CaptainSlow
11th September 2015, 22:43
Back when I was running our COD servers on Linux, I had these entries in my rc.local file:
# ****sprintf() exploit Fix
# Reject oversized (1000-2000 byte) UDP packets aimed at the game ports
# 28962-28964; a legitimate query is only a few dozen bytes.
iptables -A INPUT -p udp --dport 28962 -m length --length 1000:2000 -j REJECT
iptables -A INPUT -p udp --dport 28963 -m length --length 1000:2000 -j REJECT
iptables -A INPUT -p udp --dport 28964 -m length --length 1000:2000 -j REJECT
# ****UDP Flood Fix
# Drop UDP packets of 1162-1168 bytes in every chain (outbound, forwarded, inbound).
iptables -A OUTPUT -p udp -m length --length 1162:1168 -j DROP
iptables -A FORWARD -p udp -m length --length 1162:1168 -j DROP
iptables -A INPUT -p udp -m length --length 1162:1168 -j DROP
# A plain getstatus query is 42 bytes on the wire (20 IP + 8 UDP + 14 payload).
# Record its source in the getstatus_cod list; there is no -j, so the packet
# carries on down the chain.
iptables -A INPUT -p udp -m length --length 42 -m recent --set --name getstatus_cod
# Drop getstatus packets from a source seen 20 or more times in the last second.
iptables -A INPUT -p udp -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP
# These commands, for instance, would block external IPs that send queries
# at a rate of 2/second or higher
# add a host to the banlist and then drop the packet.
iptables -N QUERY-BLOCK
iptables -A QUERY-BLOCK -m recent --set --name blocked-hosts -j DROP
# is this a query packet? if so, block commonly attacked ports outright,
# then see if it's a known attacking IP, then see if it is sending at a high
# rate and should be added to the list of known attacking IPs.
iptables -N QUERY-CHECK
# Offsets count from the start of the IP header: 20 IP + 8 UDP + the 4-byte
# 0xff prefix puts "getstatus" at bytes 32-40. Anything else leaves the chain.
iptables -A QUERY-CHECK -p udp -m string ! --string "getstatus" --algo bm --from 32 --to 41 -j RETURN
# Queries with a privileged source port, or a source port belonging to another
# well-known game service, are not from a real client: drop them.
iptables -A QUERY-CHECK -p udp --sport 0:1025 -j DROP
iptables -A QUERY-CHECK -p udp --sport 3074 -j DROP
iptables -A QUERY-CHECK -p udp --sport 7777 -j DROP
iptables -A QUERY-CHECK -p udp --sport 27015:27100 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25200 -j DROP
iptables -A QUERY-CHECK -p udp --sport 25565 -j DROP
# is it already blocked? continue blocking it and update the counter so it
# gets blocked for at least another 30 seconds.
iptables -A QUERY-CHECK -m recent --update --name blocked-hosts --seconds 30 --hitcount 1 -j DROP
# check to see if it exceeds our rate threshold,
# and add it to the list if it does.
# (hashlimit's default --hashlimit-burst of 5 lets the first few queries
# through before the 2/second limit applies.)
iptables -A QUERY-CHECK -m hashlimit --hashlimit-mode srcip --hashlimit-name getstatus --hashlimit-above 2/second -j QUERY-BLOCK
# look at all the packets going to q3/cod*/et/etc servers
iptables -A INPUT -p udp --dport 27960:29000 -j QUERY-CHECK
See the comments for what they're used for. I must admit I got it from someone else but I forgot the source. Adding these rules to your rc.local file ensures they are set every time your server (re)boots.
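Added example, not part of the post above and not code from iptables or any game server: a small Python model of the packet-level checks the QUERY-CHECK rules depend on, so you can see why "--length 42" and "--from 32 --to 41" line up with a getstatus query before trusting the rules. It builds IPv4/UDP datagrams with constructed addresses (203.0.113.5, 198.51.100.10), assumes the Quake 3 style query payload `\xff\xff\xff\xffgetstatus\n`, and emulates the xt_length, xt_string, xt_recent and hashlimit semantics in plain Python (the names build_packet, QueryCheck and HashLimit are this example's own). The hashlimit emulation keeps the module's default burst of 5, which is why a source gets five queries through before the 2/second limit bans it.

```python
"""Model of the packet-level tests behind the QUERY-CHECK rules (added example)."""
import socket
import struct
from collections import defaultdict

IP_HDR = 20   # IPv4 header without options
UDP_HDR = 8

# Constructed sample payloads (assumption: Quake 3 style out-of-band query,
# four 0xff bytes then the command and a newline; 14 bytes gives the
# 42-byte datagram the "--length 42" rule expects).
GETSTATUS = b"\xff\xff\xff\xffgetstatus\n"
GETINFO = b"\xff\xff\xff\xffgetinfo xxx\n"


def build_packet(src, sport, dst, dport, payload):
    """Minimal IPv4/UDP datagram, layout only (checksums left zero)."""
    total = IP_HDR + UDP_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    return ip + udp + payload


def length_match(pkt, lo, hi):
    """-m length --length lo:hi; xt_length compares the IP total length."""
    return lo <= len(pkt) <= hi


def string_match(pkt, needle, frm=0, to=None):
    """-m string --from frm --to to; offsets count from the IP header, and the
    whole needle must sit inside the window (hence 32..41 for 'getstatus')."""
    return needle in pkt[frm:to]


def src_ip(pkt):
    return socket.inet_ntoa(pkt[12:16])


def src_port(pkt):
    return struct.unpack("!H", pkt[IP_HDR:IP_HDR + 2])[0]


# --sport ranges dropped outright in QUERY-CHECK
BLOCKED_SPORTS = [(0, 1025), (3074, 3074), (7777, 7777),
                  (27015, 27100), (25200, 25200), (25565, 25565)]


class HashLimit:
    """--hashlimit-above rate per srcip: a token bucket with the module's
    default --hashlimit-burst of 5, so the first five queries always pass."""

    def __init__(self, rate, burst=5):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def above(self, key, now):
        last = self.last.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + (now - last) * self.rate)
        self.last[key] = now
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return False
        return True          # no credit left: rate exceeded


class QueryCheck:
    """Walks the QUERY-CHECK chain for one packet seen at time `now` (seconds)."""

    def __init__(self):
        self.blocked = {}                 # the "blocked-hosts" recent list
        self.limit = HashLimit(rate=2)    # --hashlimit-above 2/second

    def verdict(self, pkt, now):
        if not string_match(pkt, b"getstatus", 32, 41):
            return "SKIP"     # -j RETURN: not a query, back to INPUT
        sport = src_port(pkt)
        if any(lo <= sport <= hi for lo, hi in BLOCKED_SPORTS):
            return "DROP"
        src = src_ip(pkt)
        if src in self.blocked and now - self.blocked[src] <= 30:
            self.blocked[src] = now       # --update: another 30 s of blocking
            return "DROP"
        if self.limit.above(src, now):
            self.blocked[src] = now       # QUERY-BLOCK: --set, then DROP
            return "DROP"
        return "PASS"         # end of chain: back to INPUT, query allowed


if __name__ == "__main__":
    qc = QueryCheck()
    pkt = build_packet("203.0.113.5", 40000, "198.51.100.10", 28960, GETSTATUS)
    print(len(pkt), [qc.verdict(pkt, 0.0) for _ in range(6)])
```

Run it and the six back-to-back queries come out as five PASS verdicts and one DROP; a seventh within 30 seconds is dropped from the recent list without touching the rate limiter, exactly the ordering of the rules above. The model also shows the limit of the approach: hashlimit keys on source IP, so a flood that spoofs a fresh source per packet never trips it, which is what the separate size-based rules are for.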