
Thread: Being dos'd

  1. #1
    Join Date
    Nov 2019
    Beans
    14

    Being dos'd

    Hello

    I hope someone can help us.
    I rent a hertz server running Ubuntu 18.04 and we run a number of Rust game servers on this.
    A few bans here and there and we get a chap saying if we don't unblock him he'll DoS the server; figured it was just a joke!

    However, our server keeps getting pounded, with all the game servers running extremely slow, and I can't log in with PuTTY.

    We've emailed hertz, who have said they have detected an attack on our server and that they have emailed the attacker to ask them to stop?!
    And if it continues they'll block the IP.
    That's all well and good I guess, but I'd rather get the tools I need to do it myself right away!
    Bringing the server to its knees like this is killing our game servers and we've only just started to get good numbers :/

    Very thankful for any advice.

  2. #2
    Join Date
    May 2013
    Location
    Galiza
    Beans
    1,999
    Distro
    Ubuntu

    Re: Being dos'd

    No experience with such servers and even less with that hosting service but I think you're looking for Fail2Ban.

  3. #3
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Being dos'd

    This article about Fail2Ban is a bit old, but Digital Ocean has some really good tutorials and instructions.

    I don't think there will be substantial changes between 14.04 and 18.04, but it might be worthwhile to do some further research.
    Please read The Forum Rules and The Forum Posting Guidelines

    A thing discovered and kept to oneself must be discovered time and again by others. A thing discovered and shared with others need be discovered only the once.
    This universe is crazy. I'm going back to my own.

  4. #4
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    Hertz have just messaged us to say our server has been used to attack someone.

    They want us to tell them,

    1) how this happened
    2) how we are going to prevent it

    or they will block the server's IP

    My god, totally stitched up here.

    I don't know what log to point fail2ban at; we don't have Apache on this server, it's just 3 game servers and SFTP.

  5. #5
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Being dos'd

    Are you running nginx?

  6. #6
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    Nope, no web servers.

  7. #7
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Being dos'd

    So you are exposing your naked game servers unprotected? Your attacker is taking advantage of that. Your OS is an open door with a sign that says "Compromise me".

  8. #8
    Join Date
    Nov 2019
    Beans
    14

    Re: Being dos'd

    How would you protect them?

    I'll be honest, I just followed a guide from LGSM:
    https://linuxgsm.com/

    What sort of protection should I get?
    I'm more than willing to do the work!
    I just don't know what to do.

  9. #9
    Join Date
    Jul 2008
    Location
    The Left Coast of the USA
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: Being dos'd

    I would not expose a server (the machine) to the web without a well-protected web server. Then, I'd put the game server behind that.

    If LGSM does not operate under that environment, I'd bag the whole thing and find something else to do with my spare time. You have exposed your OS and machine to just the sort of thing you have encountered. The DoS might be the least of the things the attacker might have done. You've basically been walking through a public park without a stitch of clothing on.

    Both Apache and nginx can be hardened to reduce the threat of DoS.

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    20,542
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Being dos'd

    Quote Originally Posted by QIII:
    So you are exposing your naked game servers unprotected? Your attacker is taking advantage of that. Your OS is an open door with a sign that says "Compromise me".
    +1000!!!

    A) Don't allow connections from anywhere connections cannot be trusted. I currently block about 10K subnets around the world from my web servers and about 4K from email SMTP. I use ipset for this.

    B) Always use a reverse proxy to ensure only valid URLs and requests even get to the real server running any programs. Nginx can look at the URLs, use regex patterns to allow validated requests and block all others. Nginx is just 1 option. There are others.

    C) There are many levels of DDoS attacks. If they are targeted just at a server process, then after you set up A and B, look at fail2ban. If they are attacking from only 1 IP or 20 IPs, why haven't you blocked those already?

    D) If your administrative access is using passwords, you've already failed as an admin. If anywhere in the world can access your SFTP or SSH connection, just shut down the system and move to a different service already. Only use key-based connections for admin use. Don't use passwords.

    E) Sounds like the system has been compromised. Time to wipe and restore from a backup you made PRIOR, secure it, run some hacking attempts yourself, get 100 friends to hack it, secure against all the found issues, then bring up that new system for your users. Don't allow the world access until you are positive it is secure enough and won't be cracked again in 5 min. In short, nuke it from orbit, since nothing on that system can be trusted anymore. This time set up a secure system, on a different IP, patch it at least weekly and have daily, automatic, versioned backups. These aren't optional.

    F) For $20 someone can pay a DDoS group to DDoS systems for 24 hrs sufficiently to really cost your provider $$$$$. Many would just fire you and take the system down. Some people would use this as a way to switch to a service like Cloudflare, who can handle huge amounts of bandwidth that most cheap DDoS attempts wouldn't impact. For $100, a much heavier DDoS can be ordered. For $2000, pretty much everyone but FB and Google would be hurt.

    There are anti-DDOS services, but those aren't cheap. They are mostly used by online gambling sites the week before huge sporting events to prevent any betting by competitors. They basically have huge pipes, analyze all inbound traffic before forwarding it off to the real servers unless it contains malicious content that abuses server resources.
    Around 2010, a south central Asian country was knocked offline through a DDOS of only 45Mbps. At the time, the entire country only had a T3 connection to the internet - DS-3 is 35Mbps. Basically, a single home computer in South Korea could have effectively DDOS'd that entire country. https://en.wikipedia.org/wiki/2010_c...cks_on_Myanmar

    To block a small subnet from any Ubuntu system, something like this:
    Code:
    $ sudo ufw deny from 185.234.216.135/24
    When you get over 50 rules like that, you'll probably want to switch to ipset, which is much more efficient. It is also more complex to use. I block subnets, not single IPs. My thought process is that any provider who doesn't proactively handle bad people needs all their subnets blocked. MSFT corporate subnets were DDoSing one of my sites about 8 yrs ago, so I blocked MSFT. Those rules stand today.
    Code:
    sudo /sbin/iptables -I INPUT -s  168.61.0.0/16  -j DROP
    sudo /sbin/iptables -I INPUT -s  168.62.0.0/15   -j DROP
    For servers, there is no type a, b, c answer. There are guides that talk big-picture ideas for you to fill in with 20-50 commands for each idea based on YOUR system and requirements.
    Last edited by TheFu; June 15th, 2020 at 09:07 PM.
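    As an added example (not code from the thread, from TheFu, or from LinuxGSM), the step the post above recommends once the ufw/iptables rule list grows: a POSIX sh script that turns a plain CIDR list into an ipset restore file, validates each entry instead of silently loading garbage, and prints the one iptables rule that references the set. The set name blocklist, the file format and the sample entries are assumptions; the two subnets in the sample are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the thread or LinuxGSM): build an `ipset restore`
# file from a plain CIDR list, so dozens of ufw/iptables DROP rules collapse
# into one hash:net lookup. Assumed: set name "blocklist", '#' comments.
set -f   # no pathname expansion while we word-split untrusted input
# valid_cidr A.B.C.D/LEN -> 0 if every octet is 0-255 and LEN is 0-32.
valid_cidr() {
    ip=${1%/*}; len=${1#*/}
    [ "$ip" != "$1" ] || return 1                  # no '/' present
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# gen_ipset_restore FILE [SETNAME]: restore script on stdout; malformed
# lines are reported on stderr and skipped, never silently added.
gen_ipset_restore() {
    setname=${2:-blocklist}
    echo "create $setname hash:net family inet"
    sed 's/[[:space:]]*#.*$//' "$1" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        if valid_cidr "$cidr"; then
            echo "add $setname $cidr"
        else
            echo "skipping invalid entry: $cidr" >&2
        fi
    done
}
# apply_commands [SETNAME]: privileged load/hook steps, printed rather than run.
apply_commands() {
    setname=${1:-blocklist}
    echo "ipset restore -exist < /etc/ipset/$setname.restore"
    echo "iptables -I INPUT -m set --match-set $setname src -j DROP"
}
# Constructed sample: the two subnets from the post plus two deliberately bad entries.
sample=$(mktemp)
cat > "$sample" <<'EOF'
168.61.0.0/16
168.62.0.0/15
185.234.216.0/24   # trailing comment is stripped
300.1.1.1/24
1.2.3.4
EOF
gen_ipset_restore "$sample"
```

    Run as an unprivileged user it only prints; redirect the output to the restore file and then run the two commands from apply_commands as root.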
