• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Contribution How to install (D)DoS Deflate and APF (Advanced Policy Firewall) to block bad IPs

MislavO

Regular Pleskian
Hello.

You could probably find tutorials using google, but here it is, at one place.

Before few days I had problems with one of the servers I administrate and situation on the server was as follows:
- totally slow network, websites loading was 10-20sec (30)
- at first I though, ok, slow loading, server load is high and some client is doing problems
- after connecting to the server and checking statistics - server CPU was all the time on 20-30%, memory was fine, all services were up-and-running so where is the problem?
- server wasn't on latest #MU, it was just missing 2-3 updates (I'm talking about plesk 11.5) and I could saw in history of changes no security updates whatsoever, but what ever, lets give it a try - nothing, didn't helped
- i did apt-get update && upgrade - still nothing
- current status was that everything is up-to-date, however there are still problems
- listing connections on the server with command:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
- there was so many connections from few IPs that I was like wow...after blocking them, server status was normal again (probably some kind of DDOS attack)

At this point, since Plesk doesn't have something like CSF on cPanel, I knew I need something to block this "bad" IPs or at least the ones with a lot of connections automatically, without me doing it manually.

After using google, searching and reading documentation, I've installed successfully (D)DOS Deflate and APF (Advanced Policy Firewall).

What is (D)DOS deflate?
http://deflate.medialayer.com/

What is APF (Advanced Policy Firewall)?
https://www.rfxn.com/projects/advanced-policy-firewall/

What can you do with this two/what do they do? For start, please do take 5-10mins and read above what they are.
- you can setup cron to run every X minute to check for connection number (I personally run script every minute, why not? it lists only IP addresses and that takes few seconds, there is no load on your CPU, you can even set-up it to run with command nice, if you want to)
- script is automatically blocking IP address if there are more then XX connections from it - you specify the number in configuration (more later)
- you can at any time unblock/block current/new IP address (more later) // make sure you whitelist your local IP address from office or local network range or you might end up like me blocked and then laugh hahaha, well, good thing is I could switch to another internet provider and change IP and then connect to the server->unblock myself->whitelist myself
- email is sent you (root)
- you choose ban period (in addition you can block whole IP/network range with APF permanently - more later)
- with APF you choose what ports you would like to open on the servers, all other ports will not work, firewall
- if I forgot something, I will probably mention later on when explaining everything

Installation:
(D)DOS Deflate:
# wget http://www.inetbase.com/scripts/ddos/install.sh
# chmod 0700 install.sh
# ./install.sh

APF (Advanced Policy Firewall):
# wget http://www.rfxn.com/downloads/apf-current.tar.gz
# tar xfz apf-current.tar.gz
# cd apf-9.*
# ./install.sh

After installation, lets configure settings.

First, lets edit "Deflate" conf:
# nano /usr/local/ddos/ddos.conf

- config file will look like this one:
##### Paths of the script and other files
PROGDIR="/usr/local/ddos"
PROG="/usr/local/ddos/ddos.sh"
IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
CRON="/etc/cron.d/ddos.cron"
APF="/etc/apf/apf"
IPT="/sbin/iptables"

##### frequency in minutes for running the script
##### Caution: Every time this setting is changed, run the script with --cron
##### option so that the new frequency takes effect
FREQ=1

##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=150

##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
APF_BAN=1

##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
##### KILL=1 (Recommended setting)
KILL=1

##### An email is sent to the following address when an IP is banned.
##### Blank would suppress sending of mails
EMAIL_TO="root"

##### Number of seconds the banned ip should remain in blacklist.
BAN_PERIOD=3600

Change following as follows:
- NO_OF_CONNECTIONS - I choose something like 150; I think that is pretty high number and everything above that should be blocked - you can set this lower, lets say, 75-150, but don't go to anything above 300 or 500, that is way too much!
- APF_BAN - leave this on 1, as we configure APF for this one
- EMAIL_TO - email will come to your email, if you ofcourse, want to receive emails (I don't see why not, create new folder in your mail, filter messages as there might be a lot of them)
- BAN_PERIOD - I strongly suggest that you set to something like 1800-3600 (30-60mins), don't set this number very low, better to set higher number, if customers will complain, if some of them get blocked, you can unblock them in a matter of second, question is, what were they doing to get e.g. 300 connections to get blocked?

Now, lets configure APF conf:
- this conf is really good commented by default, so you can read it
- before going in config file, you'll need to use command "ifconfig" in order to find out under which ethX you're running (most likely eth0 or eth1, but it can be different)
- since the file is pretty big, I will post just things that are mandatory in other to make it work and have it up-and-running

# nano /etc/apf/conf.apf (find variables and replace them)
- DEVEL_MODE="0" (set this option to 1 until you're happy with the settings)
- IFACE_IN="eth0" (set this to whatever is result from ifconfig)
- IFACE_OUT="eth0" (same as IFACE_IN)
- IG_TCP_CPORTS="21" (make sure you include here all email ports, SSH port, website ports, because if you leave default value here, no website/email will be working on the server) - mine is set to something like this:
IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000,8443,8449,3306,465,995,587"
- same goes for variable IG_UDP_CPORTS, EG_TCP_CPORTS, EG_UDP_CPORTS

_____

Lets try to start everything and DEBUG:
- Restart DDos Deflate
# cd /usr/local/ddos/ && ./ddos.sh -c
./ddos.sh: 13: [: /usr/local/ddos/ddos.conf: unexpected operator
DDoS-Deflate version 0.6
Copyright (C) 2005, Zaf <[email protected]>

$CONF not found.
- great, error before we started...lets fix it
# nano /usr/local/ddos/ddos.sh

- as error said, line 13 is the problem:
if [ -f "$CONF" ] && [ ! "$CONF" == "" ]; then
change it to
if [ -f "$CONF" ] && [ "$CONF" != "" ]; then
- save the with changes and restart Deflate again:
# cd /usr/local/ddos/ && ./ddos.sh -c
./ddos.sh: 14: ./ddos.sh: source: not found
crond: unrecognized service
./ddos.sh: 72: ./ddos.sh: cannot create : Directory nonexistent
./ddos.sh: 73: [: -le: unexpected operator
./ddos.sh: 76: ./ddos.sh: let: not found
./ddos.sh: 77: ./ddos.sh: let: not found
./ddos.sh: 78: ./ddos.sh: let: not found
./ddos.sh: 79: ./ddos.sh: cannot create : Directory nonexistent
crond: unrecognized service
- on some distributions and OS this will work, but I'm running here Debian 7 and there is no crond startup, just cron, so lets edit the file again:
# nano /usr/local/ddos/ddos.sh
- find and replace all crond with cron (only if you have this error) - on line 70, 81 you will see "service crond restart", change it to "service cron restart"
- save the file and exit
- restart Deflate again with:
# cd /usr/local/ddos/ && ./ddos.sh -c

- now we've successfully restart Deflate, lets start APF now with command:
# /usr/local/sbin/apf -s

There are also other commands/parameters you can use:
-s - start APF
-r - restart APF
-f - stop APF (if something is not working, stop the APF immediatelly, debug later)
-l - list statistics
-st - status of APF
-u - unban IP (in case you want to unban some IP that is already banned and you see it when running "/usr/local/sbin/apf -l", syntax is "/usr/local/sbin/apf -u IP")
-a host - allow connections from "host" (e.g. if you can to whitelist IP, example: /usr/local/sbin/apf -a XX.XX.0.0/16 - you can include just single IP or whole network)
-d host - deny connections from "host" (same as above example, you're just using -d)

How do you know if this is working? Simply check the connections from IP with command:
# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

If you've setuped email in ddos.conf and there is IP that is greater then defined NO_OF_CONNECTIONS, you will receive email. You can also see that IP in file "/etc/apf/deny_hosts.rules" on the bottom of the file (please note that IP will be in file only long as you specify BAN_PERIOD).

If you need to unblock the IP address, simple remove line in "/etc/apf/deny_hosts.rules" and restart APF with command:
# /usr/local/sbin/apf -r

To make everything work, setup cron under your root user as follows:
* * * * * cd /usr/local/ddos/ && ./ddos.sh (this will check for new IP connections and block them - setting cron is MANDATORY, however schedule it by your needs)

Please read their comments in configuration carefully if you're changing something that I didn't mention here.

Feel free to ask any question. I will update this topic in case I find something additional that could be usefull.

EDIT 1 - 27/2/2014:
- find attached tutorial below (add_banned_ip_in_subject.txt) and check comment #2 for changes
 

Attachments

  • add_banned_ip_in_subject.txt
    2.3 KB · Views: 44
Last edited:
Hi there, thank you.

I've updated my first post and I added modified add_banned_ip_in_subject.txt. "How to do it" is explained as well in the file.

Since there is a limit of 10k characters, I'm posting here changes.

Changes - nothing special, I just added few lines to have banned IP address in the subject as well, so you can sort later way more easy all emails and blacklist IP address if you see that the same is getting blocked almost every day, few times.
- by default, you will receive email with subject looking like this:
IP addresses banned on Wed Feb 26 06:59:01 GMT 2014
- now, with modifications, you will receive with:
IP addresses banned on Thu Feb 27 10:38:02 GMT 2014 - XXX.XXX.XXX.XXX
- banned IP will be in subject
 
I use Debian and my running this well:

./ddos.sh: 14: ./ddos.sh: source: not found
[....] Restarting periodic command scheduler: cron[....] Stopping periodic comma[ ok heduler: cron.
[ ok ] Starting periodic command scheduler: cron.
./ddos.sh: 72: ./ddos.sh: cannot create : Directory nonexistent
./ddos.sh: 73: [: -le: unexpected operator
./ddos.sh: 76: ./ddos.sh: let: not found
./ddos.sh: 77: ./ddos.sh: let: not found
./ddos.sh: 78: ./ddos.sh: let: not found
./ddos.sh: 79: ./ddos.sh: cannot create : Directory nonexistent
[....] Restarting periodic command scheduler: cron[....] Stopping periodic comma[ ok heduler: cron.
[ ok ] Starting periodic command scheduler: cron.

Is this normal?
 
I'm currently on vacation, but I'll check this out, but no, this is not normal. I will check what exactly is on this lines - restart was succesful, not sure though about this 'let' and what kind of directory need to be created/does not exists.
 
Well, CSF is far better solution then this one to be honest, I'm using CSF on our cPanel servers.

Anyway, I've tested this on our server running Debian 7 and I can't reproduce the above (your) errors. What version are you using?
 
Have uninstalled and am using the CSF with an adaptation Deflate.

So far this well, more my problem is the DDoS, since working with games, I will hire a company specializing in the game, with better protection.

Thank you for your attention.
 
I have tried this twice and each time I have the same problem. Running netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n will sort the connections by IP and number of connections but at the top of the list is always a single number: See below.

2 xxx.xxx.xxx.xxx
5 xxx.xxx.xxx.xxx
6 xxx.xxx.xxx.xxx
76 xxx.xxx.xxx.xxx
78

Then I will get an email that says:

Banned the following ip addresses on Wed Sep 10 09:26:01 EST 2014

78 with 78 connections


This repeats over and over with different numbers. How do I fix this? What would cause this?
I would love to use the script again but until this stops I can't.
 
Please be so kind and go to:

# nano /usr/local/ddos/ddos.conf

Locate the line
##### How many connections define a bad IP? Indicate that below.
NO_OF_CONNECTIONS=XX

I assume you have value here less then 60-70. If that is the case, increase number of connections, save the file and run:
# cd /usr/local/ddos/ && ./ddos.sh -c

to restart service.
 
Thank You. Please let us know if you would like any open source project to be integrated to Plesk as an extension.
 
The DDOS Deflate was built as per suggestion received by Andrey of the Parallels Team. However, if you can suggest us a project; and if it is built and delivered by us, we will be happy to give you discounted lifetime offer on the same.

And in case of the DDOS Extension, we can give you a free 1 month. Please register with us at: https://admin-ahead.com/portal/register.php and open a ticket and I will have it cleared for you.
 
The DDos Deflate Plesk Extension from Admin-Ahead is one of the nicest thing that I have found for Plesk.
I use it with the APF extension. Just amazing.
And by the way, they give an Outstanding Support. I'm glad I found this tread. Thanks!
 
Back
Top