Mitigating DDOS and Active Hacking Attempts

So I came to Virtualmin from VHCS, then ispCP Omega, then i-MSCP, so I've been using open source control panels for a while, and two things:

  1. This project is great, and has great people running it and a great community
  2. I have been plagued with CPU Spikes from time to time which I can’t explain

Well, after really diving into this for about a year, and with some help from support tickets, I think I've finally arrived at the point that these are DDoS attacks.

They come on fast, last a day or two (or less), then miraculously clear up.

The load on the server could be anywhere from 1.5 to 129!!! on a 1.9 Xeon with 6 cores!

So I looked into Comodo and then Cloudflare, but I don't know how many of you are using ConfigServer Security & Firewall. I recommend it highly; it works with Virtualmin.

It is easy to ban IPs, and you can set it up to auto-ban IPs based on criteria. But the thing I like the most is banning whole countries, explicitly or implicitly.

Once it is installed, if you are under attack you can disallow all connections except from your home country, simply with one line in csf.conf.

Just wanted to share it with the community!

David

This is a piece of that file:

    # Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
    # and entirely relies on that service being available
    #
    # Specify the two-letter ISO Country Code(s). The iptables rules are for
    # incoming connections only
    #
    # Additionally, ASN numbers can also be added to the comma separated lists
    # below that also list Country Codes. The same WARNINGS for Country Codes apply
    # to the use of ASNs. More about Autonomous System Numbers (ASN):
    # http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
    #
    # You should consider using LF_IPSET when using any of the following options
    #
    # WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
    # non-geographic IP address designations for their clients
    #
    # WARNING: Some of the CIDR lists are huge and each one requires a rule within
    # the incoming iptables chain. This can result in significant performance
    # overheads and could render the server inaccessible in some circumstances. For
    # this reason (amongst others) we do not recommend using these options
    #
    # WARNING: Due to the resource constraints on VPS servers this feature should
    # not be used on such systems unless you choose very small CC zones
    #
    # WARNING: CC_ALLOW allows access through all ports in the firewall. For this
    # reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
    # preferred
    #
    # Each option is a comma separated list of CC's, e.g. "US,GB,DE"
    CC_DENY = ""
    CC_ALLOW = ""

    # An alternative to CC_ALLOW is to only allow access from the following
    # countries but still filter based on the port and packets rules. All other
    # connections are dropped
    CC_ALLOW_FILTER = ""
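To make the "one line" concrete, here is a constructed csf.conf fragment (added to this thread as an illustration; it is not David's file and not CSF's shipped default) showing the weak setting the file's own comments warn against beside the preferred one. The country code "US" is assumed as the home country; LF_IPSET is the option the comments above say to consider so that the large CIDR lists become a single ipset match instead of one iptables rule per block.

```conf
# --- Weak: opens EVERY port to US sources, bypassing the TCP_IN/UDP_IN rules ---
CC_ALLOW = "US"

# --- Preferred: only US sources reach the server, and they are still subject
#     to the normal port and packet rules; all other countries are dropped ---
CC_ALLOW = ""
CC_ALLOW_FILTER = "US"

# Store the country CIDR lists in ipset sets instead of one iptables rule per
# block, so the per-packet cost does not grow with the size of the list
LF_IPSET = "1"
```

After editing the file, `csf -r` reloads the rules. Note that CC_ALLOW_FILTER drops everything from outside the listed countries, including your own remote sessions if you are travelling, so it is an emergency setting rather than a permanent one, and on a VPS the file's own warnings about resource use still apply.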

You can't prevent a DDoS with any software; the only solution is hardware protection and a lot of bandwidth. That's why DDoS protection isn't cheap. This is a fact, just to make this part clear. What you can do is prevent brute-force and/or hacking attempts, and for this Fail2Ban, CSF or some other similar software is enough. Banning IPs during a DDoS will do no good, as all of them will still hit your server and overload your firewall, which as a consequence will overload your CPU… and the chain reaction will unroll, making your server unresponsive. The more rules (IPs) you have inside your firewall, the more of the CPU will be used, because each time an IP tries to connect your server must check that IP against all the rules before accepting or blocking the connection.

During a real DDoS attack the number of IPs hitting your server can reach thousands per second, making even more requests per second. When this happens the server CPU will immediately overload, crashing almost anything installed on the server… including any software used as protection (F2B, CSF, modsecurity…).
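The distinction drawn in the reply above, between a handful of noisy sources (where a ban or rate limit in CSF/Fail2Ban helps) and a flood spread across thousands of addresses (where per-IP bans only add firewall rules), can be checked from the web server's own access log before anything is banned. The following script is an added example, not code from this thread or from CSF: it parses combined-format log lines, counts requests per source and per second, and classifies the spike by how much of the traffic the top sources account for. The log lines, addresses (RFC 5737 test ranges) and thresholds are constructed for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def summarize(lines, top_n=5):
    """Count requests per source IP and per second over a batch of log lines."""
    per_ip = Counter()
    per_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole run
        ip, when = parsed
        per_ip[ip] += 1
        per_second[when] += 1
    total = sum(per_ip.values())
    top = per_ip.most_common(top_n)
    top_share = (sum(n for _, n in top) / total) if total else 0.0
    return {
        "total": total,
        "unique_ips": len(per_ip),
        "peak_rps": max(per_second.values(), default=0),
        "top_ips": top,
        "top_share": round(top_share, 3),
    }


def classify(summary, min_total=200, concentrated_share=0.8):
    """'quiet' below min_total requests; 'concentrated' when the top sources carry
    most of the traffic (candidates for a ban/rate limit); otherwise 'distributed',
    where banning individual IPs will not reduce the load (assumed thresholds)."""
    if summary["total"] < min_total:
        return "quiet"
    if summary["top_share"] >= concentrated_share:
        return "concentrated"
    return "distributed"


def make_sample(ips_with_counts, start=None):
    """Construct combined-format lines spread over a 30 second window (fake data)."""
    start = start or datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    i = 0
    for ip, count in ips_with_counts:
        for _ in range(count):
            ts = (start + timedelta(seconds=i % 30)).strftime(TIME_FMT)
            lines.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512')
            i += 1
    return lines


if __name__ == "__main__":
    # Three sources hammering the server: a ban is worthwhile
    concentrated = make_sample([("198.51.100.10", 100), ("198.51.100.11", 100),
                                ("203.0.113.5", 100)])
    # 250 sources with two requests each: bans only add rules, load stays
    distributed = make_sample([(f"192.0.2.{i}", 2) for i in range(1, 251)])
    for name, sample in (("concentrated", concentrated), ("distributed", distributed)):
        s = summarize(sample)
        print(name, classify(s), s["unique_ips"], "IPs, peak", s["peak_rps"], "req/s,",
              "top share", s["top_share"])
```

Run it against real lines with `summarize(open("/var/log/virtualmin/example.com_access_log"))` (path assumed; Virtualmin's per-domain log location varies). A "concentrated" result names the few IPs worth feeding to `csf -d` or a Fail2Ban jail; a "distributed" result with a high peak req/s is the case the reply describes, where the fix is upstream filtering rather than more firewall rules.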

Well, that sucks. So the only solution is to use a service like Comodo or Cloudflare or something like that?

Is it just a matter of letting them take over the DNS name servers at the registrar level?

How do I stop a DDoS that is attacking my IP directly and not a website?

OVH and Hetzner have DDoS protection as part of their offer, i.e. no need to pay anything extra for that. But keep in mind this isn't the top DDoS protection on the market. They are almost the same in quality; still, I think OVH is slightly better than Hetzner because of its better network. These are the two cheapest hosting companies that I know of who offer "decent" DDoS protection, but forget any support if the problem isn't a hardware or network failure, i.e. no hand-holding one bit.

For real DDoS protection be prepared to pay $1000-2000+/month for just one protected IP… if you really want the best of the best. But I think the DDoS protection from the hosting companies mentioned earlier should be enough for you.