1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Best Open Source Firewall for Window Server 2008 ?

Discussion in 'Security' started by akshaykalia, Mar 11, 2013.

  1. #1
    Hi,
    SEMrush
    Recently I am experiencing a lot of DDoS attacks on my Window server.
    Just wanted to know if there are any free tools that can be installed on the server or if any good paid softwares that can help make my server bit secure and steady.

    Thanks
    Akshay
     
    akshaykalia, Mar 11, 2013 IP
    SEMrush
  2. cashx

    cashx Peon

    Messages:
    12
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    3
    #2
    I would buy any cheap box and install OpenBSD on it, or pfsense firewall.
    http://www.pfsense.org/

    They use pf firewalls and put your Windows box in a VLAN, so high security. You'll probably have to read about how to configure pf firewalls though http://nostarch.com/pf2.htm

    This won't defend against major DDOS though you have to buy commercial DDOS protection.
     
    cashx, Mar 12, 2013 IP
  3. RonBrown

    RonBrown Well-Known Member

    Messages:
    934
    Likes Received:
    55
    Best Answers:
    4
    Trophy Points:
    105
    #3
    Server 2008 has an SPI firewall built-in that is pretty good. There are also some changes you can make to the network stack that help to increase the level of security and help to mitigate some of the effects of a DOS attack. Have a look a the high-security web server policy script example that comes with windows for ideas on securing the stack and other parts of Server 2008. It's called something like HISECWEB - don't run it "as is" because it can lockdown the server too much. Just use it to get ideas and see some of the DOS mitigators that are there.

    Here's some of the parameters that I'm sure are in that file...

    
    machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4,5
    machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3
    machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4,2
    machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4,500
    machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretried=4,400
    machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4,1
    machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,2
    machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4,0
    machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000
    machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0
    machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0
    machine\system\currentcontrolset\services\tcpip\parameters\enablefragmentchecking=4,1
    machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0
    machine\system\currentcontrolset\services\tcpip\parameters\enableaddrmaskreply=4,0
    machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,2
    machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0
    machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1
    Code (markup):
    You'll also find lots of info on the web. Strangely enough, some of the best resources regarding security that can be found will be for Server 2003. Server 2008 and Server 2012 were much more secure by default and there is a lot less information around. We still use the securiy scripts we wrote for server 2003 on Server 2012 (with some tweaks and deletions) as part of our server lockdown process. Just be sure that anything you find for earlier OSs on security are not obsolete for future ones.

    If you are suffering from genuine DDOS attacks, there's probably little you can do about that personally. You'll need to escalate that to your upstream provider for help.
     
    Last edited: Mar 13, 2013
    RonBrown, Mar 13, 2013 IP
  4. Markwebuk

    Markwebuk Well-Known Member

    Messages:
    1,595
    Likes Received:
    17
    Best Answers:
    2
    Trophy Points:
    113
    #4
    You probably want to try out Netdefender, but honestly, setting up a defense against DDoS is a tedious task. Plus these systems can only withstand an attack of a certain intensity. There is no 100% perfect solution for DDOS.
    The best thing you can do is, take your server offline.
    Identify and block the ips/network
    Precaution is better than cure. So it's important to have a strong security policy in place.
    Have a firewall which does Ingress and Egress Filtering at Gateway
    More importantly, make sure that all the applications are updated with the latest versions to ensure there aren't any vulnerabilities left behind.
     
    Markwebuk, Mar 15, 2013 IP