[CentOS-es] Como evito ataque DDoS a servidor DNS por iptables

Rodrigo Pichiñual Norin rodrigo.pichinual en gmail.com
Jue Oct 3 14:00:28 UTC 2013


Elio,

me puedes explicar este trozo de codigo y para que sirve?

[apache-badbots]

enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=tu email]
logpath  = /home/*/logs/access.log
bantime  = 172800
maxretry = 1



esta habilidato apache-badbots (enabled = true)
utiliza el filtro apache-badbots ubicado en el directorio filter.d
action = ?
logpath= donde busca los log para actuar
bantime = ? ( se que es timepo de banneo)
maxretry = ? ( un solo intentoooo???? )


gracias


2013/10/3 Elio Bastias, Project Managers <elio.bastias en gmail.com>

> Buenos Días,
> Ignacio,
> Hay muchas formas para poder evitarlos:
> 1) Una es colocar un router con algún IDS, tipo Snort, ú  otro para que la
> carga se haga en el router y no en el servidor DNS.-
> 2) Podes utilizar fail2ban, en otro hilo estamos discutiendo algo similar,
> te pego una de las posibles config que se puede hacer, esto es de uno de
> los foristas, para que te orientes:
>
> había un problema similar con unos de mi vps, al revisar los logs full
> ataques,
> pero con pocas cosas los detuve, te explico a ver que te sirve:
>
> 1.- SSH: Cambie el puerto por Defecto.
>
> 2.- Definir Buenas Reglas Iptables y Shorewall (Administrar una Lista Negra
> de Ips de Ataques).
>
> 3.- Fail2ban: (Luego de Investigar mucho logre esta configuración):
>
> [DEFAULT]
>
> # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will
> not
> # ban a host which matches an address in this list. Several addresses can
> be
> # defined using space separator.
> ignoreip = tu ip.
>
> # "bantime" is the number of seconds that a host is banned.
> bantime  = 36000
>
> # A host is banned if it has generated "maxretry" during the last
> "findtime"
> # seconds.
> findtime  = 600
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 3
>
> # "backend" specifies the backend used to get files modification.
> # Available options are "pyinotify", "gamin", "polling" and "auto".
> # This option can be overridden in each jail as well.
> #
> # pyinotify: requires pyinotify (a file alteration monitor) to be
> installed.
> #              If pyinotify is not installed, Fail2ban will use auto.
> # gamin:     requires Gamin (a file alteration monitor) to be installed.
> #              If Gamin is not installed, Fail2ban will use auto.
> # polling:   uses a polling algorithm which does not require external
> libraries.
> # auto:      will try to use the following backends, in order:
> #              pyinotify, gamin, polling.
> backend = auto
>
> # "usedns" specifies if jails should trust hostnames in logs,
> #   warn when reverse DNS lookups are performed, or ignore all hostnames in
> logs
> #
> # yes:   if a hostname is encountered, a reverse DNS lookup will be
> performed.
> # warn:  if a hostname is encountered, a reverse DNS lookup will be
> performed,
> #        but it will be logged as a warning.
> # no:    if a hostname is encountered, will not be used for banning,
> #        but it will be logged as info.
> usedns = warn
>
>
> # This jail corresponds to the standard configuration in Fail2ban 0.6.
> # The mail-whois action send a notification e-mail with a whois request
> # in the body.
>
> [ssh-iptables]
>
> enabled  = true
> filter   = sshd
> action   = iptables[name=SSH, port=ssh, protocol=tcp]
>            sendmail-whois[name=SSH, dest=root, sender=tu email]
> logpath  = /var/log/secure
>
> [proftpd-iptables]
>
> enabled  = true
> filter   = proftpd
> action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
>            sendmail-whois[name=ProFTPD, dest=tu email]
> logpath  = /var/log/proftpd/access.log
> maxretry = 5
>
> # This jail forces the backend to "polling".
>
> [sasl-iptables]
>
> enabled  = true
> filter   = sasl
> backend  = polling
> action   = iptables[name=sasl, port=smtp, protocol=tcp]
>            sendmail-whois[name=sasl, dest=tu email]
> logpath  = /var/log/maillog
> maxretry = 3
>
> # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
> # used to avoid banning the user "myuser".
>
>
> [ssh-tcpwrapper]
>
> enabled     = true
> filter      = sshd
> action      = hostsdeny
>               sendmail-whois[name=SSH, dest=tu email]
> ignoreregex = for myuser from
> logpath     = /var/log/secure
>
> # This jail demonstrates the use of wildcards in "logpath".
> # Moreover, it is possible to give other files on a new line.
>
> [apache-tcpwrapper]
>
> enabled  = true
> filter   = apache-auth
> action   = hostsdeny
> logpath  = /home/*/logs/*error.log
>            /home/*/logs/error.log
> maxretry = 6
>
> # The hosts.deny path can be defined with the "file" argument if it is
> # not in /etc.
>
> [postfix-tcpwrapper]
>
> enabled  = true
> filter   = postfix
> action   = iptables-multiport[name=postfix, port="110,995,143,993,25",
> protocol=tcp]
>            sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> logpath  = /var/log/maillog
> maxretry = 3
>
> # Ban hosts which agent identifies spammer robots crawling the web
> # for email addresses. The mail outputs are buffered.
>
> [dovecot]
>
> enabled = true
> filter = dovecot
> action = iptables-multiport[name=Dovecot, port="110,995,143,993,25",
> protocol=tcp]
>          sendmail-whois[name=Fail2Dovecot, lines=5, dest=tu email]
> logpath = /var/log/dovecot.log
> maxretry = 3
>
> [apache-badbots]
>
> enabled  = true
> filter   = apache-badbots
> action   = iptables-multiport[name=BadBots, port="http,https"]
>            sendmail-buffered[name=BadBots, lines=5, dest=tu email]
> logpath  = /home/*/logs/access.log
> bantime  = 172800
> maxretry = 1
>
> # Use shorewall instead of iptables.
>
> [apache-shorewall]
>
> enabled  = true
> filter   = apache-noscript
> action   = shorewall
>            sendmail[name=Postfix, dest=tu email]
> logpath  = /home/*/logs/error.log
>
> # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
> # option is overridden in this jail. Moreover, the action "mail-whois"
> defines
> # the variable "name" which contains a comma using "". The characters ''
> are
> # valid too.
>
> # This jail blocks TCP traffic for DNS requests.
>
> [named-refused-tcp]
>
> enabled  = true
> filter   = named-refused
> action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
>            sendmail-whois[name=Named, dest=tu email]
> logpath  = /var/log/messages
> ignoreip = tu ip
>
> # Jail for more extended banning of persistent abusers
> # !!! WARNING !!!
> #   Make sure that your loglevel specified in fail2ban.conf/.local
> #   is not at DEBUG level -- which might then cause fail2ban to fall into
> #   an infinite loop constantly feeding itself with non-informative lines
> [recidive]
>
> enabled  = true
> filter   = recidive
> logpath  = /var/log/fail2ban.log
> action   = iptables-allports[name=recidive]
>            sendmail-whois-lines[name=recidive,
> logpath=/var/log/fail2ban.log]
> bantime  = 604800  ; 1 week
> findtime = 86400   ; 1 day
> maxretry = 5
>
> Estas son algunas opciones que puedes configurar en tu fail2ban, si buscas
> en google con tus logs que ya tienes puedes probar cada una de ellas, te
> recomiendo que crees tu propio archivo jail.local en vez de jail.conf, asi
> cada vez que actualices tendrás tus reglas guardadas sin problemas, todo es
> cuestión de paciencia y sobre todo de analizar tus logs para detectar los
> ataques que recibes, claro habrán otros que no veras como escaneos,
>
> Saludos
>
>
> El 3 de octubre de 2013 10:22, Ignacio Ordeñana <ifor1982 en gmail.com
> >escribió:
>
> > hola me gustaria saber como evitar ataque DDoS a mi servidor dns por
> medio
> > de iptables e inclusive como volver mas seguros el servidor dns para
> evitar
> > estos tipo de ataques
> >
> > saludos
> > _______________________________________________
> > CentOS-es mailing list
> > CentOS-es en centos.org
> > http://lists.centos.org/mailman/listinfo/centos-es
> >
>
>
>
> --
> Elio Bastias
> Project Manager
> _______________________________________________
> CentOS-es mailing list
> CentOS-es en centos.org
> http://lists.centos.org/mailman/listinfo/centos-es
>


Más información sobre la lista de distribución CentOS-es