
Editing a config file through SSH

  • 31-12-2012 12:41pm
    #1
    Registered Users Posts: 1,695 ✭✭✭


    Hi Folks,

    I'm trying to learn here :rolleyes:

    In order to install DDOS protection I have to edit a config file through SSH, but how do I save it? I can scroll down through it and edit it, but how do I actually save it? If I just close the window and go back in, it says there is a swap file, which isn't the one I edited; it's just the original.

    Thanks


Comments

  • Registered Users Posts: 7,157 ✭✭✭srsly78


    Depends what editor you are using.

    Are you using vim? Then press Esc, then colon, then wq and Enter to save and quit. Otherwise read the documentation for whatever other editor you are using.

    You haven't even told us the OS either -.- SSH is just a method of connecting (to anything), tells us nothing.


  • Registered Users Posts: 1,695 ✭✭✭Media999


    It's a Linux server. CentOS.

    Is there any way of installing a simple text editor or even an easier editor?

    I think it's vim as I type vm then filename to edit file.


  • Registered Users Posts: 2,022 ✭✭✭Colonel Panic


    Use nano. It's the simplest editor. Ctrl - o writes out the edited file, Ctrl - x closes nano and prompts you to save changed files. Launch it as root or use sudo to edit config files.

    What are you installing? I suggested Fail2Ban in another thread, so I'm guessing that?


  • Registered Users Posts: 1,695 ✭✭✭Media999


    How do I actually install nano and Fail2ban?

    I assume it's by putting something like wget http://xxxxxxxxx or something. That's how I installed ddosdeflate.

    I know F""k all about SSH commands and Linux servers. Really never needed to know it until some Jackass decided to DDOS me.


  • Registered Users Posts: 2,022 ✭✭✭Colonel Panic


    They're not SSH commands. SSH is a protocol you use to connect to a terminal on your Linux server.

    Regarding how to install nano and the like, does your provider have a guide for CentOS? The easiest way usually involves using a package manager that is distro specific to get and install programs and their dependencies. My dedicated server uses Ubuntu, so all of that's taken care of for me.

    A quick google says CentOS uses a package manager called Yum. So have a look at how you install stuff with that. At a guess, try
    yum install nano
    
    ??

    If you used wget to fetch ddosdeflate and did nothing else, then are you sure you installed it?


  • Registered Users Posts: 1,695 ✭✭✭Media999


    Sorry, yes, I ran a couple of commands after that:
    wget http://www.inetbase.com/scripts/ddos/install.sh
    chmod 0700 install.sh
    ./install.sh

    If I go vi /usr/local/ddos/ddos.conf it brings up a config file:
    ##### Paths of the script and other files
    PROGDIR="/usr/local/ddos"
    PROG="/usr/local/ddos/ddos.sh"
    IGNORE_IP_LIST="/usr/local/ddos/ignore.ip.list"
    CRON="/etc/cron.d/ddos.cron"
    APF="/etc/apf/apf"
    IPT="/sbin/iptables"

    ##### frequency in minutes for running the script
    ##### Caution: Every time this setting is changed, run the script with --cron
    ##### option so that the new frequency takes effect
    FREQ=1

    ##### How many connections define a bad IP? Indicate that below.
    NO_OF_CONNECTIONS=150

    ##### APF_BAN=1 (Make sure your APF version is atleast 0.96)
    ##### APF_BAN=0 (Uses iptables for banning ips instead of APF)
    APF_BAN=1

    ##### KILL=0 (Bad IPs are'nt banned, good for interactive execution of script)
    ##### KILL=1 (Recommended setting)
    KILL=1
    "/usr/local/ddos/ddos.conf" 30L, 971C

    All I really want to do is lower the connections and make it run off iptables as I don't seem to have APF installed.


  • Registered Users Posts: 1,695 ✭✭✭Media999


    Getting somewhere now, thank god. Installed nano and was able to modify and save it. Let's see if it actually works. Idea being if someone opens 100 connections at the same time it bans them for 5 mins.


  • Registered Users Posts: 2,022 ✭✭✭Colonel Panic


    Good stuff, you might need to restart the ddos deflate service after you edit the config, or at least reload the config file.


  • Registered Users Posts: 1,695 ✭✭✭Media999


    Getting emails every few mins saying it's banning IPs so hope it works. Site is accessible anyway.


  • Registered Users Posts: 2,021 ✭✭✭ChRoMe


    Media999 wrote: »
    Getting emails every few mins saying it's banning IPs so hope it works. Site is accessible anyway.

    Is it probable for a large amount of users behind the same IP to access your site at the same time? I'm just curious how you came up with the number of 100 connections. You should be very careful about verifying you are stopping actual attacks and not random users.


  • Registered Users Posts: 27,161 ✭✭✭✭GreeBo


    ChRoMe wrote: »
    Is it probable for a large amount of users behind the same IP to access your site at the same time? I'm just curious how you came up with the number of 100 connections. You should be very careful about verifying you are stopping actual attacks and not random users.

    Big time.
    You could be blocking an ISP


  • Registered Users Posts: 3,735 ✭✭✭Stuxnet


    Quite alarming that somebody is allowed run sudoer or root that doesn't know how to install a package or edit a file?


  • Registered Users Posts: 2,022 ✭✭✭Colonel Panic


    Quite alarming that you can pay money for something and not know how to work it?


  • Registered Users Posts: 1,695 ✭✭✭Media999


    ChRoMe wrote: »
    Is it probable for a large amount of users behind the same IP to access your site at the same time? I'm just curious how you came up with the number of 100 connections. You should be very careful about verifying you are stopping actual attacks and not random users.

    I was monitoring netstat and no one went anywhere near 100 except the same IP which was DDOSing the site. All it does is ban the IP for 5 mins anyway, so not a big deal if it accidentally bans a regular as they can just let me know, but no complaints so far. Pretty certain it's not a whole ISP.

    It's actually a forum which I've banned a Latvian spammer from recently. First IP was from Latvia, then it started changing to proxies after I blocked it. Fairly certain it's just some clown with a grudge and proxies.

    Stuxnet wrote: »
    Quite alarming that somebody is allowed run sudoer or root that doesn't know how to install a package or edit a file?

    How did you learn without starting somewhere?


  • Registered Users Posts: 26,571 ✭✭✭✭Creamy Goodness


    Media999 wrote: »
    How did you learn without starting somewhere?

    Probably like most of us, by having a development environment or virtual box where we can completely trash and restart it within 5-10 minutes, as opposed to doing anything we're not comfortable doing in a development environment on production servers.


  • Registered Users Posts: 1,695 ✭✭✭Media999


    I get your point but it makes more sense to me to just jump in and put a site online. Causing no hassle to anyone and learning while I go. Taught myself HTML, CSS and put a site online that just happened to become really popular. Needed a bigger server and got a good deal on a dedicated server.


  • Registered Users Posts: 2,021 ✭✭✭ChRoMe


    Media999 wrote: »
    I was monitoring netstat and no one went anywhere near 100 except the same IP which was DDOSing the site. All it does is ban the IP for 5 mins anyway, so not a big deal if it accidentally bans a regular as they can just let me know, but no complaints so far. Pretty certain it's not a whole ISP.

    It's near guaranteed you will have users coming from the same IP, at some stage, which will cause a false positive on the DDOS bans. It's going to be rare for users to contact you about it; I'd strongly suggest logging verbosely for a while and reviewing those logs.
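
Added example (not part of the original posts): one way to do the review suggested above is to count connections per source IP from `netstat -ntu` output and list which addresses each candidate threshold would ban, without banning anything. The sample connections, the documentation-range addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Dry-run review of a per-IP connection threshold. Nothing is banned.
# All sample data below is constructed (documentation address ranges).

# Emit $1 netstat-style TCP lines with foreign address $2.
emit_conns() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf 'tcp        0      0 192.0.2.1:80     %s:%d   ESTABLISHED\n' "$2" $((40000 + i))
        i=$((i + 1))
    done
}

# Constructed stand-in for the output of `netstat -ntu`.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address    Foreign Address     State\n'
    emit_conns 180 203.0.113.9      # one very noisy source
    emit_conns 120 198.51.100.20    # e.g. many users behind one shared IP
    emit_conns 12  192.0.2.55       # ordinary visitor
    emit_conns 3   127.0.0.1        # local traffic
}

# Read netstat output on stdin and print "count ip", highest count first.
# Header lines are skipped, as is any IP in the space-separated list $1.
count_per_ip() {
    awk -v ignore="$1" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 ~ /^tcp/ { ip = $5; sub(/:[0-9]+$/, "", ip); if (!(ip in skip)) c[ip]++ }
        END { for (ip in c) print c[ip], ip }
    ' | sort -rn
}

# From "count ip" lines on stdin, print IPs strictly above threshold $1.
would_ban() {
    awk -v t="$1" '$1 > t { print $2 }'
}

# Compare the thresholds discussed in the thread against the sample.
report() {
    for t in 100 150 200; do
        hits=$(sample_netstat | count_per_ip "127.0.0.1" | would_ban "$t" | tr '\n' ' ')
        printf 'threshold %s would ban: %s\n' "$t" "${hits:-none}"
    done
}

report
```

On a live server, pipe the real `netstat -ntu` output into `count_per_ip` in place of `sample_netstat` and keep the reports for a while before enabling bans.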


  • Registered Users Posts: 27,161 ✭✭✭✭GreeBo


    ChRoMe wrote: »
    It's near guaranteed you will have users coming from the same IP, at some stage, which will cause a false positive on the DDOS bans. It's going to be rare for users to contact you about it; I'd strongly suggest logging verbosely for a while and reviewing those logs.

    I'd just up the limit; if it's someone doing a DDOS then they will hit 500 whereas a normal user won't...


  • Registered Users Posts: 7,157 ✭✭✭srsly78


    If it's just a single ip then how is this a ddos? I bet someone has just left "ping -t ops-host.com" running.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    srsly78 wrote: »
    If it's just a single ip then how is this a ddos?

    Spoofed source address ddos?

    And if you're not following this advice:
    ChRoMe wrote: »
    It's near guaranteed you will have users coming from the same IP, at some stage, which will cause a false positive on the DDOS bans. It's going to be rare for users to contact you about it; I'd strongly suggest logging verbosely for a while and reviewing those logs.


    it'd be easy for a competitor to get your own server to block lots of your potential "customers"


  • Registered Users Posts: 2,534 ✭✭✭FruitLover


    gctest50 wrote: »
    Spoofed source address ddos?

    The point he's getting at is that the first 'D' in 'DDoS' stands for 'distributed'. If it's a single IP then it's not distributed, it's just a DoS attack, which is relatively easy to defeat. Distributed attacks are far more difficult to defend against.


  • Registered Users Posts: 1,695 ✭✭✭Media999


    Basically as soon as one IP is blocked, a while later another IP is used. As if someone is just realising it's blocked and swapping to another proxy. When I google the IPs they're coming up as known proxies for Gaming and Project Honeypot Spam.

    What I have done in the end is use DDoS Deflate, which now bans anyone that connects over 200 times. Problem with that is it only runs every 60 seconds, so a person has 60 seconds to hit hard and take down the server before it's banned.

    So with that I had to use this command here, which drops connections:
    /sbin/iptables -I INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset

    Seems to work so far as the site's been up since I ran it.


  • Registered Users Posts: 2,393 ✭✭✭Jaden


    There's a load of us on biker.ie who will help you out. Just sayin'. :)

    PM me if you need any more help. Or just post here, they're a pretty decent bunch here.


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    gctest50 wrote: »
    Spoofed source address ddos?

    FruitLover wrote: »
    The point he's getting at is that the first 'D' in 'DDoS' stands for 'distributed'. If it's a single IP then it's not distributed, it's just a DoS attack, which is relatively easy to defeat. Distributed attacks are far more difficult to defend against.

    yip, just ask all yer bots nicely to spoof their source address

    better : write them so they spoof from a list you carefully put together


    Might be of some use :

    https://www.dan.me.uk/dnsbl

