14-07-2009, 03:58 PM   #1
hoctinhoc (Guest)
2 effective ways to counter DoS (Install mod_evasive for Apache to Prevent DDOS Attacks)
I> Vietnamese

DDoS is a form of attack in which hackers open a very large number of connections to a server, overloading it.
There are many ways to stop and prevent this kind of attack. Hardware solutions (such as a firewall) or software (DDoS-Deflate) can be used.

(D)DoS-Deflate - a fairly effective anti-DDoS tool
(D)DoS-Deflate is a program that detects and counts the IPs accessing the system (mass emailing, DoS pings, HTTP requests) via the "netstat -au" command. When it finds an IP with too many connections to the server, it automatically blocks that IP.

(D)DoS-Deflate runs on Linux; installing, configuring and using it is very simple.
Steps to install and configure (D)DoS-Deflate:

Installation
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh

Configuration
Edit the file /usr/local/ddos/ddos.conf
vi /usr/local/ddos/ddos.conf
Change the parameters: NO_OF_CONNECTIONS=50 // the maximum number of simultaneous connections allowed from one IP address.
Save.
Run the file: /usr/local/ddos/ddos.sh
Done.

Uninstalling:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos

Preventing HTTP DoS or DDoS attacks on CentOS Linux
Allow the "apache" user to run iptables, via sudoers, to block DDoS IPs
Apache has a module called mod_dosevasive

Module configuration
Code:
LoadModule dosevasive20_module modules/mod_dosevasive20.so
<ifmodule mod_dosevasive20.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
# Optional Directives - /usr/share/doc/mod_dosevasive/README for more info
DOSEmailNotify admin@domain.be
DOSWhitelist 192.168.1.*
DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP"
</ifmodule>


Note the line sudo /sbin/iptables -A INPUT -s %s -j DROP
which grants the apache user the right to run iptables to block offending IPs

Before that, log in as root and allow this user to run iptables:
Code:
vim /etc/sudoers

add this line
Code:
apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -s [0-9.]* -j DROP

The module configuration above blocks requesting IPs that:
- Request the same page more than 5 times per second
- Make more than 50 concurrent requests to the same child per second
- Make further requests while temporarily blacklisted (on a blocking list)
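The sudoers line above grants the apache user root-level iptables through a `[0-9.]*` wildcard. In sudoers, command-line arguments are matched as one concatenated string, so a wildcard can match more than a single address. A tighter arrangement, shown here as an added example that is not part of the original post or of mod_evasive, is to point DOSSystemCommand at a small wrapper that takes exactly one argument, checks that it is a well-formed IPv4 address, honours a never-block list, and only then calls iptables; the sudoers entry then names that fixed script with no wildcard at all. The script path /usr/local/sbin/evasive-block, the sudoers and httpd.conf lines in the comments, and the whitelist contents are assumptions; DRY_RUN=1 (the default) prints the rule instead of running iptables, so the script can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the post or from mod_evasive: a validating wrapper
# for DOSSystemCommand. Assumed (hypothetical) wiring:
#   sudoers:    apache ALL=(root) NOPASSWD: /usr/local/sbin/evasive-block
#   httpd.conf: DOSSystemCommand "sudo /usr/local/sbin/evasive-block %s"
# mod_evasive substitutes the offending client address for %s.

# Addresses that must never be blocked (constructed sample; in practice read
# from a root-owned file so the apache user cannot edit it).
NEVER_BLOCK='127.0.0.1
192.168.1.1'

# DRY_RUN=1 (default) prints the rule; DRY_RUN=0 executes it (requires root).
DRY_RUN=${DRY_RUN:-1}

# is_ipv4 ADDR: succeed only for a strict dotted quad with octets 0..255.
# Anything else (spaces, extra iptables flags, hostnames, IPv6) is rejected.
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octets
    esac
    dots=$(printf '%s' "$ip" | tr -cd '.' | wc -c | tr -d ' ')
    [ "$dots" -eq 3 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_whitelisted ADDR: succeed if ADDR is listed in NEVER_BLOCK.
is_whitelisted() {
    printf '%s\n' "$NEVER_BLOCK" | grep -qxF "$1"
}

# block_ip ADDR: validate, then print or apply the iptables rule.
# Exit status: 0 rule emitted/applied, 2 invalid address, 3 whitelisted.
block_ip() {
    ip=$1
    if ! is_ipv4 "$ip"; then
        printf 'refused: %s is not an IPv4 address\n' "$ip"
        return 2
    fi
    if is_whitelisted "$ip"; then
        printf 'skipped: %s is whitelisted\n' "$ip"
        return 3
    fi
    if [ "$DRY_RUN" -eq 0 ]; then
        /sbin/iptables -I INPUT -s "$ip" -j DROP
    else
        printf '/sbin/iptables -I INPUT -s %s -j DROP\n' "$ip"
    fi
}

# Only the first argument is ever consulted, so nothing appended to the command
# line can reach iptables. When run with no argument the script does nothing.
if [ -n "${1:-}" ]; then
    block_ip "$1"
fi
```

With this in place the sudoers grant covers one fixed path and no arguments, and the only string that ever reaches iptables is one the script itself has verified to be a plain IPv4 address that is not on the never-block list.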

(collected)


II> English

1. Install mod_evasive for Apache to Prevent DDOS Attacks


mod_evasive, formerly known as mod_dosevasive, is an Apache module that takes evasive action in the event of an HTTP DoS or DDoS (Denial of Service) attack or a brute-force attack against the web server. When a possible attack is detected, mod_evasive blocks traffic from the source for a set duration and reports the abuse via email and syslog. Administrators can also configure mod_evasive to talk to iptables, ipchains, firewalls, routers, etc. to build a more comprehensive DDoS prevention system for high-traffic web servers.

Although mod_evasive is not a foolproof or complete DoS prevention system, installing the mod_evasive module for Apache will likely reduce or stop certain DDoS attacks, minimizing the risk of web hosts and web sites being brought down completely by malicious denial-of-service attempts.
How to Install mod_evasive
  1. Login to web server via SSH.
  2. For Apache 2.0.x, execute the following command: up2date -i httpd-devel
  3. Continue with the following commands one by one, for all versions of Apache HTTPD server. The wget command downloads the current stable version 1.10.1 source tarball.
    cd /usr/local/src
    wget http://www.zdziarski.com/projects/mo..._1.10.1.tar.gz
    tar -zxvf mod_evasive_1.10.1.tar.gz
    cd mod_evasive
  4. For Apache 2.0.x , execute the following command: /usr/sbin/apxs -cia mod_evasive20.c
    Else, for Apache 1.3.x,
    /usr/local/apache/bin/apxs -cia mod_evasive.c
    The commands above compile mod_evasive to a .so and add the corresponding AddModule and LoadModule lines to httpd.conf.
  5. mod_evasive comes with preset default configuration values; if webmasters want to set the values themselves, the following parameters have to be added to the httpd.conf Apache configuration file below the AddModule section. For Apache 2.0.x, add the following text to httpd.conf below the AddModule section:
    <IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 600
    </IfModule>
    For apache 1.3.x, add the following text to httpd.conf below AddModule section:
    <IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 5
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 600
    </IfModule>
    Save and exit the httpd.conf Apache configuration file.
  6. Restart the Apache server with the following command: /etc/init.d/httpd restart
Note: If apxs is not found, it can be installed with the "yum install httpd-devel" command.
Installation is complete. Note that mod_evasive has known issues with FrontPage Server Extensions. Administrators can tune the variables, such as enlarging DOSHashTableSize for a busy server. But note that whenever a source of attack is blocked, the blocking duration is automatically extended each time the source attempts to connect again, so DOSBlockingPeriod need not be very long. Besides, blocking is kept per Apache child process, so a block only lives as long as that particular child; if the webmaster sets the maximum clients per process to a very low value, blocking may not be very effective. All mod_evasive directives are defined in the README file that comes with the source code.
Other than above common configuration parameters, mod_evasive also supports the following three advanced directives:
DOSEmailNotify users@example.com
DOSSystemCommand "su - someuser -c '/sbin/… %s …'"
DOSLogDir "/var/lock/mod_evasive"
DOSEmailNotify is particularly useful: you can have mod_evasive send a notification email whenever a possible DoS attack is detected and blocked. For example, "DOSEmailNotify root" sends the email to the root user. But check that the mailer configuration (by default "/bin/mail -t %s") in mod_evasive.c or mod_evasive20.c is correct for your system; create a symbolic link if needed, or modify the source file.

2. Prevent and Stop DoS or DDoS Attacks on Web Server (D)DOS-Deflate

All web servers connected to the Internet are subject to DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks of one kind or another, in which hackers or attackers launch a large number of connections consistently and persistently at the server, in advanced cases distributed across multiple IP addresses or sources, hoping to bring down the server or use up all network bandwidth and system resources so that web pages are not served and the website stops responding to legitimate visitors.

There are plenty of ways to prevent, stop, fight off and kill a DDoS attack, such as using a firewall. A low-cost, and possibly free, method is a software-based firewall or filtering service. (D)DoS-Deflate is a free open source Unix/Linux script by MediaLayer that automatically mitigates (D)DoS attacks. It claims to be the best free, open source solution to protect servers against some of the most excruciating DDoS attacks.
The (D)DoS-Deflate script basically monitors and tracks the IP addresses that are sending and establishing a large number of TCP network connections (such as mass emailing, DoS pings, HTTP requests) using the "netstat" command, which is the symptom of a denial of service attack. When it detects that the number of connections from a single node exceeds a preset limit, the script automatically uses APF or IPTABLES to ban and block the IPs. Depending on the configuration, the banned IP addresses are later unbanned using APF or IPTABLES (only works on APF v0.96 or better).
Installing and setting up (D)DOS-Deflate on the server is extremely easy. Simply log in as root over SSH and run the following commands one by one:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
To uninstall the (D)DOS-Deflate, run the following commands one by one instead:
wget http://www.inetbase.com/scripts/ddos/uninstall.ddos
chmod 0700 uninstall.ddos
./uninstall.ddos
The configuration file for (D)DOS-Deflate is ddos.conf, and by default it will have the following values:
FREQ=1
NO_OF_CONNECTIONS=50
APF_BAN=1
KILL=1
EMAIL_TO="root"
BAN_PERIOD=600
Users can change any of these settings to suit the needs or usage pattern of different servers. It is also possible to whitelist, i.e. permanently unblock (never ban), IP addresses by listing them in the /usr/local/ddos/ignore.ip.list file. If you plan to run the script interactively, set KILL=0 so that any bad IPs detected are not banned.
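Both the Vietnamese section above and this one describe the core of (D)DoS-Deflate: count connections per remote address from netstat output, compare the count with NO_OF_CONNECTIONS, skip addresses listed in ignore.ip.list, and ban the rest with iptables (or only report when KILL=0). The script below is an added example that re-implements that detection step in plain POSIX sh so the logic can be read and tested; it is not the project's own ddos.sh. The netstat output, the ignore list and the lowered threshold are constructed sample data, the pipeline only handles IPv4 addresses, and it prints the iptables rule rather than running it unless KILL=1.

```shell
#!/bin/sh
# Added example, not the project's ddos.sh: the detection step of (D)DoS-Deflate
# re-implemented so its logic can be read and tested. All sample data is constructed.

NO_OF_CONNECTIONS=5   # ddos.conf threshold (default 50; lowered so the sample trips it)
KILL=0                # 0 = report the rule only (as the post describes), 1 = apply it

# Constructed sample in the layout of "netstat -ntu" output (not captured from a host).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40004       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40005       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40006       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40007       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51002      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51004      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51005      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51006      SYN_RECV
tcp        0      0 10.0.0.5:443            192.0.2.44:33001        ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:33002        ESTABLISHED
'

# Constructed ignore list in the format of /usr/local/ddos/ignore.ip.list (one IP per line).
IGNORE_LIST='127.0.0.1
203.0.113.9'

# count_connections: netstat output on stdin -> "count ip" per remote IPv4, highest first.
# Same idea as a netstat | awk | cut | sort | uniq -c pipeline; tcp6/udp6 rows are ignored.
count_connections() {
    awk '$1 == "tcp" || $1 == "udp" { print $5 }' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# offenders: IPs over NO_OF_CONNECTIONS that are not in the ignore list.
offenders() {
    count_connections | while read -r count ip; do
        [ "$count" -gt "$NO_OF_CONNECTIONS" ] || continue
        printf '%s\n' "$IGNORE_LIST" | grep -qxF "$ip" && continue
        printf '%s\n' "$ip"
    done
}

# ban_ip: the rule DDoS-Deflate would add; printed unless KILL=1 (which needs root).
ban_ip() {
    if [ "$KILL" -eq 1 ]; then
        iptables -I INPUT -s "$1" -j DROP
    else
        printf 'would run: iptables -I INPUT -s %s -j DROP\n' "$1"
    fi
}

# run_check: one pass over the sample, equivalent to one cron tick of ddos.sh.
run_check() {
    printf '%s' "$SAMPLE_NETSTAT" | offenders | while read -r ip; do
        ban_ip "$ip"
    done
}

run_check
```

On the sample, 203.0.113.9 has the most connections but is on the ignore list, 192.0.2.44 is under the threshold, and only 198.51.100.7 is reported. Note that the count is over all connection states, so a burst of half-open SYN_RECV entries from one address counts the same as established sessions, which is exactly the symptom the script is meant to catch.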

Collected from the internet
QuantriNet IT forum
quantrinet.com | quantrimang.co.cc
Founded by Trương Văn Phương | Developed by QuantriNet's members.