I think these solutions are specific to RedHat/CentOS 7.
In the end, this is all I ended up with:
These need to be put in /etc/csf/csfpre.sh (create it if it does not exist):
Code:
## Mitigating TCP flood attacks
# Drop packets that conntrack cannot associate with a known connection
iptables -A INPUT -m state --state INVALID -j DROP
## Mitigating SYN flood attacks
# Port 80 (HTTP)
iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID -j DROP
# Port 443 (HTTPS)
iptables -t raw -I PREROUTING -i eth0 -p tcp -m tcp --syn --dport 443 -j CT --notrack
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 443 -m state --state INVALID -j DROP
## Protection against port scanning
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
# The chain only takes effect once INPUT jumps to it for RST-only packets
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning
If you only need SYN flood attack mitigation, it's fine to leave out the others. They're all independent of each other.
The steps below may be the bits that are actually specific to RedHat/CentOS 7.
However, it's necessary to run the following commands before reloading csf with those new changes:
Code:
# More strict conntrack handling to get unknown ACKs (from 3WHS) to be marked as INVALID state (else a conntrack is just created)
/sbin/sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
# Enable timestamping, because SYN cookies use the TCP options field
/sbin/sysctl -w net/ipv4/tcp_timestamps=1
# Adjusting maximum number of connection tracking entries possible (288 * 2000000 / 10^6 = 576.0 MB)
/sbin/sysctl -w net/netfilter/nf_conntrack_max=2000000
# IMPORTANT: Also adjust hash bucket size for conntracks (8 * 2000000 / 10^6 = 16 MB)
sh -c 'echo 2000000 > /sys/module/nf_conntrack/parameters/hashsize'
Consider noting down their original values.
The size mentioned in the 3rd command is simply a theoretical max memory usage assuming all 2M entries are populated.
It will NOT actually pre-allocate them as a whole, but feel free to adjust them according to your needs.
I'm not sure about the 4th command, but it appears to be necessary to increase it regardless.
The article I link below suggests just 1M, but the GitHub repo suggests 2M.
https://www.redhat.com/en/blog/mitigate ... nux-7-beta
https://javapipe.com/blog/iptables-ddos ... onus-rules
Note: using the SYNPROXY rules from the references above as-is did NOT work for me on CentOS 7.
I'm guessing the 4 commands above were required to get it working with theirs as well.
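As an added example (not part of the post above or of csf), the following POSIX sh generalizes the per-port SYNPROXY rule triple from the post to any interface/port pair and checks the two sysctl prerequisites the post lists before the rules are loaded. It prints the iptables commands instead of running them, so they can be reviewed first; the function names and the dry-run approach are my own.

```shell
#!/bin/sh
# Added example: build the per-port SYNPROXY rules used in the post for any
# interface/port, and verify the sysctl prerequisites before loading them.

# Print the three rules the post uses per port (dry run; pipe to sh to apply).
synproxy_rules() {
    ifc="$1"; port="$2"
    # 1) Keep incoming SYNs out of conntrack so SYNPROXY answers them itself
    echo "iptables -t raw -I PREROUTING -i $ifc -p tcp -m tcp --syn --dport $port -j CT --notrack"
    # 2) Hand untracked/invalid packets on that port to SYNPROXY, which completes
    #    the handshake with SYN cookies before a real conntrack entry is created
    echo "iptables -A INPUT -i $ifc -p tcp -m tcp --dport $port -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
    # 3) Drop whatever SYNPROXY did not validate
    echo "iptables -A INPUT -i $ifc -p tcp -m tcp --dport $port -m state --state INVALID -j DROP"
}

# Read "key = value" lines (the format sysctl prints) from stdin and compare
# them with the values the post requires. Returns 1 if any setting is wrong:
#   sysctl net.netfilter.nf_conntrack_tcp_loose net.ipv4.tcp_timestamps | check_prereqs
check_prereqs() {
    rc=0
    while IFS= read -r line; do
        key=$(echo "$line" | sed 's/ *=.*//' | tr / .)   # accept slash or dot form
        val=$(echo "$line" | sed 's/.*= *//')
        case "$key" in
            net.netfilter.nf_conntrack_tcp_loose) want=0 ;;  # unknown ACKs -> INVALID
            net.ipv4.tcp_timestamps)              want=1 ;;  # SYN cookies need options
            *) continue ;;
        esac
        if [ "$val" = "$want" ]; then
            echo "ok   $key = $val"
        else
            echo "FAIL $key = $val (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Example run on constructed sysctl output (not taken from a real host):
printf 'net.netfilter.nf_conntrack_tcp_loose = 0\nnet.ipv4.tcp_timestamps = 1\n' | check_prereqs
synproxy_rules eth0 443
```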