APF + BFD + DDOS + Rootkit detector

With thanks to Powerdomein from Direct-Admin forums:



For good security on your server, install the following modules.

Mod Security: http://www.directadmin.com/forum/sho...y&pagenumber=1

APF = Firewall, very easy to configure
BFD + DDoS = Detect brute-force and DoS attacks and block the offending IP
Rootkit = Search your server for rootkits, spyware and junkware.

HOW TO :


For those who admin a server, we all know the pain of script kiddies trying their DoS attacks and trying to brute-force your services. Some people will tell you there is no way to stop either 100%, but there is. First and foremost you should have a secure and sensible server configuration: do not run any services you do not need, as the more services are active, the greater the chance of one being exploitable. Lots of people swear by Apache mod_evasive, but there are better alternatives, as all mod_evasive does is give the attacker a 403 error when they make too many requests too fast.

First off ssh to your server as root.
Code:
cd /usr/local/src

Code:
wget http://rfxnetworks.com/downloads/apf-current.tar.gz

Code:
tar -zxf apf-current.tar.gz

Code:
cd apf-0.*

Code:
./install.sh

This will install APF; then you need to set your config parameters.


Code:
pico -w /etc/apf/conf.apf

Scroll down to the "Common ingress (inbound) TCP ports" section. At this point you need to find the correct configuration for your control panel.

-----Direct Admin-----
IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,5879 53,2222,3306,32769"
IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"


Find the line for activating antidos, change it to on. Then

Code:
pico /etc/apf/ad/conf.antidos

Then find the devel mode setting and leave it at 1 so you do not lock yourself out; once you know everything is OK, come back and turn it off.

There are various things you might want to fiddle with, but I'll cover the ones that will alert you by email.

# [E-Mail Alerts]
Under this heading we have the following:

# Organization name to display on outgoing alert emails
CONAME="Your Company"
Enter your company name or server name.

# Send out user defined attack alerts [0=off,1=on]
USR_ALERT="0"
Change this to 1 to get email alerts

# User for alerts to be mailed to
USR="your@email.com"
Enter your email address to receive the alerts

Save your changes! Ctrl+X then press Y
Then start your firewall to make sure everything is OK.
Apf Usage:
usage apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

Now
Code:
cd /usr/src
Code:
wget http://www.r-fx.ca/downloads/bfd-current.tar.gz

Code:
tar -zxf bfd-current.tar.gz

Code:
./install.sh

The configuration file for BFD is located at '/usr/local/bfd/conf.bfd'; it is
very straightforward and the comments themselves explain what each option
is for. Of the options, you should ideally configure the ALERT_USR toggle to
enable or disable user email alerts and, in conjunction, configure the
EMAIL_USR variable with the email address you would like to receive alerts at.

An ignore file is present at '/usr/local/bfd/ignore.hosts'; this is a line-
separated file in which to place hosts that you would like to be ignored for
authentication failures. An internal function will attempt to fetch all
local IPs bound on the installed system and internally ignore
events appearing to be from such addresses.

Now go back to /usr/src

Code:
cd /usr/src

Code:
wget http://www.inetbase.com/scripts/ddos/install.sh

Code:
sh install.sh

The config file is in /usr/local/ddos/ddos.conf; set your max connections, alert settings and such in there.

The usage is pretty self-explanatory:

Usage: ddos.sh [OPTIONS] [N]
N : number of tcp/udp connections (default 150)
OPTIONS:
-h | --help: Show this help screen
-c | --cron: Create cron job to run this script regularly (default 1 mins)
-k | --kill: Block the offending ip making more than N connections
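As an added example (not from the original post and not the ddos.sh script itself), here is a small shell function that applies the same rule ddos.sh describes, counting connections per remote address and reporting those holding more than N, run against constructed netstat-style output so it works offline:

```shell
# Added example, not part of ddos.sh: count connections per remote IP
# and report those above a threshold N, the check ddos.sh performs.
# Input is netstat -ntu style text on stdin (first two lines are headers).
over_limit() {
    # $1 = threshold N; prints "ip count" for every remote IP with > N connections
    awk -v n="$1" '
        NR > 2 && $5 ~ /:/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # strip the port from host:port
            c[ip]++
        }
        END {
            for (ip in c) if (c[ip] > n) print ip, c[ip]
        }' | sort
}

# Constructed sample of netstat -ntu output (not real traffic)
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51236        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.7:40002      ESTABLISHED
udp        0      0 10.0.0.5:53             203.0.113.9:5353        ESTABLISHED'

# Report remote IPs holding more than 2 connections in the sample
printf '%s\n' "$SAMPLE" | over_limit 2
```

On a live box you would feed it `netstat -ntu` instead of the sample and review the output before deciding whether a listed address belongs in deny_hosts.rules.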

Congratulations you now have dos and brute force protection and an easy to use firewall interface.

Rootkit:
How do I install Rootkit Hunter?
Download the gzipped tarball, extract it and run the installation script.

download:
# wget http://downloads.rootkit.nl/rkhunter-<version>.tar.gz
Note: It doesn't matter where you save the tarball

extract:
# tar zxf rkhunter-<version>.tar.gz

installation:
# cd rkhunter
# ./installer.sh


(Source: nix101.com)
(Source: http://www.rootkit.nl/articles/rootkit_hunter_faq.html)