
Re: DoS protection solutions for Debian Servers ?



On 13 Mar 2024 20:20 +0100, from jfbachelet@free.fr (Jean-François Bachelet):
> Looking for advice for protecting debian servers from DoS attacks

Denial of service (such as software crashes because of network input),
or distributed denial of service (such as connection or system
overload because of excessive traffic)?

A good start for the former would be to have an easy way to monitor
for and apply software updates quickly throughout your stack.

The latter is almost impossible to defend against once the traffic has
reached the host in question; however, many service providers offer
DDoS protection *before* the traffic even reaches the server or maybe
even the network, which allows soaking up much greater traffic volumes.

So, just for clarity's sake: which is it?


> needless to say that fail2ban isn't enough for this task...
> 
> scripts for firewall too... and tiring to make as hackers' responses are
> damn' fast to this.

I could be wrong, but to me this suggests a wrong approach to
firewalling. You should run a default-drop or default-reject firewall,
and only allow the traffic that is explicitly needed to provide the
service that the particular host is supposed to offer. Then there
should be very little need to continuously adapt to attackers' tactics
on the network level.
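As an added illustration of the default-drop approach described above (this is example configuration, not part of the original message), an nftables ruleset for a Debian host that is assumed to offer only HTTP/HTTPS and SSH; the port choices and the SSH rate limit are assumptions for the example:

```nft
#!/usr/sbin/nft -f
# Added example, not from the original message. Default-drop input policy:
# only the traffic this host is supposed to serve is explicitly allowed.
# Assumed services: HTTP/HTTPS (80, 443/tcp) and SSH (22/tcp).

flush ruleset

table inet filter {
    chain input {
        # Anything not accepted by a rule below is dropped by the policy.
        type filter hook input priority filter; policy drop;

        # Stateful: accept replies to connections this host opened,
        # and drop packets the connection tracker cannot classify.
        ct state established,related accept
        ct state invalid drop

        # Local loopback traffic is always required.
        iif "lo" accept

        # ICMP is needed for path MTU discovery and error reporting;
        # cap unsolicited echo requests so they cannot be used as noise.
        icmp type echo-request limit rate 10/second accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # ICMPv6 carries neighbour discovery and must not be dropped wholesale.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } accept

        # Explicitly offered services only.
        tcp dport { 80, 443 } accept
        # New SSH connections are rate limited (global, not per source) to
        # blunt brute forcing without touching established sessions.
        tcp dport 22 ct state new limit rate 6/minute burst 10 packets accept

        # Log a sample of what the policy drops so it stays visible in the
        # journal without flooding it; the final drop is the policy made explicit.
        limit rate 5/minute log prefix "nft-drop: " drop
    }

    chain forward {
        # This host does not route; drop everything passing through.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

On Debian this file is typically installed as /etc/nftables.conf (package nftables) and loaded by nftables.service; `nft -c -f /etc/nftables.conf` parses it without applying it, which is worth running before enabling the service on a remote host.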


> what solutions (free or not) do you Debian servers pros use (for pro or
> private servers) ?

CrowdSec is supposed to be quite good; used in a typical fashion, it's
similar to fail2ban, but leverages data on attacks from a large number
of systems. I understand it can be run either locally on your network
or sharing attack data over the Internet with other users as well (and
benefiting from those users' data in return).

Another thing that might help for non-public services but certainly
isn't a panacea is port knocking and running services on non-standard
ports. I use both myself mostly to cut down on log noise, but it's not
something that most non-technical users can be expected to be able to
deal with; and of course to someone on the network path, it should be
considered essentially plaintext authentication. Still, it does reduce
the impact of background noise scanning.

And of course, again, having a plan and process to apply updates
(especially but not necessarily restricted to security-related
updates) quickly as they become available.

-- 
Michael Kjörling                     🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

