The aim of this page is to help you to configur SynDetector !
There is 3 different parts to configur SynDetector :
- Configuration before compilation
- Configuration of iptables
- Configuration of SynDetector
Configuration before compilation :You need to edit definition.h adapt the value ! There is not the same number of value from a release to another.
For release < 3_3 there is just 2 important values : TEMPSFLUSH et MAXPORT.
TEMPSFLUSH is the default time before flush list of banned IP and IPC.
MAXPORT is the max port number that SynDetector is enable to check.
For release >= 3_3 you need to consider also : TEMPSFLUSH2, TIMEOUT, RETRYLIMIT, PORT, PORT2 and CRYPTSALT
TEMPSFLUSH max time before flushing banned IP.
TEMPSFLUSH2 max time before flushing banned IPC.
TIMEOUT max time of inactivity before SynDetector close the connection when you want to transmit an order.
RETRYLIMIT max number of retry before say order transmition error ! It could hapen...
PORT is the connection port of SynDetector to transmit your orders.
PORT2 is a port strictly reserved to SynDetector to transmit the orders (you don't have to use this port).
CRYPTSALT you could modify to adapt the crypt key to your system...
Configuration of iptables :Why do you need to configure iptables for SynDetector ? Because to capture packet I use the libipq solution.
Libipq solution use a standard filter system of iptables rules with a new target (option -j) QUEUE instead of
REJECT or DROP.
This solution finaly seems to be like libpcap with good BSD filter.
When you launch SynDetector without any options It show you an example of configuration for
the web server on port 80 :
iptables -A INPUT -p tcp --dport 80 -j QUEUE
to capture packet destinated to server web,
iptables -A OUTPUT -p tcp --sport 80 -j QUEUE
to capture packet from the server web.
You need this two rules to use correctly SynDetector.
Of course you can check more of one port. You need to put this two rules for each ports that you want check.
If you have realy a lot of port or you use a release >= 3_3 and you want to ADD ports while It is running
you certainly need to adapt this rules to all ports of the system :
iptables -A INPUT -p tcp -j QUEUE
iptables -A OUTPUT -p tcp -j QUEUE
SynDetector will check the port only if It is listed in SynConf.txt.
This solution has some problems... Of course this is nice when you want to add easily with futur release but even if the
port is not checked the necessary time to know if the port need to be checked or not and if the packet is valid or not
could cause a lag on the network if the trafic is important...
Other problem, if SynDetector crash every port in QUEUE with iptables are blocked ! In fact if you don't have a soft
to tell to iptables if the queued packet are good or not, the default is that iptables will drop all queued packet.
But It is absolutly normal... SynDetector exist to protect you server against synflood attacks and if It is possible
It want to protect running server application like apache. So if It can't say that a packet is good or not the default
solution is to block packet...
And the last problem, if SynDetector crash you need to restart It fastly to restore your server...
For release >= à 3_3 if you want good stats you need to add 2 other rules :
iptables -I INPUT -p tcp --dport 80 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -I OUTPUT -p tcp --sport 80 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
The cause is that the futur GUI is a web based system in php... So you need a server web where SynDetector is running.
Of course we don't want to show our request order connection from the GUI in the stats so we need a free local IP.
Eventualy you could want a free public IP... You can use this rules but becareful that every of this IP is an open door
for every hacker who know this IP...
SynDetector will also block connection on IPserver from IPserveur for security reason !
When you want to connect on the IPserver when you are using the computer which own this IP the connection is impossible.
To enable connection you could use this rules (for web server for example) :
iptables -I OUTPUT -p tcp --sport 80 -s IPserveur -d IPserveur -j ACCEPT
But SynDetector will show you even if you use this rules... The diference betwin local or external connection is that
if you synflood your server with local connection SynDetector will detect It and block It but It will say you that It
is a false IP (spoofed IP).
Configuration of SynDetector :This is the different constant that you need to determine for each port you want to check :
PORT :Port number that you want check.
LENGHTETE :Max lenght of connection list before start an analyse but if this number
is too high the analyse could take too much time... But with a high
number the quality of the analyse is better (with great value for
SENSEUR :In the idea of sensibility, if you put 2 for senseur you will check
only one ip/2 into the connection list LENGHTETE
It could help to filter good or bad ip in the list
But becareful about lenghtete/senseur... A goot ratio for exemple
could be 50/2 or 90/3.
LIMTEMPORELLE :To define the synflood limit we need a temporal limit :
for X request/Ys we put LENGHTETE=X et LIMTEMPORELLE=Y. Becareful that
you can not say that 50/10s <=> 5/1s, cause of some software like navigator
which when they need to load a page with 5 pictures for example the
navigator will do realy fastly 5 connections request to download
this pictures and It is absolutly not a synflood attack...
So in the first case the client is not banned but in the second case
the client will be banned...
PERCENT :It is to define a limit percent for lenghtete !
With that you just need a part of the lenghtete with the same IP to
reach the request limit.
Warning ! If you put a too litle percentage you certainly risk to have a
lot of bad detection !!!
You don't have to think about how configure percent / senseur ! Just
configure senseur / lenghtete and percent / lenghtete.
The config file format is realy simple ! You just need to look one time the example file to know how to put your values.
For release >= 3_3 the new system client/server enable to modify directly configuration while It is running and you will
can also save port modification ! But you always need to have a config file on your HD to launch SynDetector even if this file
Download the SynConf.txt example here