Page 3 of 3 FirstFirst 123
Results 21 to 29 of 29

Thread: Being dos'd

  1. #21
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    Quote Originally Posted by EuclideanCoffee View Post
    I'm sorry you're being DDOS'd.

    You do not need a web server to protect your data.

    Fail2ban is good, but it won't protect you from ddos unless you understand how it works.

    Can you shut down your servers now, so you can spend the time you need to address the issue?

    Once you shut down, we'll go over a diagram on how to setup your server.
    Yes!

  2. #22
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Being dos'd

    Quote Originally Posted by EuclideanCoffee View Post
    You do not need a web server to protect your data.
    Strictly speaking, you don't. But you can add defense in depth. As I said, that's what I would do.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  3. #23
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,205
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Being dos'd

    Quote Originally Posted by youmustnot View Post
    the attack is happening again so ive closed all but one port again.
    They attack is always happening if you allow the source IPs from anywhere in the world. Only allow source IPs from places you specifically know to be friends. Right now, that is your house/work subnets and nowhere else.

    If you allow 22/tcp to the entire world, then the entire world will attack that. Secure ssh first by not running on the default port. Moving it to something else ... pretty much anything else ... will probably stop those attempts. My blog has a "secure ssh connections" article that DOES have commands and settings.

    And you still haven't said what a "game server" is. If you don't provide specifics, nobody can provide specific answers.

  4. #24
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    Quote Originally Posted by TheFu View Post
    They attack is always happening if you allow the source IPs from anywhere in the world. Only allow source IPs from places you specifically know to be friends. Right now, that is your house/work subnets and nowhere else.

    If you allow 22/tcp to the entire world, then the entire world will attack that. Secure ssh first by not running on the default port. Moving it to something else ... pretty much anything else ... will probably stop those attempts. My blog has a "secure ssh connections" article that DOES have commands and settings.

    And you still haven't said what a "game server" is. If you don't provide specifics, nobody can provide specific answers.
    ok i'll get that port changed over,

    the game server is a facepunch RUST game server. I'm using LGSM to manage it, i did mention it previously you must of missed it

  5. #25
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,205
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Being dos'd

    I caught the "rust" part, but that's like saying i'm running a C++ program. Very generic.

    Regardless, I’ve never heard of that game or the management software. Often, the failure is with the management stuff, so don't open that to any ip except yours - better would be to only allow localhost connections to the management interface. Use an ssh-tunnel for that. This is admin 101.

  6. #26
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    LGSM only runs in terminal i dont believe there is any outward looking interface, it just seems to be alot of bash scripts


    https://linuxgsm.com/lgsm/rustserver/


    the PC survival game "rust" by facepunch, not rust the programing language
    Last edited by youmustnot; 3 Weeks Ago at 12:57 AM.

  7. #27
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,205
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Being dos'd

    Ah - thanks for the education.

    Many years ago i ran a TF server on the internet for friends. Only brought it up when we all played. it was off otherwise. On weekends, they'd come over and we'd play on the LAN. We got tired and switched to a LAN-only game before we all got married and headed off to different parts of the world for other jobs.

    Seems there is an entire group of people who prefer to hack game servers. There's a twitter tag just for announcing who is doing what and their steamids. Guess that helps ban them more places?

  8. #28
    Join Date
    Sep 2014
    Location
    United States
    Beans
    281
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: Being dos'd

    Sorry, I was away.

    Did things improve since installing ufw and changing your port?

    The next thing I would do is block all ports besides the game ports except incoming for port 22 (or whatever is ssh) from a trusted server.

    You can create your trusted server from anything, but have in mind a "plan b" in case your trusted server is compromised.

    Let me know if you need illustrations, and I'll provide them. From the general tone of your posts, it sounds like you're doing better.

    Concerning a web server, you won't need one. Fail2ban does a good job protecting web servers in my experience, but when you want to adapt it for a special service like a video game server, you'd need to tweak it. Since users are connecting without a browser, you'd need to be sure you have some sort of fail2ban configuration setup after the initial attack waves have died down.

    What is likely happening is that the banned user purchased a DDOS service. You can read more about this sort of thing from Krebs on Security's blog. He talks in depth about Minecraft DDOSing as it is more common and easy to explain.
    Last edited by EuclideanCoffee; 3 Weeks Ago at 01:32 PM.

  9. #29
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    the dos'ing is continuing, it stopped for a short while when i installed the firewall, but i think that was coincidence as its just as strong now.

    how do i see these IP's hitting the server? i dont see all that much in auth.log the odd failed login attempt from africa.

    I've enabled the 'robot' firewall within hertzner, and the spamming has stopped again.

    with the remaining ports that are open i can rate limit them:
    iptables -A INPUT -p udp -m udp --dport 27015 -m state --state NEW -m recent --set --name DEFAULT --rsource
    iptables -A INPUT -p udp -m udp --dport 27015 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP

Page 3 of 3 FirstFirst 123

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •