
I have a Linux web hosting server which is being hit by a heavy DDoS. I want to use a Cisco ASA 5500 Series Adaptive Security Appliance to protect the Linux server from this DDoS. I know there are many factors you should know before you choose a suitable hardware firewall, such as the size of this DDoS, the pps, etc.

Please suggest Linux tools to measure those factors and to help me collect the required information (pps, size of the DDoS, concurrent connections and other factors).

Regards,

1 Answer


There are plenty of Linux tools to help you collect information on DDoS and other attacks.

One simple free solution is Fail2Ban.

Fail2ban is an intrusion prevention framework written in the Python programming language. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally (for example, iptables or TCP Wrapper).

Example of protecting Apache:

Edit /etc/fail2ban/jail.conf to add:

[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 300
findtime = 300
# ban duration in seconds (600 = 10 minutes)
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Next, create the file /etc/fail2ban/filter.d/http-get-dos.conf (the name must match the filter = line in the jail):

# Fail2Ban configuration file

[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.

failregex = ^<HOST> -.*GET

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Check /var/log/fail2ban.log for notifications and to see if it's working properly.

http://www.fail2ban.org/wiki/index.php/HOWTOs

에이바
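As an added example (not part of the original answer or of fail2ban itself), the Python script below reproduces the counting rule the jail above applies: one hit per GET line keyed by client IP, a ban once an IP reaches maxretry hits inside a sliding findtime window. It also reports each IP's peak hit count within one window, which is the kind of per-source rate the question asks for. The Apache access-log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: "<ip> - <user> [<timestamp>] "<request>" ..."
# The first field is what fail2ban substitutes for <HOST> in its failregex.
LOG_RE = re.compile(r'^(?P<host>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Defaults mirror the jail in the answer (maxretry = 300 hits within findtime = 300 s).
MAXRETRY = 300
FINDTIME = 300


def parse_line(line):
    """Return (ip, timestamp) for a GET request line; None for anything else."""
    m = LOG_RE.match(line)
    if not m or not m.group("req").startswith("GET"):
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FMT)


def scan(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through a per-IP sliding window.

    Returns (banned, peak): banned maps IP -> time the threshold was crossed,
    peak maps IP -> the most GET hits seen inside any single findtime window.
    """
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # ip -> timestamps of GETs still inside the window
    peak = defaultdict(int)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = hits[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire hits older than findtime
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        if ip not in banned and len(q) >= maxretry:
            banned[ip] = ts               # fail2ban would fire the iptables action here
    return banned, dict(peak)


# --- constructed sample log (not real traffic) -------------------------------
def _line(ip, ts, method="GET"):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} /index.html HTTP/1.1" '
            f'200 512 "-" "curl/8.0"')


_BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = (
    [_line("10.0.0.5", _BASE + timedelta(seconds=i)) for i in range(6)]        # burst: 6 GETs in 5 s
    + [_line("10.0.0.5", _BASE + timedelta(seconds=7), "POST")]                # POST: ignored by the filter
    + [_line("192.0.2.7", _BASE + timedelta(minutes=5 * i)) for i in range(3)]  # slow, legitimate client
)

if __name__ == "__main__":
    # Small thresholds so the constructed burst trips the rule.
    banned, peak = scan(SAMPLE_LINES, maxretry=5, findtime=60)
    for ip, count in sorted(peak.items()):
        status = f"BANNED at {banned[ip].isoformat()}" if ip in banned else "ok"
        print(f"{ip:<12} peak {count:>3} hits/60s  {status}")
```

With the jail's real values (300 hits in 300 seconds) the same replay over a day's access.log tells you which sources would have been banned and how bursty they were before buying hardware sized on guesswork.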