What happened to OC? - CLOSED Carnage?!
AntiMomentum

Halo CE servers - DDoS Firewall

18 posts in this topic

Tiddy-bits:

Very nicely done.

 

In my case, I run Cisco ASA firewalls, with a Cisco ASR router between them and the Internet. So most Layer 7 attacks are already being dealt with.

 

However, the bastard just runs up the fragmented UDP attacks, and floods my 1G fiber with so much bandwidth, traffic stops. I also have a rented server in NYC, and that thing gets knocked offline the same way. Only lasts for a short period of time, like less than a minute, but then comes back a few minutes later, so my ISP is doing some sort of DDOS protection, but it's not quick enough to keep people from getting kicked off. I haven't had a Layer 7 attack for a long time.


msalerno1965 in steam

On 10/23/2020 at 1:34 PM, msalerno said:

However, the bastard just runs up the fragmented UDP attacks, and floods my 1G fiber with so much bandwidth, traffic stops. I haven't had a Layer 7 attack for a long time.

Thanks for reminding me! I've caught up on sleep lol. The highest spike I've seen is 2.4Gb/s (I will update the OP). Fortunately I know Linode (and probably DO) have higher incoming connection bandwidth than this! Even their lowest tier servers have higher speeds, but 1 core alone won't drop the flood even with the bandwidth.

 

And yep. He will just use floods as long as it works for him. He did not use any layer 7 attacks until I stopped the floods first, then he switched over to almost only layer 7 attacks. This solution works for both :)

Edited by AntiMomentum


Hi there! First off I just want to say thanks so much for spending the time coming up with this and sharing with us here.

 

Events have transpired that I could use a DDoS firewall on my own servers after they were taken down by an attack last night.

 

I have got stuck following your guide above. When I run

sudo ./firewall.sh

I lose ssh connection to my server and can't get back in until I reboot it :P

 

I am using a Debian 9 Linode as suggested above. I don't know if it matters or not but I am running the commands as a user with sudo rather than using the root user itself.

 

Just to provide as much info as possible these are the commands I ran (after installing Wine). This is a fresh Debian 9 install.

 

sudo apt install iptables-persistent netfilter-persistent
sudo modprobe ip_conntrack
sudo apt-get install nload
sudo apt-get install tshark
sudo nano /etc/sysctl.conf (copied in the lines from the pastebin)
sudo sysctl -p
sudo apt install ipset
sudo apt-get install git -y
git clone https://github.com/antimomentum/haloce.git
chmod +x firewall.sh
chmod +x tc.sh
sudo ./firewall.sh

 

I'm probably following your instructions wrong.  I would really appreciate any help! :) 

1 hour ago, Broomish said:

When I run sudo ./firewall.sh I lose ssh connection to my server and can't get back in until I reboot it :P

I am using a Debian 9 Linode as suggested above. I don't know if it matters or not but I am running the commands as a user with sudo rather than using the root user itself.


Hey, thanks for the report!

This line drops ssh
iptables -t raw -A PREROUTING ! -p udp -j DROP
and this does as well
iptables -A INPUT -j DROP

So put a line above each of those to allow yourself, example:
iptables -t raw -A PREROUTING -s 192.168.254.254 -j ACCEPT
iptables -t raw -A PREROUTING ! -p udp -j DROP

and 

iptables -A INPUT -s 192.168.254.254 -j ACCEPT
iptables -A INPUT -j DROP

With 192.168.254.254 replaced with the IP you want to SSH from. If it does or doesn't work please let me know!

Also I apologize I did delete the sshfirewall on my github recently (I was clearing up clutter and it wasn't up to date anyways). I'll have an ssh version soon, but that's pretty much what it'll be anyways unless it doesn't work

*EDIT*
Also yea, the commands you have aren't up to date. Check the top of my original post to see current firewall install instructions! For example these are no longer used:

sudo apt install iptables-persistent netfilter-persistent
sudo modprobe ip_conntrack

Running with sudo should be fine though, more secure anyways.

So for the firewall from the top:
apt install ipset
apt install git  <---if needed
git clone https://github.com/antimomentum/haloce.git
cd haloce
chmod +x firewall.sh
chmod +x tc.sh
Edit the firewall.sh to allow your SSH IP:
nano firewall.sh
Then execute it:
./firewall.sh
start the halo server, once it's running execute:
./tc.sh

That will install the firewall, and it can still be flushed with a reboot

Edited by AntiMomentum
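The ordering point in the reply above (an ACCEPT for your SSH source IP placed above each catch-all DROP, in both the raw and the filter table) as an added example; this is not code from the haloce repo. It generates the two rule pairs for a given admin IP and lints any rule list (for example the contents of firewall.sh) to confirm that ordering before you run it. The IPs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of AntiMomentum's firewall.sh. Generates the
# allow-before-drop rule pairs from the thread and lints a rule list so the
# SSH source IP is accepted before the catch-all DROP of the same table.
# All IP addresses here are constructed placeholders.

# Print the iptables commands with the admin IP accepted ahead of each DROP.
# ACCEPT in the raw table only ends raw-chain traversal; the filter table's
# INPUT chain still needs its own ACCEPT, which is why both pairs are needed.
ssh_safe_rules() {
  ip="$1"
  printf '%s\n' \
    "iptables -t raw -A PREROUTING -s $ip -j ACCEPT" \
    "iptables -t raw -A PREROUTING ! -p udp -j DROP" \
    "iptables -A INPUT -s $ip -j ACCEPT" \
    "iptables -A INPUT -j DROP"
}

# Exit 0 if every '-j DROP' in a table (raw or filter) is preceded by
# '-s <ip> -j ACCEPT' in that same table; exit 1 otherwise.
# Lint an existing script with: check_ssh_allowed 203.0.113.10 "$(cat firewall.sh)"
check_ssh_allowed() {
  ip="$1"
  rules="$2"
  printf '%s\n' "$rules" | awk -v ip="$ip" '
    /^[[:space:]]*(sudo )?iptables/ {
      table = ($0 ~ /-t raw/) ? "raw" : "filter"
      if (index($0, "-s " ip " -j ACCEPT") > 0) seen[table] = 1
      if ($0 ~ /-j DROP/ && !seen[table]) bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Stand-alone run: emit the rules for a placeholder admin IP and lint them.
ADMIN_IP="${ADMIN_IP:-192.168.254.254}"
rules="$(ssh_safe_rules "$ADMIN_IP")"
printf '%s\n' "$rules"
check_ssh_allowed "$ADMIN_IP" "$rules" && echo "ok: SSH source accepted before DROP"
```

Run the lint against firewall.sh from the same terminal before executing it; a non-zero exit means a DROP would be reached before your IP is allowed and the script would lock you out.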
1 hour ago, Broomish said:

Thanks for the quick response :)

 

I will try those changes out tomorrow


No problem! 

Also, just in case you weren't aware, on Linode and DigitalOcean you don't actually need ssh enabled to access your server: https://cloud.linode.com/linodes
To the right of "Reboot" click on the three dots and click "Launch LISH Console"
This will actually give you 2 separate terminal screens, WebLish and Glish :)

Also if you need more terminals, the screen command works in the Glish window/terminal quite well. Not so much in the Lish terminal but you only need one for screen anyways :)

Also the "Imagize" option will let you save the whole server as long as it's under 6144MB in space :) Just make sure it's powered down before you image it

If you're security concerned about that Lish/Glish web UI you can enable 2 factor authentication on your account as well :) 

But yeah I usually launch firewall.sh + my halo server from the WebLish screen and then click on Glish to do everything else like ./tc.sh (and the screen command if needed) :)

Oh and some good news is Linode has a Firewall beta in the works that will be in the Atlanta region in about a month, I've tested it at the Toronto region and with my firewall I was *easily* filtering attacks using just 1 cheap shared cpu :)
(Their firewall is also really easy to use unlike mine, still in beta tho so you have to sign up for it)

Also for whatever reason the New Jersey region seems to just get less traffic from attacks, I have no idea why. But it might already be possible to filter the DDoS attacks using only 1 shared cpu in that region with my firewall.

And one last tip for now, when you go to create a server the Linode Marketplace has "Docker" which uses Debian 9 as the OS anyways. But regular Debian 9 is just fine too

Edited by AntiMomentum
2 hours ago, AntiMomentum said:

If you're security concerned about that Lish/Glish web UI you can enable 2 factor authentication on your account as well

Just use SSH keys with other password login disabled....

1 hour ago, Enclusion said:

Just use SSH keys with other password login disabled....

 

First thing I do is:
service ssh stop
or outright disable

Plus given there is a CLI for Linode, DO, AWS and others respectively to spin up servers in your account's name it's better to have 2FA enabled, rather than not, anyways (not to mention regular web ui login). It's not a cli specific to just a server either, but your entire account. It's a cli for automation purposes but most cloud services tend to have some form of this.

Cloud services like AWS and Google Cloud tend to require some ssh configuration though if you're trying to get it working behind a firewall, and ssh keys are certainly better than passwords no doubt

Edited by AntiMomentum

Update!

 

Those changes to firewall.sh that AntiMomentum suggested fixed my ssh issue :)

 

The good news is that I can now run my server with the firewall enabled and join via direct IP.

 

However, the server is not appearing in the server list. (I tested without firewall and it appears fine).

 

I should point out that I am NOT using docker currently. I am running haloceded.exe through wine directly. So I also made these changes to firewall.sh:

 

On 23/10/2020 at 2:45 PM, AntiMomentum said:

IF NOT USING DOCKER or HAVING ISSUES WITH DOCKER:
Take out this line:  iptables -t raw -A PREROUTING -s 172.17.0.2 -j ACCEPT

and add this line directly above the INPUT line:
iptables -A INPUT -i eth0 -p udp -m udp --dport 2302 -j ACCEPT

 

I am wondering whether it is because I have deviated from the recommended docker approach that I am having the server list issue.

Here are some more details about my server setup but it is probably irrelevant.

I added 2 unix users: admin and haloce

I added admin to sudo group and blocked ssh for the root user

As the admin user I run: sudo ./firewall.sh

As the haloce user I run (in a different ssh session): wineconsole haloceded.exe -port 2302 -path my_path

Once that starts, as the admin user I run: sudo ./tc.sh

 

So the "logic" of this approach is I get to run the halo server as an unprivileged user.
