From 4fbfa7812022360ffff5b02871b47154d90e77e6 Mon Sep 17 00:00:00 2001
From: tim0n3 <33823820+tim0n3@users.noreply.github.com>
Date: Thu, 4 Nov 2021 21:04:29 +0200
Subject: [PATCH 1/3] Update config-shield.go

Added iptables rules (might be overkill but better safe than sorry) to save cpu resources when mitigating DDoS ( or to use on low performant hardware) and enabled/disable specific kernel mods for further DDoS mitigation. Also left lots of comments to hopefully accurately explain the reason for the addition/removal of certain configs. I hope this helps improve your project (even though I'm not the neatest
---
 config-shield.go | 113 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 108 insertions(+), 5 deletions(-)

diff --git a/config-shield.go b/config-shield.go
index 33dddb3..5f188d7 100644
--- a/config-shield.go
+++ b/config-shield.go
@@ -120,7 +120,7 @@ for range whitelist {
 whitelist_text = whitelist_text + whitelist[i1]
 //fmt.Printf("%s", out)
 if dryrun == 0 {
- exec_shell("iptables -I INPUT -s "+whitelist[i1]+" -j ACCEPT -m comment --comment 'WHITELISTED IP - NSHIELD'")
+ exec_shell("iptables -I 1 INPUT -s "+whitelist[i1]+" -j ACCEPT -m comment --comment 'WHITELISTED IP - NSHIELD'")
 }
 i1++
 }
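Review bot: The new whitelist rule passes the rule number before the chain, `iptables -I 1 INPUT -s ...`, but `-I` takes `chain [rulenum]`, so iptables will look for a chain named `1`, fail, and the allow-list entry is never installed; the `-I 2 INPUT` LOG rule in the next hunk has the same inversion. The fix is `exec_shell("iptables -I INPUT 1 -s "+whitelist[i1]+" -j ACCEPT -m comment --comment 'WHITELISTED IP - NSHIELD'")` (and `iptables -I INPUT 2 ...` for the log rule). Because the whitelist is only written in the non-dryrun path, a rejected rule means the host runs with the DDoS drop rules but without its exemptions, so it is worth confirming that exec_shell surfaces a non-zero exit status instead of silently continuing — its implementation is outside this hunk. The enclosing for loop starts outside the hunk.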
@@ -128,16 +128,119 @@ for range whitelist {
 log.Println("Setting ipt logs..")
-exec_shell(`iptables -I INPUT -m limit --limit 40/min -j LOG --log-prefix "nShield: " --log-level 7`)
+exec_shell(`iptables -I 2 INPUT -m limit --limit 40/min -j LOG --log-prefix "nShield: " --log-level 7`)
 if (basicddos == 1 && dryrun == 0) {
 log.Println("Setting up Basic DDos Protection")
- exec_shell("iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP")
- exec_shell("iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP")
+
+/* conntrack will get slaughtered in DDoS esspecially if your drop rules are only in the filter table
+ try placing the tcp drop rules before they are processed by conntrack i.e. in the prerouting chain.
+ since the filter table doesn't have a prerouting chain you should use the mangle table.
+
+ the following is just an example for the mangle table prerouting chain (before conntrack) that would also save on some cpu cycles on old/low powered hardware
+ (think arm SoCs or potato PCs)
+ that helps block DDoS and portscanners
+ This is probably overkill but it's a copy-paste from some of my old notes so it might still need testing
+
+ Fi
+
+
+ bogus tcp flags () { */
+
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG 
FIN,SYN,RST,PSH,ACK,URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP")
+//}
+
+//OR you could use this from another set of rules which is a little simpler:
+ /*
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP")
+*/
+
+//(## I think) portscanners () {
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags ALL NONE -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP")
+exec_shell("iptables -t 
mangle -A PREROUTING -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags RST RST -j DROP")
+//}
+
+exec_shell("iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m recent --set --name DEFAULT --rsource")
+exec_shell("iptables -t mangle -A PREROUTING -p tcp -m state --state NEW -m recent --update --seconds 10 --hitcount 25 --name DEFAULT --rsource -j DROP")
+exec_shell("iptables -t mangle -A PREROUTING -p icmp -m limit --limit 2/sec -j ACCEPT")
+exec_shell("iptables -t mangle -A PREROUTING -p icmp -j DROP")
+
+//synproxy () {
+exec_shell("iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack")
+exec_shell("iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460")
+exec_shell("iptables -A INPUT -m state --state INVALID -j DROP")
+/*}
+
+You can also use these kernel modifications explicitly to ensure further DDoS mitigation
+
+To prevent smurf attack. */
+exec_shell("echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts")
+exec_shell("echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects")
+exec_shell("echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route")
+
+//Drop source routed packets
+exec_shell("echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route")
+
+//To prevent SYN Flood and TCP Starvation. 
+
+exec_shell("sysctl -w net/ipv4/tcp_syncookies=1")
+exec_shell("sysctl -w net/ipv4/tcp_timestamps=1")
+exec_shell("echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog")
+exec_shell("echo 3 > /proc/sys/net/ipv4/tcp_synack_retries")
+
+/*Enable Address Spoofing Protection
+To prevent IP Spoof. */
+
+exec_shell("echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter")
+
+/*Disable SYN Packet tracking
+To prevent the system from using resources tracking SYN Packets. */
+
+exec_shell("sysctl -w net/netfilter/nf_conntrack_tcp_loose=0")
+
+
+/*
+sources:
+https://www.hackplayers.com/2016/04/proteccion-ddos-mediante-exec_shell("iptables.html
+https://security.stackexchange.com/questions/4603/tips-for-a-secure-exec_shell("iptables-config-to-defend-from-attacks-client-side
+
+
+ */
+ //exec_shell("iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP") //updated syntax below
+ exec_shell("iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "All TCP sessions should begin with SYN" -j DROP")
+ exec_shell("iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment "syn flood" -j DROP")
+ exec_shell("iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP") // xmas packets port scanning
 exec_shell("iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP && iptables -A INPUT -p icmp -m limit --limit 1/second -j ACCEPT")
 exec_shell("/sbin/sysctl -w net/netfilter/nf_conntrack_tcp_loose=0")
 exec_shell("echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize && /sbin/sysctl -w net/netfilter/nf_conntrack_max=2000000 && /sbin/sysctl -w net.ipv4.tcp_syn_retries=2 && /sbin/sysctl -w net.ipv4.tcp_rfc1337=1 && /sbin/sysctl -w net.ipv4.tcp_synack_retries=1")
- }

From 6215f4dd0f961f90e8f0a21126b86aa73e331ccb Mon Sep 17 00:00:00 2001
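Review bot: The hunk deletes the `}` that closed `if (basicddos == 1 && dryrun == 0) {` (the removed ` }` at its very end) and every brace it adds back sits inside a comment (`//}`, `/*}`), so the block is left open and the file no longer compiles; a bare `}` needs to be re-added after the last `exec_shell` call unless one exists beyond the hunk's trailing context. The two new rules that embed `--comment "All TCP sessions should begin with SYN"` and `--comment "syn flood"` inside a Go double-quoted string are a second compile error; follow the whitelist rule's convention and write `--comment 'All TCP sessions should begin with SYN'` and `--comment 'syn flood'`. The raw and mangle PREROUTING drops added here (notably `-m recent --hitcount 25` over 10 s and the RST rate limit) run before the filter table, so addresses whitelisted with `-I INPUT` in the previous hunk are not exempt from them and trusted hosts can be cut off under load; if that exemption is intended, the whitelist also needs matching `-t raw`/`-t mangle` ACCEPT rules or the drops should stay in INPUT. Smaller points: the two source URLs in the closing comment were mangled by a find-and-replace (`mediante-exec_shell("iptables.html`), `accept_source_route` and `nf_conntrack_tcp_loose=0` are each written twice, and `tcp_synack_retries` is set to 3 here and then to 1 by the existing sysctl line a few lines later, so only the latter takes effect.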
From: tim0n3 <33823820+tim0n3@users.noreply.github.com>
Date: Thu, 4 Nov 2021 21:19:49 +0200
Subject: [PATCH 2/3] Update config-shield.go

---
 config-shield.go | 11 +++-------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/config-shield.go b/config-shield.go
index 5f188d7..b3a4082 100644
--- a/config-shield.go
+++ b/config-shield.go
@@ -140,10 +140,7 @@ if (basicddos == 1 && dryrun == 0) {
 the following is just an example for the mangle table prerouting chain (before conntrack) that would also save on some cpu cycles on old/low powered hardware
 (think arm SoCs or potato PCs)
 that helps block DDoS and portscanners
- This is probably overkill but it's a copy-paste from some of my old notes so it might still need testing
-
- Fi
-
+ This is probably overkill but it's a copy-paste from some of my old notes so it might still need testing:
 bogus tcp flags () { */
@@ -226,14 +223,12 @@ To prevent the system from using resources tracking SYN Packets. */
 exec_shell("sysctl -w net/netfilter/nf_conntrack_tcp_loose=0")
-
+
 /*
 sources:
 https://www.hackplayers.com/2016/04/proteccion-ddos-mediante-exec_shell("iptables.html
 https://security.stackexchange.com/questions/4603/tips-for-a-secure-exec_shell("iptables-config-to-defend-from-attacks-client-side
-
-
- */
+*/
 //exec_shell("iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP") //updated syntax below
 exec_shell("iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment "All TCP sessions should begin with SYN" -j DROP")
 exec_shell("iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment "syn flood" -j DROP")

From 23c88c25937293e158eac6381344530c54b7de12 Mon Sep 17 00:00:00 2001
From: tim0n3 <33823820+tim0n3@users.noreply.github.com>
Date: Tue, 9 Nov 2021 14:18:34 +0200
Subject: [PATCH 3/3] Update config-shield.go

---
 config-shield.go | 22 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/config-shield.go b/config-shield.go
index b3a4082..8590870 100644
--- a/config-shield.go
+++ b/config-shield.go
@@ -137,13 +137,31 @@ if (basicddos == 1 && dryrun == 0) {
 try placing the tcp drop rules before they are processed by conntrack i.e. in the prerouting chain.
 since the filter table doesn't have a prerouting chain you should use the mangle table.
- the following is just an example for the mangle table prerouting chain (before conntrack) that would also save on some cpu cycles on old/low powered hardware
+ the following is just an example for the raw and mangle table prerouting chain (beforebefore routing decisions) that would also save on some cpu cycles on old/low powered hardware
 (think arm SoCs or potato PCs)
 that helps block DDoS and portscanners
 This is probably overkill but it's a copy-paste from some of my old notes so it might still need testing:
 bogus tcp flags () { */
-
+ // raw rules for before conntrack (saves more cpu than mangle)
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP")
+exec_shell("iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT")
+exec_shell("iptables -t raw -A PREROUTING -p tcp -m tcp --tcp-flags RST RST -j DROP")
+
+// mangle rules for before routing decisions but after conntrack (saves more cpu than the filter table's input, forward and output chains)
 exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP")
 exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP")
 exec_shell("iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP")