]
logpath  = /var/log/secure

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=tu email]
logpath  = /var/log/proftpd/access.log
maxretry = 5

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = true
filter   = sasl
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=tu email]
logpath  = /var/log/maillog
maxretry = 3

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".


[ssh-tcpwrapper]

enabled     = true
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=tu email]
ignoreregex = for myuser from
logpath     = /var/log/secure

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = true
filter   = apache-auth
action   = hostsdeny
logpath  = /home/*/logs/*error.log
           /home/*/logs/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port="110,995,143,993,25",
protocol=tcp]
           sendmail-buffered[name=BadBots, lines=5, dest=tu email]
logpath  = /var/log/maillog
maxretry = 3

# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[dovecot]

enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993,25",
protocol=tcp]
         sendmail-whois[name=Fail2Dovecot, lines=5, dest=tu email]
logpath = /var/log/dovecot.log
maxretry = 3

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=tu email]
logpath  = /home/*/logs/access.log
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = true
filter   = apache-noscript
action   = shorewall
           sendmail[name=Postfix, dest=tu email]
logpath  = /home/*/logs/error.log

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois"
defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = true
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=tu email]
logpath  = /var/log/messages
ignoreip = tu ip

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = true
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive,
logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

Estas son algunas opciones que puedes configurar en tu fail2ban, si buscas
en google con tus logs que ya tienes puedes probar cada una de ellas, te
recomiendo que crees tu propio archivo jail.local en vez de jail.conf, asi
cada vez que actualices tendrás tus reglas guardadas sin problemas, todo es
cuestión de paciencia y sobre todo de analizar tus logs para detectar los
ataques que recibes, claro habrán otros que no veras como escaneos,

Saludos


El 3 de octubre de 2013 10:22, Ignacio Ordeñana <ifor1982 en gmail.com>escribió:

> hola me gustaria saber como evitar ataque DDoS a mi servidor dns por medio
> de iptables e inclusive como volver mas seguros el servidor dns para evitar
> estos tipo de ataques
>
> saludos
> _______________________________________________
> CentOS-es mailing list
> CentOS-es en centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
>



-- 
Elio Bastias
Project Manager