SoFunction
Updated on 2025-04-13

Mitigating small-scale DDoS with Freebsd + IPFW

Editor's note: The method discussed in this article is only effective against small-scale malicious attacks.

The author's company runs a total of 10 web servers, using Redhat Linux 9 as the operating system, distributed across major cities in the country and mainly providing HTTP services to users. At one point many users reported that some servers were slow to access or could not be reached at all. Investigation showed that they were under a DDoS (distributed denial of service) attack. Because the servers are too geographically scattered, a hardware firewall solution is not practical. Although IPtables is very powerful and sufficient for most attacks, the Linux system itself is weak at defending against DDoS attacks, so another approach was needed.

1. The charm of Freebsd

The advantage of Freebsd showed up in an accidental test: a virtual Internet was built in the LAN, and a Windows client was used to send Syn Flood packets to a Windows Server, a Linux server and a Freebsd server, none of them with any protection (common DDoS attacks mainly work by sending Syn Flood packets to the server). Windows stopped responding completely at 10 packets and Linux began to behave abnormally at 10 packets, while Freebsd withstood more than 100 Syn Flood packets. The author decided to move all of the company's web servers to the Freebsd platform.

After moving to Freebsd, things were stable for a while. Recently, however, users again reported that the website could not be accessed normally: pages opened slowly, or the browser reported that the site could not be found. Running netstat -a showed exactly 50 connections from one IP address, all of them in the FIN_WAIT_1 state. This is clearly a DDoS attack. Freebsd without a firewall is evidently not omnipotent, so I decided to install one.

After reading a lot of material, I learned that the most common firewall on Freebsd is called IP FireWall (IP firewall), IPFW for short. To use IPFW, however, the Freebsd kernel has to be recompiled, and for security reasons IPFW rejects all network services by default once compiled in, including those of the system itself. That left me stuck: how could I manage a server placed in another city?

Everyone must be careful here: a careless configuration may leave your server denying all services. The author tested this on a server running Freebsd 5.0 Release.

2. Configure IPFW

In fact, installing IPFW can be regarded as a software upgrade. On Windows, upgrading a piece of software means downloading the upgrade package and installing it; upgrading software on Freebsd is similar, except that the function we are enabling today is already built into the system, and we only need to turn it on. Before doing so, some preparation is needed.

Let's start by configuring the basic parameters of IPFW.

Step 1: Preparation
At the command prompt, perform the following operations:
#cd /sys/i386/conf
If the system reports that this directory does not exist, your system was installed without the ports service; remember to install it.
#cp GENERIC ./kernel_IPFW

Step 2: Kernel Rules
Open the kernel_IPFW file in an editor and add the following four lines at the end of the file:

options IPFIREWALL
Compiles the packet filtering code into the kernel.

options IPFIREWALL_VERBOSE
Enables logging through Syslogd; without this option, packets will not actually be recorded even if a filtering rule specifies logging.

options IPFIREWALL_VERBOSE_LIMIT=10
Limits the number of records per rule written through Syslogd. This option is useful if you are under heavy attack and want to record firewall activity, but do not want your log writing to fail because Syslog is flooded with records. With it, once an entry in the rule chain reaches the limit value, its log entries are no longer recorded.

options IPFIREWALL_DEFAULT_TO_ACCEPT
This line is the most critical. It changes the default rule action from "deny" to "allow", so that by default IPFW accepts any packet, which makes the server behave as though there were no firewall. Any rules you need can be added after the installation is complete.

After the input is completed, save the kernel_IPFW file and exit.

3. Compile the system kernel

Freebsd and Linux are both operating systems with open source code, unlike Windows, whose code is closed, so that when a problem appears we can only guess at the cause or consult Microsoft. Since the Freebsd kernel is constantly being upgraded, we usually compile the kernel either to use the functions of a new version or to customize a more efficient and stable system.

Here, of course, we compile the kernel to get a more efficient system, not to use new functions.

Some errors may be reported during compilation. To keep error prompts to a minimum, we have reduced the configuration file to the bare minimum. If errors still appear, check carefully for small problems such as typing mistakes.

Step 1: Compile the required commands
Execute the following commands on the command line:
#/usr/sbin/config kernel_IPFW
When it finishes, the following prompt appears:
Kernel build directory is ../compile/kernel_IPFW
Don't forget to do a ``make depend''
#cd ../compile/kernel_IPFW
Note that on some Freebsd versions the build directory is ../../compile/kernel_IPFW, while on Freebsd 5.0 it is ../compile/kernel_IPFW.
#make
#make install

Step 2: Start compiling the kernel

The time required varies with system performance; a server with an ordinary dual P4 XEON and 1GB of memory finishes in about 5 minutes.

4. Load the startup item

Compilation is complete. If we want the system to start IPFW automatically and record its logs, we need to perform the following operations:

Step 1: Edit the /etc/ file with an editor
Add the following parameters:
firewall_enable="YES"
Enables the firewall.
firewall_script="/etc/"
The firewall's default script.
firewall_type="/etc/"
The firewall's custom rule script.
firewall_quiet="NO"
Whether to display rule information when the script is run; if your firewall script will no longer be modified, you can set it to "YES".
firewall_logging_enable="YES"
Enables the firewall's log recording.

Step 2: Edit the /etc/ file
Add the following content at the end of the file:
!ipfw
*.* /var/log/

The purpose of these lines is to write the IPFW log into the /var/log/ file; you can of course specify another location for the log file.

After completing the above steps, restart the computer.

5. Use and save rules

Once the system is back up, you will find that you can still log in to the remote server via SSH.

Step 1: Test
When you first log in you won't notice any change in the system, but try the following command:
#ipfw show
It outputs a line like:
65535 322 43115 allow ip from any to any
This tells us that IPFW has been enabled successfully and currently allows any connection.

Step 2: Use
Enter the following command at the command prompt:
#ipfw add 10001 deny all from 218.249.20.135 to any
This denies all services from 218.249.20.135. Once it has executed, you will find that all traffic from the IP 218.249.20.135 is denied.
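The article spots the attacker by hand (one IP holding 50 FIN_WAIT_1 connections in netstat -a) and then types the deny rule. The script below is an added example, not from the original article: it reads netstat -an output, counts FIN_WAIT_1 connections per foreign IP, and emits the same style of "ipfw add NNNNN deny" command for every IP over a threshold. It assumes the Freebsd netstat column layout (foreign address printed as a.b.c.d.port) and numbers rules from 10001 as the article does; the netstat sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): turn the FIN_WAIT_1 pattern
# seen in "netstat -an" into IPFW deny rules. Assumes Freebsd netstat output,
# where the foreign address is written as a.b.c.d.port.

# Constructed sample: three FIN_WAIT_1 connections from 218.249.20.135, one
# from 10.1.2.3, and an ESTABLISHED connection that must not be counted.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.80          218.249.20.135.3312    FIN_WAIT_1
tcp4       0      0  192.0.2.10.80          218.249.20.135.3313    FIN_WAIT_1
tcp4       0      0  192.0.2.10.80          218.249.20.135.3314    FIN_WAIT_1
tcp4       0      0  192.0.2.10.80          10.1.2.3.40001         FIN_WAIT_1
tcp4       0      0  192.0.2.10.22          198.51.100.7.50022     ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN'

# suspect_ips THRESHOLD: read netstat -an on stdin and print each foreign IPv4
# address that holds at least THRESHOLD connections in FIN_WAIT_1, one per line.
suspect_ips() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "FIN_WAIT_1" {
            n = split($5, part, ".")        # a.b.c.d.port -> exactly 5 parts
            if (n == 5) count[part[1] "." part[2] "." part[3] "." part[4]]++
        }
        END { for (ip in count) if (count[ip] >= limit) print ip }' | sort
}

# deny_rules THRESHOLD: turn suspect_ips output into ipfw commands, numbered
# from 10001 upwards so they are evaluated before the default rule 65535.
deny_rules() {
    rule=10001
    suspect_ips "$1" | while read -r ip; do
        echo "ipfw add $rule deny all from $ip to any"
        rule=$((rule + 1))
    done
}

# Print the rules for review; pipe them into sh only once you are satisfied.
printf '%s\n' "$SAMPLE_NETSTAT" | deny_rules 3
```

On a live server replace the constructed sample with `netstat -an | deny_rules 50`, using the connection count the article observed as the threshold.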

Step 3: Save
Add the line ipfw add 10001 deny all from 218.249.20.135 to any to the /etc/ file (inside the file the leading # prompt is not needed), then run the following command to reload the IPFW rules:
#sh /etc/

Alternatively, restart the system once and the IPFW rules will take effect. Until you manually remove the rule, all traffic from 218.249.20.135 will be rejected.