need some assistance on firewalls

[jxrry59]

putting up (its built) a community forum vbulletin, running on a fedora OS ..the firewall is kind of confusing its called "linux firewall" and what i want to do is drop packets from a dos and set up an autoban script if we are dos'ed

the best i could do is allow a few trusted ips into the server and have it throw up a 404 for the general public

and......how important is this script?? whats the likelihood of this happening??

gonna be a small community based forum with some games and stuff, not for profit, just selfsupporting cause i always wanted to do it

[er0k]

http://www.netfilter.org/projects/iptables/index.html

[jxrry59]

thanks i jhave been through about 50% of that, would really like that autoban thingy..i would sleep better at night

[nihil]

Hi,

From what I have seen a random DoS attack on such a site would be most unlikely.

As very big sites with masses of resource get taken down by DoS attacks, I don't see how a firewall or script will protect you much. You still need the resource to receive, handle and drop the packets, so it is mostly a question of resource.

I would certainly restrict to trusted IPs, but remember that a lot of these are dynamic, so you will need to allow blocks/pools, which reduces the effectiveness of this approach.

You might also want to consider blocking proxies.

I feel that if you are attacked, it will be from within

[er0k]

maybe this will help a bit: http://www.litespeedtech.com/communi...php/t-466.html

[nihil]

I would suggest that your first defence should be to be careful who you let join in the first instance.

SYN/ACK?............. a communication has to take place before a decision can be made, and this takes up your resource. Even if you ban an IP address, you system has to check the incoming communication to determine whether to allow it or not?

DoS attacks are about volume as much as anything else?

[IKnowNot]

I've said this before, but it bares repeating: I am no expert.

If you understood everything above and still revert back to the original question, maybe this will help:

I don't like pre-made firewalls, whatever they are called. Fedora uses Netfilter ( IpTables ) by default, as do most newer Linux Distros. If you say they call it "linux firewall" then whatever ( I believe they use lokkit to administer, ) but Linux can also use IpChains, IPFWADM ( do they still use that in the newest 2.6 kernel? )

I usually just delete Fedora's rules for IpTables and create my own. I do this in two ways:

After deleting the stock ruleset, I first I create a ruleset which is only sufficient enough to allow the OS to load and have that load by default ( see the IpTables man pages on how to do this, but some versions of Fedora had trouble with this, )
Then I load ( via a script started in rc.local ) my rules ( this loads after everything else. )

Default is always DROP

To utilize this method, you have to understand the first link er0k posted. Not easy.

I am with nihil on this one as far as likelihood of being targeted from what you describe, but I believe in being forearmed as well.

But what is it exactly you are trying to achieve, and what exactly are your resources?

On the part of resources, I am asking
1) machine the firewall will be running on ( I am assuming it will be a separate machine from the web server? I am asking not only specs of the machine, but the network and web server )

2) OS: you said Fedora, but what version, and how have you modified / hardened it

3) what type of connection to the Internet

Why does this matter? I think it is obvious, but I am considered " Eccentric."
It matters because it will tell how much the system can handle.
It matters because it will tell how the system will handle things.
It matters because it may tell where a bottleneck would be.
It matters because it could tell how much knowledge you have, and how someone should adjust their answers so that you may understand. There exists some components of Netfilter that require patching kernel source and rebuilding the kernel to utilize ( and remember here, RedHat does not use the standard Linux placement for such things as executables such as IpTables: necessary to know before you try to build a custom IpTables package into a kernel.)
Depending on the version of Fedora, whether you have enabled SELinux, and what policies you have chosen to use and how you choose to impalement your solutions, you may have to create custom SELinux policies.

It matters because if you are on a dial-up connection, chances are you will loose conductivity before you max out resources on your network?

On the part of what you are trying to achieve, I am asking

1) are you specifically targeting DoS attacks?

2) can you limit right from the start what IP addresses ( or blocks ) will be allowed to access you web pages ( as suggested )

3) do you understand the question you posed?

Why does it matter? IBID

If you have read and understand the links that er0k posted, ( especially the first ) with two separate methods ( one more geared toward the firewall, the other geared toward the website itself ) then you should be off to a good start. As far as the second link goes, I am not that familiar with the code or program to verify, but as for the first, maybe this will help ( only if you comprehended and retained what was in the first link, which was a lot :
From http://www.siliconvalleyccie.com/lin...bles-intro.htm

Consider another example



iptables -A INPUT -p icmp --icmp-type echo-request \

-m limit --limit 1/s -i eth0 -j ACCEPT



The limit feature in iptables specifies the maximum average number of matches to allow per second. You can specify time intervals in the format /second, /minute, /hour, or /day, or you can use abbreviations so that 3/second is the same as 3/s.

In this example, ICMP echo requests are restricted to no more than one per second. When tuned correctly, this feature allows you to filter unusually high volumes of traffic that characterize denial of service (DOS) attacks and Internet worms.



iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT



You can expand on the limit feature of iptables to reduce your vulnerability to certain types of denial of service attack. Here a defense for SYN flood attacks was created by limiting the acceptance of TCP segments with the SYN bit set to no more than five per second.

( I am not advocating that site, but rather that came up on top with a quick Google search to illustrate what was intended. )

There are many more exotic ways of doing the same thing, but is it necessary?

Again, I am going to refer back to nihil on his questions, and further ask, are you refering to a DoS, or a DDos? Do you understand the difference?

Referring back, there are ways to include an IDS solution to identify hostile clients and have Netfilter block those addresses dynamically, as you requested. But do you really need this level? ( it goes beyond just a DoS. )
Do you have the resorces to run an IDS?
There are also other forums that could help with specific questions such as IDS questions, and integrating them into Netfilter..

Are you talking just a DoS, or a DDoS? The later would require a hands on, very knowledgeable approach, with extensive resources. ( search the archives, there have been links to such experiences. )

To tell you the truth, I could care less about your warm and fuzzy feeling you are looking for. That just ain't gonna happen if you now what you are doing and you have a computer connected to the Internet ( and it is turned on. )

If you did not understand what I have said, try Google.

If you do ( or do almost ), please post specific questions, maybe someone ( maybe even me ) could help answer them, if they have not already been answered.

[Eyecre8]

Nihil... tsk tsk...

DoS attacks are about volume as much as anything else?

Now I KNOW you know better than that! A single malcrafted packet can crash a service or even an OS hence being a DoS. I think what you meant was that DDoS attacks are about volume/Flooding.

I can give you an example of a DDoS that I experienced this weekend.... small bar with too many people who already had their drinks camping out there ....not letting others in to order.
Denied... didn't want to fight it... left for another bar


jxrry59,
On a more serious note... I believe you said you are using vbulletin?
I would be more concerned with how many posted vulnerabilities there are out there for it.

Run a simple search for:
vbulletin + exploit

or vbulletin + vulnerability