Node hardening! [Update 8/18/2014]
Author Topic: Node hardening! [Update 8/18/2014]  (Read 4551 times)

colin012

Node hardening! [Update 8/18/2014]
« on: July 22, 2014, 04:57:43 pm »

DDoS Protection Outline

The Why
Generally speaking, there is not much an individual can do to protect against a large scale DDoS attack without expensive hardware to handle it. They can increase the size of attack they can handle but without proper hardware it won't make much of a difference; their server will still fail. However, in a peer to peer network with many nodes, each little bit adds to the threshold that the network can handle. If every node can handle an additional 20,000 bytes per second in a 200 node network, that is an additional 4,000,000 bytes per second of an attack the peer to peer network can handle and that makes a difference.

The What
In this outline I will provide tips and links with instructions on how to get the most DDoS resilience out of your node so that together we may have a stronger, safer, NXT Network.

The Basics

Choose a Simple OS (Difficulty Level: Very Easy)
The less you have on your OS, the fewer security flaws there are to exploit. It is as simple as that. Always install the bare minimum of the OS you are using. Typically, for Linux, this will be the server edition and/or will have "minimal" in the name.

Use Full OS Encryption if Possible (Difficulty Level: Very Easy - Very Hard)
Full OS encryption (with a strong password) will help prevent attackers from compromising your machine by remotely accessing your hard drive. On some OSs, this is something you are asked if you want to do during the install process, on others you have to do it manually.

TODO: Give specific details on how to do this for a variety of OSs.

No Wifi (Difficulty Level: Very Easy)
Wifi cards are limited in how much data they can handle per second, and while your wifi may seem fast, it is slow compared to a direct hookup with your router. A direct hookup to the internet can handle a significantly larger attack than a wifi hookup. If you are connected directly to your router, it is likely that the only limit to handling a DDoS attack will be set by your computer itself rather than the connection it has.

DNS Handling (Difficulty Level: Intermediate)
DNS is shorthand for "Domain Name Server." They are the servers that translate "www.nxtforum.org" into an IP address that your computer can connect to. Normally, your computer has to wait for an IP address from its DNS every time it visits a website. This slows it down and eats up bandwidth, which makes it more vulnerable to DoS attacks. In this section, I will outline how to prevent this as much as possible as well as secure DNS requests with encryption to help prevent spying. This is done with two programs, DNSMasq and DNSCrypt.

Setting up and configuring DNSCrypt
First you need to install DNSCrypt. This can be done in three commands. But first, switch over to the root account:

Code:
sudo su
Then enter the following three commands:

Code:
add-apt-repository ppa:anton+/dnscrypt
apt-get update
apt-get install dnscrypt-proxy

Now that DNSCrypt is installed, we need to make a special user for it to run as. Just in case the home directory we are going to use doesn't exist, we will make it with the following command:

Code:
mkdir /run/dnscrypt
If you get an error stating that the directory already exists, it is fine; move on to making the user.

The username of this user should be ordinary and not indicate that it is used for DNSCrypt in any way. Name it after a friend or a pet and add 2-4 numbers at the end or beginning. Now enter the following command and replace "[Username]" with the username you decided on:

Code:
adduser --system --quiet --home /run/dnscrypt --shell /bin/false --group --disabled-password --disabled-login [Username]
You will probably get a warning saying that the user doesn't own the home directory. Fix this with the following line of code (again replacing "[Username]"):

Code:
chown [Username]: /run/dnscrypt
Now we need to configure DNSCrypt. Open the configuration file using nano with the following command:

Code:
nano /etc/default/dnscrypt-proxy
When you are modifying lines in this file, if they start with any number of #'s, delete the #'s. Only do this for lines you are changing!

First, change the line that starts off "user=" to contain the username you chose. It should look like "user=[Username]" when you are done.

Now, change the line "local-address=" to have a value other than "127.0.0.1" so it won't conflict with DNSMasq once that is set up. Keep it in the "127.0.0.X" family (where X is a number between 0 and 255) so it won't accidentally conflict with a real IP address. "127.0.0.2" would work just fine. Write this down somewhere as you will need it when setting up DNSMasq.

Next, you go to a website:

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

On this website, search for a DNS server that is, most importantly, marked as having "No Logs" and having "DNSSEC Validation." Among these candidates, select the server you think is closest to you geographically.

Back in nano, find a line starting with "resolver-address=" that does not have a # in front of it (there should be one without any #'s). Change the value after the equals sign to the value in the "Resolver Address" column on the web page I linked you to that lines up with the DNS server you chose. Do the same thing for "provider-name" and "provider-key" using the values from the "Provider Name" and "Provider Key" columns on the web page respectively.

Save the file (Ctrl+O) and exit nano (Ctrl+X). Next, we want to make sure that this runs on startup. Enter the following command:

Code:
nano /etc/rc.local
Add the following two lines BEFORE the line that says "exit 0" but replace "[Username]" with the username you chose for DNSCrypt:

Code:
mkdir /run/dnscrypt
dnscrypt-proxy --daemonize --user=[Username]

Save the file (Ctrl+O) and exit nano (Ctrl+X). You should be good to go!

Installing and Configuring DNSMasq
The next step is getting DNSMasq set up. First we have to install it:

Code:
apt-get install dnsmasq
Next, we have to configure it. Enter the following to bring up its configuration file in nano:

Code:
nano /etc/dnsmasq.conf
Press Ctrl+W and type in "listen-address=" then press "Enter" to find the right line. If there are any #'s in the same line, go ahead and delete them. Change the line to look like this:

Code:
listen-address=127.0.0.1
Press Ctrl+W and type in "proxy-dnssec" then press "Enter" to find if the line exists. If it does exist and any number of #'s are in the same line as it, delete the #'s. If it doesn't exist, start a new line and type it in. If it exists with no #'s, leave it alone. Either way, you should have a line that looks like this when you are done:

Code:
proxy-dnssec
Next, do the exact same thing for the phrase "no-resolv", and by that I mean Ctrl+W search for it; if you find it, delete any #'s, and if you don't, make a new line and type it in. Finally, Ctrl+W and look for "server=" to set the last configuration option. Look around and make sure that there isn't a line starting like that without any #'s around. Then pick a line that starts with "server=" and set it equal to the IP address you wrote down when configuring DNSCrypt.

Save the file (Ctrl+O) then exit nano (Ctrl+X). DNSMasq is now configured to run through DNSCrypt!

Final Steps
Now, all you need to do is restart DNSCrypt:

Code:
restart dnscrypt-proxy
then restart DNSMasq:

Code:
/etc/init.d/dnsmasq restart
and... It should be working! To test it, enter the following command:

Code:
dig nxtforum.org

If you get anything other than an error, it worked; you are now running your own DNS cache with information received over an encrypted connection! If you do get an error for some reason (like not following instructions), enter the following two lines of code and start over:

Code:
apt-get purge dnsmasq
apt-get purge dnscrypt-proxy

iptables Configuration (Difficulty Level: Intermediate)

If your server has iptables on it... USE IT! I know DigitalOcean uses it and any Linux system will have it. If you are going to configure iptables for your server, do it in the order I provide here. The order is important.

Flush current iptables rules
Just to be safe, get rid of all current iptables rules so you can set up the new rules. Do this by issuing the command:

Code:
iptables -F
Drop common attacks
Issue the following code to drop common attacks with iptables:

Code:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

This code drops all incoming null packets, all incoming syn packets, and all incoming XMAS packets.

Allow local host
You want port 7874 to be open to accept information, and you may also want localhost to be open if you plan on using the API or UI servers on your node.

Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Limit the number of connections a single IP address can have
Thank you, rigel, for this improvement!
Use the following code to limit the number of connections a single IP address can have and how many they can make per second:

Code:
iptables -A INPUT -m connlimit --connlimit-above 10 -j DROP
iptables -A INPUT -m hashlimit --hashlimit-name LIMIT --hashlimit-burst 10 --hashlimit-above 1/second --hashlimit-mode srcip --hashlimit-htable-expire 10000 -j DROP

(Optional) Open Port 7874
If you want your node to be public, you will have to open up port 7874.
Code:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 7874 -j ACCEPT

TODO: Find the standard strings that are sent by peers using NXT and drop all others to maximize security on port 7874.

(Optional) Allow Pings
This (I think) is no threat. Someone correct me if I am wrong. Not allowing pings may affect your ability to be found, but again, I am not sure so I need to be corrected here.

Code:
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT

Default Drop
For maximum security, you want to drop all other packets sent.

Code:
iptables -A INPUT -j DROP

Modify TCP Settings (Difficulty Level: Intermediate)
It is possible to modify your TCP settings to increase DDoS protection even further than iptables alone could. Thank you to rigel for this whole section!

Open sysctl Configuration File
You will want to use a basic text editor for this. Most Linux machines come with nano as a command line text editor. We will use it for these instructions.
Code:
nano /etc/sysctl.conf

Change Settings
Add the following lines to the file:
Code:
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_max_tw_buckets = 16384
net.ipv4.tcp_retries2 = 10
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 16384 65535

Then save the file and exit nano.

Apply Changes
Once you have exited nano, issue the following code to apply the changes you just made:
Code:
sysctl -p
« Last Edit: January 30, 2015, 01:04:57 am by colin012 »
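The DNSCrypt/DNSMasq chain above ends with a weak test: `dig nxtforum.org` succeeds just as well if the system is still asking its old resolver. The script below is an added example, not part of colin012's guide: it reads the two configuration files and checks that dnscrypt-proxy and dnsmasq are actually pointed at each other, that no leftover second `server=` line or missing `no-resolv` leaves a plaintext path open, and that the resolver entry is complete. It assumes the files hold the `key=value` lines the guide edits; the `buddy42` user, the 203.0.113.10 resolver and the provider values in the demo are constructed placeholders, not entries from dnscrypt-resolvers.csv.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that dnsmasq really hands
# every query to dnscrypt-proxy as set up above. Assumes both files contain the
# key=value lines the guide edits. Paths are parameters so the check can be run
# against copies; on a live node pass /etc/default/dnscrypt-proxy and /etc/dnsmasq.conf.

# Last uncommented VALUE of "KEY=VALUE" in FILE; empty if the key is absent.
conf_value() {                                # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1
}

# Succeed if FILE has an uncommented line consisting of just FLAG (e.g. no-resolv).
conf_has_flag() {                             # $1 = file, $2 = flag
    grep -q "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# Drop a port suffix: dnscrypt-proxy writes host:port, dnsmasq writes host#port.
host_part() {
    h=${1%%:*}
    printf '%s\n' "${h%%#*}"
}

problems=0
fail() {
    printf 'PROBLEM: %s\n' "$1"
    problems=$((problems + 1))
}

# check_dns_chain DNSCRYPT_DEFAULTS DNSMASQ_CONF
# Prints one line per problem; returns the number of problems (0 = wired up correctly).
check_dns_chain() {
    problems=0
    local_addr=$(host_part "$(conf_value "$1" local-address)")
    [ -n "$local_addr" ] || fail "dnscrypt-proxy has no uncommented local-address= line"
    [ "$local_addr" != 127.0.0.1 ] || fail "dnscrypt-proxy on 127.0.0.1 collides with dnsmasq on port 53"

    # The resolver picked from dnscrypt-resolvers.csv must be filled in completely.
    for key in resolver-address provider-name provider-key; do
        [ -n "$(conf_value "$1" "$key")" ] || fail "dnscrypt-proxy is missing $key="
    done

    listen=$(host_part "$(conf_value "$2" listen-address)")
    [ "$listen" = 127.0.0.1 ] || fail "dnsmasq listen-address should be 127.0.0.1, found '${listen:-none}'"

    # Exactly one live server= line, pointing at dnscrypt-proxy. A leftover second
    # server= line would let dnsmasq send plaintext queries to another upstream.
    nservers=$(grep -c '^[[:space:]]*server=' "$2" || true)
    [ "$nservers" -eq 1 ] || fail "dnsmasq should have exactly one server= line, found $nservers"
    upstream=$(host_part "$(conf_value "$2" server)")
    [ "$upstream" = "$local_addr" ] || fail "dnsmasq server= ($upstream) is not dnscrypt's local-address ($local_addr)"

    # Without no-resolv dnsmasq also forwards to whatever /etc/resolv.conf lists,
    # bypassing the encrypted path; proxy-dnssec passes the validated (ad) bit through.
    conf_has_flag "$2" no-resolv || fail "dnsmasq is missing no-resolv"
    conf_has_flag "$2" proxy-dnssec || fail "dnsmasq is missing proxy-dnssec"
    return $problems
}

# Stand-alone demo on a constructed pair of files (resolver values are placeholders,
# not an entry from dnscrypt-resolvers.csv).
demo_dns_check() {
    dir=$(mktemp -d)
    cat > "$dir/dnscrypt-proxy" <<'EOF'
user=buddy42
local-address=127.0.0.2:53
resolver-address=203.0.113.10:443
provider-name=2.dnscrypt-cert.example.net
provider-key=0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF:0123:4567:89AB:CDEF
EOF
    cat > "$dir/dnsmasq.conf" <<'EOF'
listen-address=127.0.0.1
#server=192.0.2.53
server=127.0.0.2
no-resolv
proxy-dnssec
EOF
    rc=0
    check_dns_chain "$dir/dnscrypt-proxy" "$dir/dnsmasq.conf" || rc=$?
    echo "problems found: $rc"
    rm -rf "$dir"
    return $rc
}

demo_dns_check
```

On the node, run `check_dns_chain /etc/default/dnscrypt-proxy /etc/dnsmasq.conf` after the restart step, then `dig @127.0.0.1 nxtforum.org` and confirm the `;; SERVER:` line reports 127.0.0.1; `ss -lnp | grep ':53 '` should show only dnsmasq on 127.0.0.1 and dnscrypt-proxy on the address you chose.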

blueface

Re: How to make your node as resilient to DDoS as possible
« Reply #1 on: July 22, 2014, 05:08:07 pm »

great,thx

Vyazhan

Re: How to make your node as resilient to DDoS as possible
« Reply #2 on: July 24, 2014, 11:57:35 am »

Hi there,

thanks for providing such a great How-To, it's really appreciated! I want to protect my server and was wondering if I follow your step-by-step guide with the iptables, do I effectively lock myself out from accessing my server remotely? I am reading up a lot about hardening and the likes but don't want to put everything into practice straight away but would like to maybe get a basic security level going meanwhile and this seems like a brilliant start :)

All the best!

colin012

Re: How to make your node as resilient to DDoS as possible
« Reply #3 on: July 24, 2014, 04:05:59 pm »


Hey! Thank you for contributing to NXT security by running a node and taking the time to secure it!
  • Are you running your node off of your computer or VM? Or are you using something like DigitalOcean?
  • If the node is running off of your computer or VM, have you set up port forwarding on your router, opened the port on your computer's firewall (and set up port forwarding to your VM if you have one) so that your node is actually public?
  • Have you hallmarked your node? Once you do, you will be eligible to receive NXTSecuritycoin (also called NSC) (and possibly Sentinelcoin in the future). Go to the following link for information on getting NSC for running a hallmarked node and make a post there with your node's information: https://nxtforum.org/assets-board/%28ann%29-nxt-security-coin-%28nsc%29-get-paid-for-supporting-the-nxt-network!/
  • Have you learned a lot in your reading about hardening? If you have, write a how-to (similar to this one) or make a post providing a list of links that will help people harden their nodes! You will be rewarded with Sentinelcoin (SentinelC on the asset exchange) for doing so!
As for your question of whether this will lock you out from remote access, it will. However, accessing a server remotely is NOT recommended! It is significantly less secure than accessing your server via localhost. The iptables configuration I have provided will allow localhost to access the server. With localhost, the only machine that has access to your server is the machine that it is running on. If you are running the node from a personal computer/VM, this will allow you to safely log into your account and run your public node on the same computer.

Thank you again for helping NXT out!
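Vyazhan's lockout question is the usual failure mode of the rule list in the first post: applied over SSH with no rule for port 22, the default drop ends the session, and since nothing saves the rules they are gone again after a reboot. The following is an added example, not colin012's or rigel's own configuration: it emits the same INPUT chain as an `iptables-restore` file with a DROP policy, puts an SSH allow rule (with its own per-source rate limit) ahead of the general limits, opens the API/UI ports only from one trusted source address rather than to the world, and comes with an apply helper that undoes itself after two minutes if the session does drop. The ports, the 198.51.100.7 admin address and the /etc/iptables/rules.v4 path are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not part of the original posts: the guide's INPUT chain rendered as
# an iptables-restore ruleset. Rule order is fixed in one file, the chain policy is
# DROP instead of a trailing "-j DROP", an SSH allow rule comes before the per-source
# limits so a remote session survives, and the file can be reloaded at boot.

# nxt_ruleset [SSH_PORT] [NODE_PORT] [ADMIN_PORTS] [ADMIN_SRC]
#   SSH_PORT    TCP port of your SSH daemon (default 22)
#   NODE_PORT   NXT peer port (default 7874)
#   ADMIN_PORTS comma-separated extra TCP ports (e.g. "7875,7876" for the API/UI)
#   ADMIN_SRC   the single address or CIDR allowed to reach ADMIN_PORTS; the API and
#               UI speak plain HTTP, so they are opened only when a source is given
# Prints the ruleset on stdout.
nxt_ruleset() {
    ssh_port=${1:-22}
    node_port=${2:-7874}
    admin_ports=${3:-}
    admin_src=${4:-}

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Malformed TCP: NULL scans, XMAS scans, and new connections that do not start with SYN
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# Loopback (API/UI on localhost) and packets belonging to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SSH before the general limits, with its own gentler per-source rate limit
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 4/minute --hashlimit-burst 6 -j DROP
-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Per-source limits for everything else (rigel's connlimit and hashlimit rules)
-A INPUT -p tcp -m conntrack --ctstate NEW -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name new --hashlimit-mode srcip --hashlimit-above 1/second --hashlimit-burst 10 --hashlimit-htable-expire 10000 -j DROP
# The public NXT peer port
-A INPUT -p tcp --dport $node_port -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Admin ports only from one trusted source; never opened to the world.
    if [ -n "$admin_ports" ] && [ -n "$admin_src" ]; then
        old_ifs=$IFS
        IFS=,
        for p in $admin_ports; do
            printf '%s\n' "-A INPUT -p tcp -s $admin_src --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        IFS=$old_ifs
    fi
    cat <<EOF
# Echo requests, rate limited so a ping flood is cheap to absorb
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Everything else hits the DROP policy; log a trickle of it for the incident record
-A INPUT -m limit --limit 1/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Load the ruleset as root and keep it for boot. RULES_FILE is the path the
# iptables-persistent package (Debian/Ubuntu) reloads; adjust for other distributions.
# The background job is a safety net: if the new rules cut off your SSH session, the
# firewall opens again after two minutes. Kill the job once you have re-connected.
nxt_apply_ruleset() {
    rules_file=${RULES_FILE:-/etc/iptables/rules.v4}
    tmp=$(mktemp)
    nxt_ruleset "$@" > "$tmp"
    (sleep 120 && iptables -P INPUT ACCEPT && iptables -F) &
    iptables-restore < "$tmp" && cp "$tmp" "$rules_file"
}

# Stand-alone run: print the ruleset for SSH on 22, the peer port, and the API/UI
# reachable only from 198.51.100.7 (a documentation address standing in for your own).
nxt_ruleset 22 7874 "7875,7876" 198.51.100.7
```

Review with `nxt_ruleset | less`, then run `nxt_apply_ruleset 22 7874` as root from the node (or, with admin ports, `nxt_apply_ruleset 22 7874 7875,7876 <your address>`), open a second SSH session, and once it connects kill the background sleep job so the safety net does not flush the rules. `iptables-persistent` reloads rules.v4 at boot on Debian and Ubuntu; other distributions keep the saved rules elsewhere.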

Vyazhan

Re: How to make your node as resilient to DDoS as possible
« Reply #4 on: July 24, 2014, 07:16:00 pm »



Hey colin,

thanks so much for taking me on, I really didn't expect such a nice answer and actually that much of a help with this, I am really flabbergasted :D I actually do need some help with this as I do not seem to fully understand some stuff yet but am more than willing to help NXT to grow.

To answer some of the questions first:

1.) I am running on a rented VPS (like DigitalOcean)
2.) See above
3.) Not yet as I do not hold much NXT yet but I intend to buy some very soon to get it started. In that regards, I think I understood how to create a hallmark but was wondering two things:

a) I am accessing my VPS through SSH so the localhost solution you are talking about seems to not be working for me this way. Is there any other way I can access my linux server so I have access to its content via localhost? This seems to be the reason I cannot do it and am a very much beginner with servers so any help would be really appreciated!

b) I am trying to also use this then as my forging node where I can lease my NXT to so the server does the work. However, I have not fully understood yet how to lease my forging power to my VPS and if I then should create a hallmark AFTER i have leased to my VPS and create a hallmark from there (if i ever get to access the UI from there) or if I should just create the hallmark on my local machine with the nxt on it, edit the .conf file on my vps and then transfer the power to my node??) >>> In that aspect as well, do I need to create a separate hallmark every time I add NXT or forging power to my node or is that dynamically reflected on let's say peerexplorer.com?

Also, as my vps is quite fast, 100mbit unlimited connection, I was wondering if there is a change once I add weight and a hallmark to it. It seems to not really be worth the money for a few megabytes of traffic every day, though it doesn't make a difference for me personally as I want to help nonetheless. Just interested in the technical aspects of it. Is there a whitepaper or something that explains how much my node is used based on the weight etc...? I think I read somewhere that once it gets heavy weight wise, I need quite a good server to run as a node so really curious here as I like to help as much as possible and my server seems to be able to handle it as it's quite beefy (or can be made beefy quite fast if needed for little extra cost :))

This will have probably been answered now by some question before but how exactly would I not access my server remotely if it's stored hundreds of kilometers away from me? :D

Sorry for all those questions but I do intend to create a quite sturdy backbone here that can easily scale to larger traffic as well and can easily be upgraded and is very decentralized as not hosted by amazon or digital ocean so any help is dearly appreciated :)

Thanks for pointing me to those two assets, I already checked out NSC but not yet the other one and will do that asap :)

Also, if you happen to have some extra spare time for me, I am happy to converse on IRC or somewhere so I don't derail this topic too much from it's initial purpose.

4.) When I am finished with my security papers (there is a LOT!) I am more than happy to backlink or write my own stuff for sure if it's needed and wanted. Always happy to help even though my guide and tutor already told me that after setting this stuff up, there is not sooo much to do as only one port needs to be really open :)

However, I have seen you can harden it quite nicely by removing unnecessary processes etc...so maybe this way I can help a bit as well if someone is there to have a look over it as I am quite new to all of this and wouldn't want to share anything that might have flaws and bugs in them that actually makes the entire thing less secure than it was in the beginning :D

Thanks again and if you are still reading by this, drop me your NXT account info and I will send a few NXT your way as a thanks for all the work and effort you already put towards this guide as well as the help you offered, I really appreciate it  a lot and hopefully it will help others as well at one stage :)

All the best,
Vya

colin012

Re: How to make your node as resilient to DDoS as possible
« Reply #5 on: July 24, 2014, 10:29:51 pm »



It's no problem. I am interested in making NXT as secure as possible and if that means helping you out, then I will do it!

A) There should be no reason you need to access your server's localhost... at least for purposes of NXT. The NXT you own is stored on the blockchain and can be accessed from any computer running the NXT client. All you need to do is enter your password. If you need secure access to your NXT, all you have to do is install the wallet on your personal computer, put your password in there, and you will have access to your NXT from your personal computer.

The only reason one would want to have their server open to other ports is so that they can access NXT devices without the wallet installed. Someone else's computer for example. If you need access to your NXT account from any machine other than your personal machine, I would suggest using an exchange or a web wallet to store your NXT. To be honest, I am not sure that there are web wallets other than exchanges and those don't have access to NXT assets (yet). So if you need to access your assets from another device, I would recommend using the Secure AE. More info on that here: https://nxtforum.org/secure-asset-exchange/introduction-to-secure-asset-exchange/

B) If you want to use your server's forging power, open up ports 7875 and 7876 on your server (you can do this the same way you opened up 7874). Just enter the commands to do this right before or right after (doesn't matter which) you open up 7874. If you try to enter them in after you have issued the default drop command, it won't work because the drop command would be executed before those ports are opened.

Then, create a new NXT account on your server at:
Code:
http://yourServersIPAddress:7876

DO NOT STORE ANY NXT IN THIS NEW ACCOUNT! You can safely lease your NXT to the new account which is now running on the server. Ok, you will need to send 2 NXT from your personal account to the account running on the server (we will call it a pool account from now on). Once your pool account receives the two NXT, you can send an outgoing transaction of 1 NXT back to your personal account. Now that your pool account has an outgoing transaction, it can begin forging. Now you can lease the balance of your personal account to the pool account.

As far as hallmarks go, it doesn't matter when it is done when related to leasing your balance to the pool account. It could be before, or after. It doesn't make a difference. However, when you go to hallmark your node, I would generate the hallmark from your personal computer rather than on the server. Also, when you generate the hallmark for your node, enter your personal NXT address, not the pool account's NXT address; all the hallmark does is prove that the node is related to your account so the NSC will go to the account that the hallmark identifies.

I don't really know anything about how the weight of a hallmark works. Otherwise, I would be more than happy to provide information on it. I have a guess but I am not sure and I don't want to misinform anyone.

If you really want to help me out and throw a few NXT my way, then place a buy order on the Asset Exchange for SentinelC (asset id: 3567062492245394336). I am letting the community decide the value of the coin/asset. I put some of my personal funds into the Project Sentinel account to issue the asset and pay for initial transaction fees and I would like them back some time. So basically, you get to set the market price for it and send some NXT my way at the same time. :)

I will tell you this right now, there are only 21,000,000 of them and I have to make them last for a LONG while so I won't be distributing (by selling or rewarding NXT security related activities) that many of them. Given that, make an offer on what you think is fair and I will sell them to you regardless of what I think.

rigel

Re: How to make your node as resilient to DDoS as possible
« Reply #6 on: August 18, 2014, 03:41:42 am »

You can successfully block attackers trying to saturate your NRS resources by limiting the number of concurrent connections from the same IP:

iptables -A INPUT -m connlimit --connlimit-above 10 -j DROP

or rate limit new connections per IP per second:

iptables -A INPUT -m hashlimit --hashlimit-name LIMIT --hashlimit-burst 10 --hashlimit-above 1/second --hashlimit-mode srcip --hashlimit-htable-expire 10000 -j DROP

or both.

To make your system more resilient to DDoS you have to change some TCP related settings in /etc/sysctl.conf

net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 4
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_max_tw_buckets = 16384
net.ipv4.tcp_retries2 = 10
net.ipv4.tcp_tw_reuse = 1
net.ipv4.ip_local_port_range = 16384 65535

and apply them with:

sysctl -p
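An added example (not from rigel's post) for the sysctl step: `sysctl -p` prints what it set but says nothing afterwards, and a distribution upgrade, a later file under /etc/sysctl.d, or a kernel that lacks a key can quietly leave the node back on defaults. The script compares each `key = value` line of a sysctl.conf-style file against the live values under /proc/sys and reports drift; the /proc root is a parameter so the demo runs on a constructed tree. The demo config is a constructed excerpt of the values above plus `net.ipv4.tcp_syncookies = 1`, which is not in rigel's list but is the kernel's own SYN-flood defence and belongs with these settings.

```shell
#!/bin/sh
# Added example, not from rigel's post: check that the values in a sysctl.conf-style
# file are what the kernel is actually running, and report drift. PROC_ROOT is a
# parameter so the check can be exercised on a constructed tree; on a live node use
# the default /proc/sys (after "sysctl -p", or from cron to catch a reboot that lost them).

# net.ipv4.tcp_fin_timeout -> net/ipv4/tcp_fin_timeout
sysctl_path() {
    printf '%s\n' "$1" | tr . /
}

# Collapse tabs/newlines to single spaces and drop the trailing one, so a two-value
# entry such as ip_local_port_range ("16384<TAB>65535" in /proc) compares equal to
# "16384 65535" from the config file.
normalise() {
    printf '%s' "$1" | tr '\t\n' '  ' | tr -s ' ' | sed 's/ $//'
}

# sysctl_report CONF PROC_ROOT
# One line per key in CONF: "OK key", "DRIFT key expected=X live=Y" or "MISSING key".
sysctl_report() {
    # Strip comments, turn "key = value" into "key value", drop blank lines.
    sed -e 's/#.*//' -e 's/[[:space:]]*=[[:space:]]*/ /' -e '/^[[:space:]]*$/d' "$1" |
    while read -r key expected; do
        file=$2/$(sysctl_path "$key")
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$key"
            continue
        fi
        live=$(normalise "$(cat "$file")")
        want=$(normalise "$expected")
        if [ "$live" = "$want" ]; then
            printf 'OK %s\n' "$key"
        else
            printf 'DRIFT %s expected=%s live=%s\n' "$key" "$want" "$live"
        fi
    done
}

# sysctl_check CONF [PROC_ROOT]
# Prints the report and returns the number of keys that are not OK (0 = all applied).
sysctl_check() {
    report=$(sysctl_report "$1" "${2:-/proc/sys}")
    printf '%s\n' "$report"
    bad=$(printf '%s\n' "$report" | grep -E -c '^(DRIFT|MISSING)' || true)
    return "$bad"
}

# Stand-alone demo on a constructed /proc/sys-like tree: one value applied, one
# drifted, one key that this (pretend) kernel does not expose.
demo_sysctl_check() {
    root=$(mktemp -d)
    mkdir -p "$root/net/ipv4"
    printf '20\n' > "$root/net/ipv4/tcp_fin_timeout"
    printf '16384\t65535\n' > "$root/net/ipv4/ip_local_port_range"
    printf '0\n' > "$root/net/ipv4/tcp_tw_reuse"
    cat > "$root/sysctl.conf" <<'EOF'
# constructed excerpt of the settings from the thread, plus tcp_syncookies (not in
# rigel's list; it is the kernel's own SYN-flood defence and worth keeping on)
net.ipv4.tcp_fin_timeout = 20
net.ipv4.ip_local_port_range = 16384 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syncookies = 1
EOF
    rc=0
    sysctl_check "$root/sysctl.conf" "$root" || rc=$?
    echo "keys not applied: $rc"
    rm -rf "$root"
    return $rc
}

rc=0
demo_sysctl_check || rc=$?
```

On the node, `sysctl_check /etc/sysctl.conf` returns 0 when every value has taken effect (reading /proc/sys does not need root); a nonzero return from a cron job is the cheapest drift alarm you can have for these settings.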

colin012

Re: How to make your node as resilient to DDoS as possible
« Reply #7 on: August 18, 2014, 07:08:18 pm »


Thank you. I don't know if you saw, but there is a bounty on additions to this article. What is your NXT address?

rigel

Re: How to make your node as resilient to DDoS as possible
« Reply #8 on: August 18, 2014, 09:27:44 pm »

I didn't notice there is a bounty.

My address is NXT-7GR4-4C9H-GVMN-27QQU.

Thank you colin!

Just a note: you should move the connlimit and hashlimit rules after these ones:

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
« Last Edit: August 18, 2014, 09:38:22 pm by rigel »
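The two iptables rules and the ordering note above, put together as an added example script (not rigel's or colin012's own code): the rules are emitted in rigel's recommended order, after the loopback and RELATED,ESTABLISHED accepts, and scoped to new TCP connections on the peer port, so already-established peer traffic is never counted or rate-limited. The peer port 7874 is an assumed default; iptables itself is only invoked when APPLY=1 is set, otherwise the rules are printed for review.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the connlimit/hashlimit rules
# from the thread in the correct order and scoped to new TCP SYNs on the peer port.
PEER_PORT="${PEER_PORT:-7874}"   # assumed NXT peer port; adjust for your node
MAX_CONN="${MAX_CONN:-10}"       # concurrent connections allowed per source IP

# Print the ruleset in order: loopback and established traffic are accepted first,
# then only new connection attempts (--syn) to the peer port are subject to limits.
node_rules() {
    port="$1"; max="$2"
    printf '%s\n' \
      "-A INPUT -i lo -j ACCEPT" \
      "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" \
      "-A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-above $max -j DROP" \
      "-A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name LIMIT --hashlimit-burst 10 --hashlimit-above 1/second --hashlimit-mode srcip --hashlimit-htable-expire 10000 -j DROP"
}

# Reads rules on stdin; returns 0 if every connlimit/hashlimit rule comes after the
# RELATED,ESTABLISHED accept (rigel's ordering advice), 1 otherwise.
rules_ordered() {
    seen_established=0
    while IFS= read -r rule; do
        case "$rule" in
            *RELATED,ESTABLISHED*) seen_established=1 ;;
            *connlimit*|*hashlimit*) [ "$seen_established" -eq 1 ] || return 1 ;;
        esac
    done
    return 0
}

# Apply the rules with iptables when APPLY=1, otherwise print them as a dry run.
apply_rules() {
    node_rules "$PEER_PORT" "$MAX_CONN" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            # shellcheck disable=SC2086  # splitting the rule into arguments is intended
            iptables $rule
        else
            echo "iptables $rule"
        fi
    done
}

apply_rules
```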

colin012

Re: How to make your node as resilient to DDoS as possible
« Reply #9 on: August 19, 2014, 12:18:22 am »

Ok, based on the 2 Sentinelcoins per new command, you should be getting 30 Sentinelcoins.

colin012

Re: Node hardening! [Update 8/18/2014]
« Reply #10 on: January 23, 2015, 10:09:47 pm »

Bump.

colin012

Re: Node hardening! [Update 8/18/2014]
« Reply #11 on: January 26, 2015, 04:23:22 pm »

Working on an update.