HOWTO: KISS Firewall, DDoS Deflate, BFD - security that's light on resources

littleoak
This tutorial describes how to install K.I.S.S. My Firewall - Version 2.2 as edited and distributed by Nobaloney Internet Services, DDoS Deflate from MediaLayer, and Brute Force Detection (BFD) from R-FX Networks.

Q. Who should use this?

A. These three software packages provide a basic level of security that is very light on server resources. The combination is ideal for a VPS.

Q. Why should I use this over APF + BFD, or CSF + LFD?

A. Both APF and CSF will provide a more robust firewall. However, in many cases the added features of APF or CSF are unnecessary and may be seen as too complicated to set up and maintain. The installation steps I describe here can be performed by anyone with basic knowledge of ssh commands. Also, KISS, DDoS Deflate, and BFD use far fewer resources.

K.I.S.S. My Firewall - Version 2.2, edited and distributed by Nobaloney Internet Services:

Code:
cd /usr/local/sbin/
wget http://www.nobaloney.net/downloads/kiss/kiss.kernel-2.8.16-and-newer
mv kiss.kernel-2.8.16-and-newer kiss
chmod 0700 kiss
echo "/usr/local/sbin/kiss start" >> /etc/rc.d/rc.local
/usr/local/sbin/kiss start
KISS is now installed.

-----

DDoS Deflate from MediaLayer:
Code:
wget http://www.inetbase.com/scripts/ddos/install.sh
chmod 0700 install.sh
./install.sh
cd /usr/local/ddos
nano ddos.conf
Modify the following:
Code:
APF_BAN=0
Change root to your email address:
Code:
EMAIL_TO="root"
Save your work in nano.
DDoS Deflate is now installed.

-----

Brute Force Detection (BFD) from R-FX Networks:
Code:
wget http://www.r-fx.ca/downloads/bfd-current.tar.gz
tar -zxf bfd-current.tar.gz
cd bfd-*
./install.sh
cd /usr/local/bfd/
nano conf.bfd
Go to the following line:
Code:
BAN_COMMAND="/etc/apf/apf -d $ATT_HOST {bfd.$MOD}"
Replace it with:
Code:
BAN_COMMAND="/sbin/iptables -I INPUT -s $ATTACK_HOST -j DROP"
If you want email alerts change:
Code:
EMAIL_ALERTS="0"
to:
Code:
EMAIL_ALERTS="1"
and replace root with your email address on this line:
Code:
EMAIL_ADDRESS="root"
Set the number of failed logins an IP must have before it's blocked:
Code:
TRIG="15"
Then save. Next:
Code:
cd /usr/local/bfd/
nano ignore.hosts
Add your IP address and any other IP addresses you want safe listed to this file.
Finally:
Code:
/usr/local/sbin/bfd -s
BFD is now installed.

You now have basic DDoS protection, a nice iptables based firewall, and brute force detection installed on your server. All three are very light on resources.
 
Note we have several versions of kiss, and we're currently working on one which will work with our Cobalt RaQ 550 servers reprovisioned as DirectAdmin servers.

Jeff
 
I exchanged emails with Jeff about creating a DirectAdmin-ready version of DDoS Deflate and BFD. He's graciously offered to host the modified versions. I will be providing some beta versions before a stable version is available.
 
Hi

I've installed DDoS Deflate on CentOS 4.6, but I seem to have a slight bug. When I get an email informing me of a DoS attack, the email reads:

Banned the following ip addresses on Tue Aug 12 17:54:01 BST 2008

169 with 169 connections

So it is showing the number of connections twice but not the offending IP address. Any ideas?

Thanks in advance

Roland
 
Roland,

There seems to be a slight problem with the way DDoS deflate is determining the IP addresses to ban. I'm working on a DA-specific version that should be available within a few days. I'll add this to the list of things to fix.
 
Thanks, I'll keep an eye on this thread.
 
I don't know if it helps, but if you run the script manually through ssh it shows:

74
16 72.36.135.242
10 146.82.200.223
6 146.82.200.42
4 72.36.159.123
3 72.36.191.2
3 72.36.190.2
3 216.39.90.2
1 servers)
1 Address
1 88.215.142.238
1 78.147.142.169
1 71.115.126.139
1 66.197.95.12
1 192.168.42.42

So as you can see it's picking up some of the IPs, but 74 of the IPs it hasn't, and it shows these as blank.
 
Cybex,

The official version of DDoS Deflate will not work properly with DA and CentOS 4 or 5. I created a DA-specific version and an install script for it called Quick Deployment.

You may install the DA-specific version of DDoS Deflate manually by:

Code:
wget -q -O /usr/local/ddos/ddos.conf http://www.oakdns.net/downloads/ddos.conf
wget -q -O /usr/local/ddos/LICENSE http://www.oakdns.net/downloads/LICENSE
wget -q -O /usr/local/ddos/ddos.sh http://www.oakdns.net/downloads/ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
 
Thank you very much, I will install it once I get my new DirectAdmin server running.
 
Thanks for the install guide. A couple of things I noticed with BFD:

You have a dash in $ATT-HOST; the original variable has an underscore. My system wasn't banning IPs. I changed it to an underscore and I'm waiting to see if it triggers the rule correctly...

BAN_COMMAND="/sbin/iptables -I INPUT -s $ATT_HOST -j DROP"

The directory should be "/usr/local/bfd/"; you're missing an "l" in "local".

Thanks for putting this together. It's a nice little setup.

:)
 
Mjm,

Thank you for pointing those errors out!

Edit: Woops, I see where I made the typo.
 
Just looked over the BFD code and it appears that they're using the variable '$ATTACK_HOST' rather than '$ATT_HOST'

I'm testing this on my system right now... Will report back once I get a hit.
 
That did it.

BAN_COMMAND="/sbin/iptables -I INPUT -s $ATTACK_HOST -j DROP"

Email notification:

SOURCE ADDRESS: 64.41.xx.xx
TARGET SERVICE: sshd
FAILED LOGINS: 29
EXECUTED COMMAND: /sbin/iptables -I INPUT -s 64.41.xx.xx -j DROP
 
Mjm,

Thanks! I've been using an older version of BFD on my machines (0.8 rather than 1.2) and it uses the $ATT_HOST variable. The newer version seems to have switched to $ATTACK_HOST.
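Following on from the BAN_COMMAND step in the first post and the $ATT_HOST/$ATTACK_HOST mix-up sorted out above, here is an added check (my own example, not part of the thread or of BFD) that expands a conf.bfd BAN_COMMAND line with a test address instead of running it, so a wrong variable name shows up before a real attacker has to trip TRIG. It assumes, as reported above, that BFD 1.2 sets only $ATTACK_HOST; the two conf lines are constructed.

```shell
#!/bin/sh
# Constructed conf.bfd lines (not copied from a real install): the line the
# thread found broken under BFD 1.2 and the one that works.
BAD_LINE='BAN_COMMAND="/sbin/iptables -I INPUT -s $ATT_HOST -j DROP"'
GOOD_LINE='BAN_COMMAND="/sbin/iptables -I INPUT -s $ATTACK_HOST -j DROP"'

# expand_ban_command: take the quoted value of a BAN_COMMAND line and
# substitute a test address for $ATTACK_HOST, the only variable BFD 1.2
# sets (assumption from the thread). Anything else ($ATT_HOST from older
# versions, or a typo) is left as literal text so it can be spotted.
# No eval, so nothing in the conf line is ever executed.
expand_ban_command() {
    value=${1#BAN_COMMAND=\"}
    value=${value%\"}
    printf '%s\n' "$value" | sed 's/[$]ATTACK_HOST/192.0.2.1/g'
}

# check_ban_command: return 0 when the expanded command would hand iptables
# the test address right after -s, 1 otherwise. At run time an unset
# variable expands to nothing, iptables rejects "-s -j", and no ban happens.
check_ban_command() {
    case " $(expand_ban_command "$1") " in
        *" -s 192.0.2.1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

check_ban_command "$GOOD_LINE" && echo "ok:     $GOOD_LINE"
check_ban_command "$BAD_LINE"  || echo "broken: $BAD_LINE"
```

Run it against your own conf.bfd with `grep '^BAN_COMMAND=' /usr/local/bfd/conf.bfd` as the argument before starting BFD.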
 
Does anyone have any idea if there is a way to increase the time between failed logins on ProFTPD and ssh?

I.e. is there somewhere I can specify that if someone enters an incorrect login they have to wait, for example, 10 seconds until they can try again?
 
Useful if you get error mails with DDoS Deflate.

The emails look like:

Banned the following ip addresses on Tue Aug 5 01:32:01 BST 2008

1120 with 1120 connections

Edit the ddos.sh file, located in the /usr/local/ddos directory if you installed in the default fashion.

In the original script, line 117 reads:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

This should be rewritten to read as follows:

netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

IMPORTANT: this command should be written on a single line. You should also check each character, as selecting and copying can sometimes lead to different characters being pasted (i.e. single quotes might not paste as single quotes!).
 
You can probably cut it down to:
Code:
netstat -ntu | grep ffff | awk '{print $5}' | cut -d: -f4 | sort | uniq -c | sort -nr > $BAD_IP_LIST
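As an added example (mine, not from the thread or from DDoS Deflate), here is the connection-counting pipeline from the two posts above wrapped in a function and run over constructed netstat -ntu output that contains exactly the cases that produced the blank "74" entry and the "servers)" and "Address" lines: the netstat header and ::ffff:-mapped IPv4 peers. It goes one step further than both one-liners by also dropping pure IPv6 peers, which an IPv4 iptables ban could not act on anyway.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (not captured from a real host):
# the header lines that leak through the original pipeline, plain IPv4
# sockets, IPv4-mapped IPv6 sockets (::ffff:a.b.c.d) that break `cut -d: -f1`,
# and one pure IPv6 socket.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51236 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:22    ::ffff:203.0.113.9:40000 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:5555        ESTABLISHED
udp        0      0 192.0.2.10:53           203.0.113.9:33000       ESTABLISHED'

# count_conns: read netstat -ntu output on stdin and print "<count> <ip>" per
# remote IPv4 address, most connections first. This is what ddos.sh does to
# build $BAD_IP_LIST, with the ::ffff: fix from the thread plus two guards:
# only fields that end in ":port" are kept (drops the header lines), and
# only dotted-quad addresses survive (drops pure IPv6 peers, which would
# otherwise be truncated to their first hextet).
count_conns() {
    awk '$5 ~ /:[0-9]+$/ { print $5 }' \
    | sed 's/^::ffff://' \
    | awk -F: '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1 }' \
    | sort | uniq -c | sort -nr \
    | awk '{ print $1, $2 }'
}

# top_offender: the first "<count> <ip>" line, i.e. the address ddos.sh
# would ban first once its count exceeds NO_OF_CONNECTIONS.
top_offender() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_conns | head -n 1
}

printf '%s\n' "$SAMPLE_NETSTAT" | count_conns
```

On a live box replace the sample with `netstat -ntu | count_conns`; the two plain and one mapped socket from 198.51.100.7 count as one host with three connections, which is the behaviour the original `cut -d: -f1` lost.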
 