Discussion in 'Tutorials and Guides' started by Francisco, Feb 18, 2014.
Alright, I'll start working on that now.
As per @Francisco's suggestion I have changed how I lookup a bridge.
wget http://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -
wget https://cdn.content-network.net/Mun/apps/frantp/0.6a/script.sh -O - | bash -
# This allows us to check if the bridge exists in a more appropriate way
# (the key only appears in /proc when the bridge module is loaded).
if [ -e "/proc/sys/net/bridge/bridge-nf-call-iptables" ]; then
    # (the rest of this block was not quoted in the post)
    :
fi
First they came for the Socialists, and I did not speak out-- Because I was not a Socialist.
Then they came for the Trade Unionists, and I did not speak out-- Because I was not a Trade Unionist.
Then they came for the Jews, and I did not speak out-- Because I was not a Jew.
Then they came for me--and there was no one left to speak for me.
Instead of looking for the next get-rich-quick scheme, remember when a good portion of the net went dark because this exploit was used to take Level3 offline. Food for thought.
Has anyone seen any issues with conntrack as a result of this fix?
Not on our nodes, no.
Thank You for sharing this Francisco
So help a sad person out...
net.ipv4.ip_forward = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic = 10
net.bridge.bridge-nf-call-iptables = 1
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
So is the issue the CentOS version?
Is it an OpenVZ node or a KVM?
sysctl -a | grep bridge
If there's not a bridge set up, then that key won't exist. On OpenVZ nodes, there shouldn't be a bridge.
Thanks for sharing this! Also, make sure your conntrack tables don't fill up =)
What version are you using to run this? I assume you are using the script. As of now Magiobiwan's script simply throws it in place, as did my initial versions. If you use 0.6a you shouldn't have that issue. I also suggest you remove the 'net.bridge.bridge-nf-call-iptables = 1' from your /etc/sysctl.conf if you aren't using OpenVZ, as you don't need it.
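The problem in the thread is that `sysctl -p` aborts with "unknown key" on hosts that have no bridge, because the script wrote `net.bridge.bridge-nf-call-iptables = 1` unconditionally. The script below is an added example, not the thread's script or any version of it: it checks the /proc path first (with `-e` rather than the deprecated `-a` test), adds the key to sysctl.conf only when the kernel exposes it, and removes a stale copy of the key otherwise so the file loads cleanly. The helper names and the `--live` switch are assumptions of this example; the config and proc paths are the ones discussed in the thread.

```shell
#!/bin/sh
# Added example: apply net.bridge.bridge-nf-call-iptables only where the
# kernel exposes it, and keep /etc/sysctl.conf loadable on bridge-less hosts.

KEY="net.bridge.bridge-nf-call-iptables"
PROC_PATH="/proc/sys/net/bridge/bridge-nf-call-iptables"

# bridge_key_present PROCFILE -> 0 if the sysctl key exists in /proc
bridge_key_present() {
    [ -e "$1" ]
}

# key_pattern KEY -> grep pattern matching a "KEY = value" line (dots escaped)
key_pattern() {
    printf '^[[:space:]]*%s[[:space:]]*=' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# drop_conf_line CONF KEY -> remove every line that sets KEY from CONF
drop_conf_line() {
    conf="$1"; key="$2"; tmp="$conf.tmp.$$"
    [ -e "$conf" ] || return 0
    grep -v "$(key_pattern "$key")" "$conf" > "$tmp" || true   # grep -v exits 1 when nothing is left
    mv "$tmp" "$conf"
}

# set_conf_line CONF KEY VALUE -> ensure exactly one "KEY = VALUE" line in CONF
set_conf_line() {
    conf="$1"; key="$2"; value="$3"
    drop_conf_line "$conf" "$key"
    printf '%s = %s\n' "$key" "$value" >> "$conf"
}

# apply_bridge_fix CONF PROCFILE -> prints "applied" or "skipped"
# CONF is the sysctl config to edit; PROCFILE is the /proc key to probe
# (parameterised so the logic can be exercised against a scratch directory).
apply_bridge_fix() {
    conf="$1"; procfile="$2"
    if bridge_key_present "$procfile"; then
        set_conf_line "$conf" "$KEY" 1
        # only touch the running kernel when pointed at the real /proc key
        [ "$procfile" = "$PROC_PATH" ] && sysctl -w "$KEY=1" >/dev/null
        echo applied
    else
        # no bridge on this node: a leftover key would make "sysctl -p" error out
        drop_conf_line "$conf" "$KEY"
        echo skipped
    fi
}

# On a real node: sh this-script.sh --live   (assumed switch, edits /etc/sysctl.conf)
if [ "${1:-}" = "--live" ]; then
    apply_bridge_fix /etc/sysctl.conf "$PROC_PATH"
fi
```

Running it on an OpenVZ node without a bridge prints "skipped" and strips the key; on a KVM host with a bridge it prints "applied", leaves exactly one copy of the line, and sets the live value, so a later `sysctl -p` never trips over the key.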
A late addition to the thread:
iptables -A FORWARD ! -f -p udp -m multiport --ports 123 -m u32 --u32 "0>>22&0x3C@8&0xFF=42" -j DROP
This will block all UDP monlist packets, IN or OUT, allowing you to also stop any MONLIST packets that may leak through hardware protection (of course this is not a substitute for good protection).
A slightly altered variant of this rule has been tested with a stresser
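To make clear what that u32 match actually tests (so it can be audited before being dropped into a FORWARD chain), here is an added example that is not from the thread: a small POSIX shell evaluator that walks the expression `0>>22&0x3C@8&0xFF=42` step by step over constructed packets. The hex packets, the helper names and the sample addresses are constructed for this example; the NTP mode 7 layout (request code in UDP payload byte 3, 42 = MON_GETLIST_1) is the standard one the rule relies on.

```shell
#!/bin/sh
# Added example: evaluate the iptables u32 match "0>>22&0x3C@8&0xFF=42"
# against constructed IPv4/UDP/NTP packets given as hex strings.
#   0>>22&0x3C : first 32 bits of the IP header, shifted and masked -> IHL*4
#   @8         : move the load offset to IHL*4 + 8 (first byte of the UDP payload)
#   &0xFF=42   : low byte of the 4 bytes loaded there = payload byte 3 = request code

MONLIST_CODE=42   # NTP mode 7 request code MON_GETLIST_1

# byte_at HEX INDEX -> decimal value of byte INDEX (0-based) of hex string HEX
byte_at() {
    start=$(( $2 * 2 + 1 ))
    printf '%d' "0x$(printf '%s' "$1" | cut -c "$start-$((start + 1))")"
}

# ihl_bytes_of HEX -> IP header length in bytes, exactly as (word0 >> 22) & 0x3C
ihl_bytes_of() {
    w0=$(( ($(byte_at "$1" 0) << 24) | ($(byte_at "$1" 1) << 16) | ($(byte_at "$1" 2) << 8) | $(byte_at "$1" 3) ))
    echo $(( (w0 >> 22) & 0x3C ))
}

# u32_monlist_match HEX -> 0 if the rule would match this packet, 1 otherwise
u32_monlist_match() {
    pkt="$1"
    off=$(( $(ihl_bytes_of "$pkt") + 8 ))
    len=$(( ${#pkt} / 2 ))
    # u32 never matches when the 4-byte load would run past the end of the packet
    [ $(( off + 4 )) -le "$len" ] || return 1
    code=$(byte_at "$pkt" $(( off + 3 )))
    [ "$code" -eq "$MONLIST_CODE" ]
}

# Constructed samples (192.168.0.1 -> 192.168.0.2, udp/123 -> udp/123, checksums zeroed).
IP_HDR="450000300000400040110000c0a80001c0a80002"           # IHL=5, no options
IP_HDR_OPTS="460000340000400040110000c0a80001c0a8000201010000" # IHL=6, 4 bytes of options
UDP_HDR="007b007b001c0000"
NTP_MONLIST="1700032a00000000"   # mode 7, impl 3 (XNTPD), request code 0x2a = 42
NTP_CLIENT="e3000aec00000000"    # ordinary mode 3 client poll

SAMPLE_MONLIST="$IP_HDR$UDP_HDR$NTP_MONLIST"
SAMPLE_MONLIST_OPTS="$IP_HDR_OPTS$UDP_HDR$NTP_MONLIST"   # options shift the payload; rule still finds it
SAMPLE_CLIENT="$IP_HDR$UDP_HDR$NTP_CLIENT"
SAMPLE_SHORT="$IP_HDR$UDP_HDR"                           # UDP header only, no payload

for s in SAMPLE_MONLIST SAMPLE_MONLIST_OPTS SAMPLE_CLIENT SAMPLE_SHORT; do
    eval "v=\$$s"
    if u32_monlist_match "$v"; then echo "$s: DROP"; else echo "$s: pass"; fi
done
```

The IHL computation is why the rule survives IP options (the second sample) where a fixed-offset match would miss, and the length guard mirrors u32's own behaviour of not matching when a load would exceed the packet, which is why the normal client poll and the truncated datagram are passed through.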
Great work, seems a good way.
Does this work with OpenVZ OS?
This just stops your VM's from being used to DDOS other people, it won't stop NTP floods from hitting you straight in the face.
Helpful tutorial, thanks.
Is there any way to stop DNS amplification attack? Any tutorial on this, would be highly appreciated.