
I have a Linux web hosting server which is affected by a high DDoS. I want to use Cisco ASA 5500 Series Adaptive Security Appliances to protect the Linux server from this DDoS. I know there are many factors you should know before you choose the suitable hardware firewall, like the amount of this DDoS, pps, etc.

Please suggest Linux tools to measure those factors and to help me collect the required information (pps, amount of DDoS, concurrent connections and other factors).

Regards,

linuxcore
  • This is not a question we can answer for you. For some of the reasons see [this question about capacity planning](http://serverfault.com/q/384686) -- The hardware you need depends on your traffic volume, type (high-packets or high-bytes), the kind of attack(s) you want to defend against, etc. // You also need to consider whether your ISP and network connection can handle a denial of service attack, which is a discussion you should be having with your ISP. It's always better if they can block the attacks before they reach your network... – voretaq7 Jul 28 '12 at 04:09

1 Answer


There are plenty of Linux tools to help you collect information on DDoS and other attacks.

One simple free solution is Fail2Ban.

Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).

Example of protecting Apache:

Edit /etc/fail2ban/jail.conf to add:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 300
findtime = 300
# ban for 10 minutes (600 seconds)
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Next, create the file /etc/fail2ban/filter.d/http-get-dos.conf (the name must match the filter = http-get-dos line in the jail):

# Fail2Ban configuration file

[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and invalid entries are a match.
# Set maxretry and findtime carefully in jail.conf in order to avoid false positives.
# <HOST> is replaced by fail2ban with its own host/IP pattern and is required for the jail to know whom to ban.

failregex = ^<HOST> -.*GET

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Check /var/log/fail2ban.log for notifications and to see if it's working properly.

http://www.fail2ban.org/wiki/index.php/HOWTOs

에이바
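The jail above counts failregex matches per client address in a sliding findtime window and bans the address once maxretry is reached. The following Python script (an added example, not part of the answer or of fail2ban) replays a constructed Apache access log through that same logic so you can see which addresses the [http-get-dos] jail would ban, and why the "matches every GET" caveat matters. Assumptions: the <HOST> tag is stood in for by a plain IPv4 pattern, the log lines are constructed sample data, and the windowed count is an approximation of fail2ban's own bookkeeping.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters copied from the [http-get-dos] block in the answer.
MAXRETRY = 300   # matches needed inside one findtime window
FINDTIME = 300   # window length in seconds
BANTIME = 600    # seconds the iptables rule stays in place

# fail2ban expands <HOST> into its own host/IP pattern; this stand-in
# (an assumption for the example) only matches dotted IPv4 addresses.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = re.compile(r"^" + HOST_RE + r" -.*GET")
TIME_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

BASE_TIME = datetime(2012, 6, 4, 17, 0, 0)   # arbitrary start for the constructed log


def parse_line(line):
    """Return (host, timestamp) when the line matches the jail's failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    t = TIME_RE.search(line)
    if not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")


def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines (in file order per host) with a per-host sliding window.

    Returns {host: timestamp_of_ban} for every host that reached maxretry
    matches inside a findtime-second window, mirroring what the jail does.
    """
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # POSTs and anything without "GET" never count
        host, ts = parsed
        if host in banned:
            continue          # already banned; iptables would now drop this client
        window = windows[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


def apache_line(host, when, method="GET", path="/index.html"):
    """One constructed Apache combined-log line (sample data, not from any real server)."""
    return '%s - - [%s +0000] "%s %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"' % (
        host, when.strftime("%d/%b/%Y:%H:%M:%S"), method, path)


def burst(host, count, seconds, method="GET"):
    """`count` requests from `host` spread evenly over `seconds` seconds (constructed)."""
    return [apache_line(host, BASE_TIME + timedelta(seconds=i * seconds / count), method)
            for i in range(count)]


def sample_log():
    """Constructed access log: one flooding address, one normal visitor, one POST-only client."""
    return (burst("203.0.113.7", 320, 160)                  # 2 GET/s for 160 s: exceeds maxretry
            + burst("198.51.100.9", 5, 600)                 # 5 GETs in 10 minutes: harmless
            + burst("192.0.2.3", 400, 400, method="POST"))  # regex requires GET: never counted


if __name__ == "__main__":
    for host, when in evaluate(sample_log()).items():
        print("ban %s at %s for %d s" % (host, when.strftime("%H:%M:%S"), BANTIME))
```

Running it bans only 203.0.113.7, at the moment of its 300th GET. The same function shows the false-positive risk the filter comment warns about: any single address that legitimately issues 300 GETs within 300 seconds (a busy proxy, a crawler, a page with many assets) is banned just the same, which is why maxretry and findtime need tuning against your real traffic before the jail goes live.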
  • @에이바 Thank you, but could you please tell me what the most important factors are, with their Linux tools, to choose the suitable model? Like pps or the amount of incoming traffic, etc. – linuxcore Jun 04 '12 at 17:17
  • That is a very subjective question and largely depends on what is most important for your needs... Think about these questions first: How much traffic does your application or site receive? How sensitive is the data that passes through it? How many servers do you have -- how many can afford to go offline and for how long? You need to figure out what your needs are before you can decide what the best tools to use are. – 에이바 Jun 04 '12 at 17:24
  • @에이바 I was hoping you could provide me with network tools to calculate (incoming DDoS traffic, packets per second, connections per second) – linuxcore Jun 04 '12 at 17:28