Different Linux questions

jakubek160 · 14. November 2016

Hello , I am newbie to this subject even though i had a lot of ts3 servers but never builded myself on linux and i hat a lot of attempts to connect through the sshd (54k failed attempts) and i have 2 questions , first how to configure different port than 22 in fail2ban and other is how to give root permissions to another user and disable root logging. Thanks for all answers!

jakubek160 · 14. November 2016

One more question , please help me configure the ipconfig to do not allow any other ddos because idk where to paste these settings to be started automaticly since every vps restart : #!/bin/bash

if [ "$1" = "start" ]; then
echo '::: Uruchamianie blokadu'

##################################################################
##################################################################
# ping_bloc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Ochrona przed atakiem typu Smurf
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Nie aktceptujemy pakietow "source route"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Nie przyjmujemy pakietow ICMP rediect, ktore moga zmienic tablice routingu
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Wlaczamy ochrone przed blednymi komunikatami ICMP error
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Wlaczenie mechanizmu wykrywania oczywistych falszerstw
# (pakiety znajdujace sie tylko tablicy routingu)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 10 > /proc/sys/net/ipv4/ipfrag_time
echo 36024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# zwiekszenie rozmaru tablicy ARP
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 20 > /proc/sys/net/ipv4/ipfrag_time
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Blokada przed atakami typu SYN FLOODING
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Właczenie proxy arp - dzieki temu serwer nie zdycha po kilku
#echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
# Zwiekszenie rozmiarutablic routingu
echo "18192" > /proc/sys/net/ipv4/route/max_size
##################################################################
##################################################################
# czyszczenie starych regul
iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X

# ustawienie domyslnej polityki
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH ACK -j DROP
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN,URG,PSH -j DROP

# wykrywanie skanowania NULL
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_NULL: "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# wszystkie pakiety uznane za NEW bez flagi SYN sa podejrzane
iptables -N skany
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j skany
iptables -A skany -p tcp --tcp-flags ALL RST -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_INVERSE: "
iptables -A skany -p tcp --tcp-flags ALL RST -j DROP
iptables -A skany -p tcp --tcp-flags ALL ACK -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_TCP_PING: "
iptables -A skany -p tcp --tcp-flags ALL ACK -j DROP
iptables -A skany -p tcp --tcp-flags ALL FIN -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_FIN: "
iptables -A skany -p tcp --tcp-flags ALL FIN -j DROP
iptables -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_XMAS-NMAP: "
iptables -A skany -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A skany -p tcp -m limit --limit 10/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SKAN_INNE: "
iptables -A skany -j DROP

# Lancuch syn-flood (obrona przed DoS)
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 #-j LOG --log-level debug --log-prefix "SYN-FLOOD: "
iptables -A syn-flood -j DROP
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# ping
iptables -A INPUT -p icmp -s 0/0 -m limit --limit 1/s --limit-burst 4 -j ACCEPT

# utrzymanie polaczen nawiazanych
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

elif [ "$1" = "stop" ]; then
echo "::: Zatrzymanie blokady"
iptables -F
iptables -X
iptables -t nat -X
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X

fi

jakubek160 · 14. November 2016

One more thing i've got some type of ddos i don't know if it's the software ddos or what but look at this : ScreenShooter - Check this screenshot! , only ts3 is on and the bots (normally it's like 10% of usage of cpu)

**Sebbo** · 14. November 2016

Hi,
first of all: Please read some articles, books, FAQs or anything else to get more knowledge about TeamSpeak and especially Linux or you may will get some trouble in the future, because your server is doing things, about you don't know anything.

YOU have to take care about your server and nobody else. Due of that, that you seems like to be interested in hardening your server, I'll help you.

Zitat von jakubek160

how to configure different port than 22 in fail2ban

All setting files on Linux are located under /etc/<software>/.

In your case, you have to take a look at /etc/fail2ban/ and there you'll find a file called "jail.conf". Just search for "ssh" in this file and change the port to your different one:

Code

[ssh]enabled  = trueport     = ssh # ssh is default 22; change it to your different port like 2223filter   = sshdlogpath  = /var/log/auth.logmaxretry = 3

Zitat von jakubek160

how to give root permissions to another user

I recommend you to add the user to the sudo group:

Code

usermod -g sudo anotherUser

The user "anotherUser" is now able to login or execute everything with root permissions using the command "sudo":

Code

sudo -i

Code

sudo service sshd status

Zitat von jakubek160

disable root logging.

Just tell your SSH settings, that the root user is not allowed to login via SSH (/etc/ssh/sshd_config):

Code

PermitRootLogin no

Zitat von jakubek160

One more question , please help me configure the ipconfig to do not allow any other ddos because idk where to paste these settings to be started automaticly since every vps restart

I'm not sure, but just do a Google research on your "echo" commands. I believe, that you can save the most of them in the "/etc/sysctl.conf" with a little bit different syntax. Do you know more about it, @master_d?

For these iptables firewall rules, I recommend you to install the software "iptables-persistent". By running the command...

Code

/etc/init.d/iptables-persistent save

...or...

Code

/etc/init.d/netfilter-persistent save

...depending on your operating system, it will save the current configured / set firewall rules to make them reboot persistent.

Zitat von jakubek160

One more thing i've got some type of ddos i don't know if it's the software ddos or what

I believe, if it's a DDoS attack, your server won't respond anymore. Please note, that webinterfaces are sometimes buggy or only show a current snapshot instead of a live graph. You rather should check your CPU loads using the "uptime" command:

Code

$ uptime
 19:43:34 up 6 days, 13:10,  1 user,  load average: 0,00, 0,02, 0,00

master_d · 15. November 2016

Zitat von jakubek160

...
##################################################################
# ping_bloc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Ochrona przed atakiem typu Smurf
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Nie aktceptujemy pakietow "source route"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Nie przyjmujemy pakietow ICMP rediect, ktore moga zmienic tablice routingu
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Wlaczamy ochrone przed blednymi komunikatami ICMP error
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Wlaczenie mechanizmu wykrywania oczywistych falszerstw
# (pakiety znajdujace sie tylko tablicy routingu)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 10 > /proc/sys/net/ipv4/ipfrag_time
echo 36024 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# zwiekszenie rozmaru tablicy ARP
echo 1024 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 8192 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
echo 1 > /proc/sys/net/ipv4/tcp_rfc1337
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 20 > /proc/sys/net/ipv4/ipfrag_time
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Blokada przed atakami typu SYN FLOODING
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Właczenie proxy arp - dzieki temu serwer nie zdycha po kilku
#echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter
# Zwiekszenie rozmiarutablic routingu
echo "18192" > /proc/sys/net/ipv4/route/max_size
##################################################################...

Alles anzeigen

Everything within here can be configured within sysctl.conf

You have to change the syntax to something like this:

Code

net.ipv4.route.max_size = 18192

Also i have to mention something, that most administrators does not really understand.

Code

# Block ICMP-Requests is only a way to frustrate yourself, because you can not check easily, if your server is alive. Persons, who want to check or invade your server will only check the services, but no ICMP. So:
net.ipv4.icmp_echo_ignore_all = 0
# Ignore Broadcasts is not a problem, but as mentioned above, it is not really a security-feature.
net.ipv4.icmp_echo_ignore_broadcasts = 0

If you want to restrict the ICMP-Messages, use iptables to restrict it to the parts you really need, but not block them globally.
This is only my own point of view, other persons may think other ways round.

Different Linux questions

Teilen

Benutzer online in diesem Thema