# Optimising a VPS for DoS Resilience

## PaulBain

I have a VPS running with Slicehost and frequently it's being hit with DoS attacks on Apache and Postfix, the two major memory-eating processes I'm running.

I've installed fail2ban to monitor the Postfix log files, DenyHosts for SSH and mod_evasive for Apache, all of which are performing very well.

My question is, can anyone suggest any other steps I could take to reduce the impact of DoS attacks?

Paul

----------

## msalerno

Well, for SSH you could set up port knocking or, even better, fwknop. Both of the options work through iptables, so prior to being able to log in via ssh, you would need to be authorized to connect via iptables. This would greatly reduce the load on your sshd daemon. Also keep in mind that fail2ban and DenyHosts probably do nothing if it's a distributed attack.

----------

## Rexilion

*PaulBain wrote:*

> I have a VPS running with Slicehost and frequently it's being hit with DoS attacks on Apache and Postfix, the two major memory-eating processes I'm running.
>
> I've installed fail2ban to monitor the Postfix log files, DenyHosts for SSH and mod_evasive for Apache, all of which are performing very well.
>
> My question is, can anyone suggest any other steps I could take to reduce the impact of DoS attacks?
> ...

I think a cleaner solution would be to use iptables for all of these servers because that would be more efficient:

http://bipinkdas.blogspot.com/2008/09/prevent-dos-attack-in-linux.html

is a good example to start with.

----------

## beandog

*msalerno wrote:*

> This would greatly reduce the load on your sshd daemon. Also keep in mind that fail2ban and DenyHosts probably do nothing if it's a distributed attack.

Agreed, if it's a DDoS then you're probably just hosed. But if you wanted to reduce the load that jerks are causing you, look at banning blocks of bad IP addresses from blacklists on the web, set up SSH to only auth against pubkeys, or use a knock daemon. And look at lighttpd if you can run it, or something more suited for a VPS if you don't really need Apache.

----------

## PaulBain

Thanks for your advice guys! 

Doesn't the iptables solution you proposed essentially do the same thing as fail2ban, although fail2ban can be more selective about denying users? It has almost the same behaviour as the proposed script, and does block using iptables.

And re lighttpd, I'd LOVE to use it! But too many sites rely on Apache features and I don't have the time to rewrite them or force the owners to fix the problems.

Re blocking blocks of IP addresses, where would be a good place to find info about these blocks? That sounds like a great suggestion.

99% of my traffic comes from the UK or the US, so I guess I can be fairly harsh when blocking ranges.

Thanks again!

----------

## beandog

*PaulBain wrote:*

> Doesn't the iptables solution you proposed essentially do the same thing as fail2ban, although fail2ban can be more selective about denying users? It has almost the same behaviour as the proposed script, and does block using iptables.

Well, fail2ban can work *with* iptables. iptables is just saying (in really basic terms) ignore anything from this IP address. fail2ban tells you which IP addresses to ignore, though, because they are trying to do something naughty.

----------

## msalerno

Denying blocks of IPs for a website is usually not a good approach. You have to be very careful; look at SPEWS. I used to hate dealing with those people, but my IPs would get blacklisted because I was on a shared subnet and someone on that subnet was a spammer. Even when the spammer was shut down, it was still a nightmare to get removed. If you decide to go with a site to provide you with blocks of IPs to ban, you need to understand how they generate their list and how easy it is to get removed from the list.

SSH - Deny all - Don't bother with fail2ban or DenyHosts, use port knocking or SPA (links in my first post) as well as key-based auth.

Postfix - fail2ban or some other log watching app.

Apache - fail2ban or some other log watching app.

The first thing to do for any log watcher app would be to figure out common signs of an attempted attack. For example, how many 401s do you need to see from an IP before you ban it? But better yet, if you see an IP trying something like http://foo.bar/system32/cmd.exe?format%20%c you should block them on the first offense.

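A small log watcher in the spirit msalerno describes, added here as an example (it is not code from the thread, and not fail2ban's own): it reads Apache combined-format lines, bans an IP once it has produced a threshold number of 401 responses, and bans on the first sight of the cmd.exe probe quoted above. The sample log lines, the threshold of 5 and the iptables rule shape are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache combined log line; only the client IP, request line and status are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample log (not from the thread): a brute-forcer, a user who mistypes
# a password twice, a scanner sending the probe quoted in the post, a normal visitor.
SAMPLE_LOG = "\n".join(
    ['203.0.113.5 - - [10/Oct/2008:13:55:%02d +0000] "GET /admin/ HTTP/1.1" 401 512 "-" "curl/7.18"' % s
     for s in range(5)] +
    ['198.51.100.9 - - [10/Oct/2008:13:56:%02d +0000] "GET /admin/ HTTP/1.1" 401 512 "-" "Firefox"' % s
     for s in range(2)] +
    ['192.0.2.77 - - [10/Oct/2008:13:57:01 +0000] "GET /system32/cmd.exe?format%20%c HTTP/1.0" 404 0 "-" "-"',
     '203.0.113.8 - - [10/Oct/2008:13:57:02 +0000] "GET /index.html HTTP/1.1" 200 1843 "-" "Firefox"'])

AUTH_FAIL_THRESHOLD = 5                                  # 401s per IP before a ban (assumed value)
BAN_ON_SIGHT = re.compile(r'/system32/cmd\.exe', re.I)   # the probe quoted in the post

def analyse(log_text, threshold=AUTH_FAIL_THRESHOLD):
    """Return {ip: reason} for every client the watcher would ban."""
    fails = defaultdict(int)
    banned = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line: skip it, never crash the watcher
        ip, req, status = m['ip'], m['req'], m['status']
        if ip in banned:
            continue
        if BAN_ON_SIGHT.search(req):
            banned[ip] = 'first-offence probe: ' + req   # no counting, ban immediately
        elif status == '401':
            fails[ip] += 1
            if fails[ip] >= threshold:
                banned[ip] = '%d x 401' % fails[ip]
    return banned

def iptables_rules(banned):
    """The DROP rules a watcher such as fail2ban would hand to iptables (built here, not run)."""
    return ['iptables -I INPUT -s %s -j DROP' % ip for ip in sorted(banned)]

if __name__ == '__main__':
    for rule in iptables_rules(analyse(SAMPLE_LOG)):
        print(rule)
```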
----------

## PaulBain

That's awesome, thanks for your advice. I think I'll try to avoid IP blocks if I can then, sounds like it's probably more hassle than it's worth!

fwknop also looks great, I'll definitely look at getting that hooked up!

Thanks everyone for your advice, it's very much appreciated.

----------