Hey, well… lately I am getting random DOS attacks, nothing big but sometimes those are doing their job. It’s not like a full blown DDOS, but a single IP, from time to time, tries this against my servers.
Let’s start here a discussion about the best solution and how can one implement it. What I tried:
-DDOS deflate: ancient script, still working nothing to do with it’s age; but it is very limited, basically just counts the connections (netstat) via a cron job and above a certain threshold it writes in iptables a DROP rule. Biggest problem - it is broken and you can’t whitelist yourself, your big clients behind a single IP, you get it, you and your most important users have to suffer;
-Citadel: announced as a DDOS deflate replacement, exactly for the above reasons. But it just doesn’t work, sometimes you get an email, but no rules in iptables; easy to install/configure but for some weird reason doesn’t play nicely with me. Man, I mean… I asked a friend to DOS me and it just kept going
-Apaches mod_evasive: tried to configure, didn’t work, I should get back to this one. But it’s only for apache; can it write (I think not) a rule in iptables?
-Iptables: same concept, it allows a predefined number of connections, most of the people use that - problem is it can be pretty complex and on a busy server you get huge CPU loads, and as the list of the banned IPs grows (I also use Fail2Ban for SSH, SASL, Postfix, and Proftpd with multiport all protocols permanent ban, which really lowers the attack surface and uses a lot less resources) you need scripts to flush the rules - it doesn’t cut it for me;
-Fail2BAN: again, nice little tool, watches the logs for multiple connections from the same IP, but it doesn’t work for some reason with Virtualmins multiple paths to log files which is something like (default) /home/*/logs/access_log. In fact if I throw anywhere an * in the paths it stops working.
Is there any Open Source tool that I missed? One that runs on Centos 6.x with iptables? How do you people mitigate small DDOS (except for the obvious manual methods), without using a CDN and stuff?