Web Hosting Talk

DDoS and what to do?


nelsonmoss
12-14-2004, 08:17 PM
Hello!

For a few weeks, one of the sites on my server has been getting attacked. The site is on a dedicated IP. When I do a tcpdump I see various different IPs attacking. Most of the IPs start with 15, 13, 21 etc. It causes Apache to fail and the server becomes unreachable. I have installed APF with antidos and mod_dosevasive, but they don't seem to help. Actually I'm not even sure whether they are working or not.

Because the site is on a dedicated IP, I just change the IP of the site and request the datacenter to nullroute the current IP. Then it comes back to normal, but I can't be online all the time.

APF seems to be working, no errors when I type apf -r, but when I add IPs to deny hosts those IPs can still reach the server. And when I type apf -st the last two lines make me think that the firewall isn't active. And although I set antidos active, the antidos log file is always empty.

.......
Dec 13 04:02:03 host apf(9269): loading sysctl.rules
Dec 13 04:02:03 host apf(9269): determined (OUT_IF) eth0 has address xxxxxx
Dec 13 04:02:03 host apf(9269): determined (IN_IF) eth0 has address xxxxxxx
Dec 13 04:02:03 host apf(9218): parsing block.txt into /etc/apf/ds_hosts.rules
Dec 13 04:02:03 host apf(9218): downloading xxxx
Dec 13 04:02:03 host apf(9218): activating firewall
Dec 13 04:02:02 host apf(9142): firewall offline
Dec 13 04:02:02 host apf(9142): flushing & zeroing chain policies



What are your recommendations?

and

How can I block an IP, for example one which starts with 80? What is the mask for that? I want to block each IP that starts with 80.

Thank you.

A4rules
12-14-2004, 08:33 PM
Is apf configured to automatically block IPs?

Mr.TOXIC
12-15-2004, 04:27 AM
Hello

Make sure that you have set
DEVM="0" in your conf.apf.

Use the following to manage apf.

*************
apf --help
APF version 0.9.4 <apf@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

usage /usr/local/sbin/apf [OPTION]
-s|--start ............. load firewall policies
-r|--restart ........... flush & load firewall
-f|--flush|--stop ...... flush firewall
-l|--list .............. list chain rules
-st|--status ........... firewall status
-a HOST|--allow HOST ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST|--deny HOST .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

***************

and use a subnet mask to block IP ranges.

To block IPs, add them to /etc/apf/deny_hosts.rules.
**************
Advanced trust usage; The trust rules can be made in advanced format with 4
options (proto:flow:port:ip);
1) protocol: [packet protocol tcp/udp]
2) flow in/out: [packet direction, inbound or outbound]
3) s/d=port: [packet source or destination port]
4) s/d=ip(/xx) [packet source or destination address, masking supported]

Flow assumed as Input if not defined. Protocol assumed as TCP if not defined.
When defining rules with protocol, flow is required.

Syntax:
proto:flow:[s/d]=port:[s/d]=ip(/mask)
s - source , d - destination , flow - packet flow in/out

Examples:
inbound to destination port 22 from 24.202.16.11
tcp:in:d=22:s=24.202.16.11

outbound to destination port 23 to destination host 24.2.11.9
out:d=23:d=24.2.11.9

inbound to destination port 3306 from 24.202.11.0/24
d=3306:s=24.202.11.0/24

*************
Go through the README that comes with apf for more information.
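As an added example (not from this thread and not APF's own code), a small Python matcher for the advanced rule syntax quoted above. It applies the defaults stated there (flow in, protocol tcp, flow required when a protocol is given) and CIDR masking, and shows that the mask covering every address whose first octet is 80 is 80.0.0.0/8 (255.0.0.0). Treating a bare address field as a source address is an assumption.

```python
# Added example: matcher for APF's advanced rule format
# proto:flow:[s/d]=port:[s/d]=ip(/mask). Not APF code.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    proto: str                       # tcp/udp (default tcp)
    flow: str                        # in/out (default in)
    port_side: Optional[str] = None  # "s" or "d"
    port: Optional[int] = None
    ip_side: Optional[str] = None    # "s" or "d"
    net: Optional[ipaddress.IPv4Network] = None

def parse_rule(line: str) -> Rule:
    """Parse one rule line. Defaults per the README text: flow in, proto tcp.
    Assumption: a bare 'a.b.c.d' or 'a.b.c.d/n' field is a source address."""
    rule = Rule("tcp", "in")
    proto_given = flow_given = False
    for field in line.strip().split(":"):
        if field in ("tcp", "udp"):
            rule.proto, proto_given = field, True
        elif field in ("in", "out"):
            rule.flow, flow_given = field, True
        elif field[:2] in ("s=", "d="):
            side, value = field[0], field[2:]
            if value.isdigit():
                rule.port_side, rule.port = side, int(value)
            else:
                rule.ip_side, rule.net = side, ipaddress.ip_network(value, strict=False)
        else:
            rule.ip_side, rule.net = "s", ipaddress.ip_network(field, strict=False)
    if proto_given and not flow_given:
        raise ValueError("flow (in/out) is required when protocol is given")
    return rule

def matches(rule: Rule, proto: str, flow: str, src: str, dst: str,
            sport: int, dport: int) -> bool:
    """True if a packet with these attributes is covered by the rule."""
    if rule.proto != proto or rule.flow != flow:
        return False
    if rule.port is not None and rule.port != (sport if rule.port_side == "s" else dport):
        return False
    if rule.net is not None:
        ip = ipaddress.ip_address(src if rule.ip_side == "s" else dst)
        if ip not in rule.net:
            return False
    return True

if __name__ == "__main__":
    # Every address whose first octet is 80 falls in 80.0.0.0/8 (mask 255.0.0.0).
    wide = parse_rule("80.0.0.0/8")
    print(matches(wide, "tcp", "in", "80.12.34.56", "10.0.0.1", 40000, 80))  # True
    print(matches(wide, "tcp", "in", "81.12.34.56", "10.0.0.1", 40000, 80))  # False
```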

msh
12-15-2004, 12:16 PM
If it's a single IP or a few IPs DoSing you, then ask the datacenter to nullroute them.

DD-SNC
12-16-2004, 06:33 AM
Another solution is to host your server somewhere with web filtering devices such as a Top Layer; check out gigeservers.com or coloquest.com.

Mxhub
12-16-2004, 07:51 AM
There's nothing much you can do since the sources come from multiple IPs.

If you've got the time, block off the whole subnet to reduce the impact for the time being.

If need be, move to a datacenter with DDoS protection.

Besides the two other providers mentioned by DD-SNC, Ev1servers had FireSlayer, which deals with DDoS.

jw00dy
12-16-2004, 10:57 AM
Not much help here, but when you run apf -st it reads the log file in reverse order. So the information at the top of the listing is what is actually happening, not what's at the bottom.

If you look at the timestamps you will realize the stuff at the bottom is older, and vice versa for the info at the top.