I have spent the last 3 years working on this: different configurations, different datacenters, etc. The first thing you will need is a good network. The best DDoS-protected network I have seen is Staminus.
First, choose your OS. Unless you are really good at writing firewall scripts for BSD, I would stay away from it. It's very secure and great for shell boxes, but there aren't many tools out there for managing DoS, and not many docs or howtos in general for any BSD distro. I have found that the best all-around distro for this type of webhosting is CentOS or Fedora. The control panel doesn't matter, because in order to have a good DoS-resistant box you are going to need some good hardware if you are hosting multiple sites. DirectAdmin or cPanel is best. Get at least 2 GB of RAM and any good dual-core processor, preferably a Xeon or Core 2 Duo.
When your server is provisioned, the first thing to do is install and configure your firewall. I highly recommend CSF; full installation docs are on the site and in the tarball. It's very simple: install it with install.sh, then edit your csf.conf, putting in which ports you want to allow incoming and outgoing, and your network interface, whether it is eth0 or eth1 (eth+ will work if you are not sure). Then find the connection tracking config. You want to set it to about 90-120 connections. Usually a setting like this will not ban legit users, but it can ban webmasters working on their sites or uploading lots of single files via FTP. Set the ban to permanent and the interval to 45-60 seconds; during an attack you may want to take it down to 30 seconds.
Next, install my syn-deflate script (a modified version of dos-deflate from medialayer). It's good for blocking SYN floods, especially when the attackers don't hold enough open connections to trigger CSF's connection tracking. It's not fully finished, but it does work. This will probably never ban legit users: the default connection limit is set to 10, which you can lower to about 6 if you like, since no legit user needs to be sending that many SYNs at once.
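As an added example (not the author's syn-deflate script, which is not reproduced on this page), here is a small POSIX shell script that does what the passage describes: it reads netstat-style lines, counts half-open (SYN_RECV) connections per remote IP, and prints the CSF deny command for any source at or above the limit as a dry run. The netstat lines and the 203.0.113.10 / 198.51.100.x / 192.0.2.x addresses are constructed placeholders, and the column layout assumed is that of `netstat -ntu`.

```shell
#!/bin/sh
# Added example, not the author's syn-deflate script. Counts SYN_RECV entries
# per remote IP from netstat-style input and reports sources at or above
# SYN_LIMIT by echoing (not running) the CSF deny command for each one.

# Default from the post: 10 SYNs; tune down to about 6 if you like.
SYN_LIMIT="${SYN_LIMIT:-10}"

# Constructed netstat-like output (not captured from a real host):
# 12 half-open connections from 198.51.100.7, 6 from 198.51.100.9,
# plus a few legitimate established/udp entries that must be ignored.
sample_netstat() {
  i=0
  while [ "$i" -lt 12 ]; do
    echo "tcp   0   0 203.0.113.10:80   198.51.100.7:$((40000 + i))   SYN_RECV"
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 6 ]; do
    echo "tcp   0   0 203.0.113.10:80   198.51.100.9:$((41000 + i))   SYN_RECV"
    i=$((i + 1))
  done
  echo "tcp   0   0 203.0.113.10:80   192.0.2.5:51000   ESTABLISHED"
  echo "tcp   0   0 203.0.113.10:22   192.0.2.5:51001   ESTABLISHED"
  echo "udp   0   0 203.0.113.10:53   192.0.2.6:51002"
}

# Print "count ip" for each remote address in SYN_RECV state, busiest first.
count_syn_per_ip() {
  awk '$6 == "SYN_RECV" { split($5, a, ":"); c[a[1]]++ }
       END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Print only the IPs whose SYN_RECV count is >= $1, sorted, one per line.
over_limit() {
  count_syn_per_ip | awk -v lim="$1" '$1 >= lim { print $2 }' | sort
}

# The command that would ban an IP in CSF (`csf -d IP comment`); echoed, not run.
ban_cmd_for() {
  printf 'csf -d %s syn-flood-%s-syns\n' "$1" "$2"
}

# Dry-run pass over stdin: one deny command per offender above SYN_LIMIT.
syn_deflate_check() {
  count_syn_per_ip | awk -v lim="$SYN_LIMIT" '$1 >= lim { print $2, $1 }' |
    while read -r ip n; do ban_cmd_for "$ip" "$n"; done
}
sample_netstat | syn_deflate_check
```

To run it against a live box, replace `sample_netstat` with `netstat -ntu` and, once you trust the output, swap the `printf` in `ban_cmd_for` for the real `csf -d` call.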
Now for the most important step. Get this wrong and it could mean you sitting in your server constantly banning IPs by hand, or, god forbid, if you happen to be gone for the day, your server could be down all day. It's Apache, the fork-bombing, memory-leaking piece of crap: no matter what connection tracking scripts you have, once Apache reaches a certain limit it just fork bombs and can crash your server. Apache is very easy to DoS; even after you ban an IP for opening massive numbers of connections, it will take the full timeout limit before the server is accessible again. BUT you do want to have Apache up and running before you do this. Install LiteSpeed HTTP server, the Enterprise edition, not the free one. You can download it here and find instructions for installing and converting here. Use the trial and then pay for it; trust me, it is well worth the money. It is an amazing server that's very light on resources while being able to handle storms of DoS and tons of traffic without even breaking a sweat, keeping the load low at all times. I would not run anything else. Plus you can now host up to 3 times more sites than you normally could with Apache.
Once you have LiteSpeed installed you may want to play with its settings and tuning to get things just right; only in extreme situations do you really need to use its anti-DoS features. You can also switch back and forth between suPHP and normal mode with one setting. This is useful if a PHP/MySQL site like a vBulletin forum is being flooded with GET requests: it limits the number of PHP processes that can be opened, which can keep things from getting out of control.
Once you have all of your firewall scripts and the LiteSpeed HTTP server set up, you can sit back and relax. It should be able to handle lots of attacks without even lagging, so you will rarely have to log in to your server to manually ban IPs. Your sites will load faster and your customers will be happy. The kind of HTTP protection you have just set up is what most places charge thousands for, just to protect against HTTP attacks. You will be able to offer it much cheaper, and you will not find many people you cannot help unless they are getting multi-Gbit attacks that your datacenter is null-routing.
Hope this helps someone, good luck!