Filter out DDoS attacks - Can anyone help me please?

Hi everyone,

Currently, I’m using IPFire for hosting online games to protect against DDoS attacks. However, some of the DDoS attacks are still able to penetrate my network. Is there a way for me to filter out these DDoS attacks using IPFire? Can you please help me with this? I really need your help, everyone, please.

I have never seen a DDoS in my life; however, if I were to deal with this issue in IPFire, I would use Intrusion Prevention (suricata) with rules tailored for this goal. I quickly searched the web and I found (1) several (2) solutions. For the details of the implementation I cannot help you, but I am sure you can figure it out and, if you have specific questions about suricata, other members of this forum can also provide assistance.

EDIT: another approach would be to use geolocation, if the source of these attacks is different from the origin of your users traffic.

3 Likes

How do I get it running again? Before this it was running … I don’t know why it has stopped now since my game server got attacked.

Need to be careful with those. One was last updated 4 years ago and the other 7 years ago.

The emerging-dos.rules ruleset is available from the Emergingthreats.net Community Rules provider that is available on IPFire. So that list can be selected directly without any need for manual modification of IPFire.
The actual rules selected would need to be reviewed to see if any of the ones not selected by default should also be selected. You would probably have to have some idea about the type of DDoS attack being used on the game server to be able to select the best rules.

4 Likes

If you press the Save button it doesn’t start, is that correct?

If it is not starting after pressing the Save button, then you would need to go to the console command line and run the following command, which will try to start Suricata but give you the messages for why it is abnormally failing to start.

/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0

Let us know what the error message is that gets shown.

3 Likes

I got this when I ran the command /usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0

Yes, when I click Save the status is still STOPPED.

The fact that those includes have been processed suggests that suricata started, especially as there was no error message.

Run the command
/etc/rc.d/init.d/suricata status

This will check the status of your suricata process.

If it is not running you will get the message

/usr/bin/suricata is not running.

and if it is running you will get something similar to

suricata is running with Process ID(s) 23074.
Your message will just have a different Process ID number.

If the status is that it is running then on the IPFire WUI reselect the Intrusion Prevention menu item so that the screen is refreshed.

3 Likes

Currently I get the message "not running". How do I get it running again with a command?

image

Nice, sir … now it works. But I ticked all of these … when I save, my web interface can’t open and my RDP can’t connect … how do I reset everything back? :sweat_smile:

Somehow or other your suricata program crashed, causing it to stop but leaving the pidfile in place, which then stops the program from starting. Normally when suricata is stopped the pidfile is removed as part of the stop process.

Run the command
/etc/rc.d/init.d/suricata stop

This should get rid of the pidfile.

Confirm by running
/etc/rc.d/init.d/suricata status

and you should get the

/usr/bin/suricata is not running
message.

Then go back to your Intrusion Prevention WUI page and press the Save button and it should then start.

3 Likes
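The stale-pidfile situation described in the post above (daemon died, pidfile left behind, init script refuses to start) can be checked from the console without guessing. The script below is an added example, not IPFire's own init script or anything posted in this thread; it assumes the pidfile path /var/run/suricata.pid (override it with SURICATA_PIDFILE if your installation differs) and a Linux /proc filesystem. It reports whether the PID recorded in a pidfile is still alive and removes the file only when it is not, which is the same cleanup the `/etc/rc.d/init.d/suricata stop` command is relied on to do.

```shell
#!/bin/sh
# Check a daemon pidfile for a live, dead (stale) or unparseable PID.
# Assumption: IPFire keeps Suricata's pidfile at /var/run/suricata.pid.
SURICATA_PIDFILE="${SURICATA_PIDFILE:-/var/run/suricata.pid}"

# pidfile_state FILE
#   prints one of: absent | invalid | running | stale
pidfile_state() {
    pidfile="$1"
    if [ ! -f "$pidfile" ]; then
        echo absent
        return 0
    fi
    # First line, whitespace stripped; anything non-numeric is garbage.
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # /proc/<pid> exists for any live process regardless of who owns it;
    # kill -0 is the portable fallback (sends no signal, only checks
    # existence, but fails with EPERM for processes we may not signal).
    if [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null; then
        echo running
    else
        echo stale
    fi
}

# clear_stale_pidfile FILE
#   removes FILE only if its PID is dead or unparseable.
#   returns 0 when the file was removed, 1 when it was left alone.
clear_stale_pidfile() {
    pidfile="$1"
    case "$(pidfile_state "$pidfile")" in
        stale|invalid)
            rm -f "$pidfile"
            return 0
            ;;
        *)
            return 1
            ;;
    esac
}

# report_suricata
#   prints the state of the configured Suricata pidfile, e.g.
#   "/var/run/suricata.pid: stale", for use from the console.
report_suricata() {
    echo "$SURICATA_PIDFILE: $(pidfile_state "$SURICATA_PIDFILE")"
}

# Usage from the IPFire console (as root):
#   . ./check_pidfile.sh; report_suricata
#   clear_stale_pidfile "$SURICATA_PIDFILE" && echo "stale pidfile removed"
```

A result of `stale` is exactly the state the post describes: the WUI's Save button will keep failing until the file is gone, after which Save (or the init script's start) can create a fresh one. A result of `running` with the WUI still showing STOPPED means the page just needs to be re-opened, as the earlier reply notes; do not delete a pidfile whose process is alive.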

How can I reset this config from the console, sir … my web interface can’t log in right now.

Why did you select every ruleset in your whole list? Some of those might well cause you problems.

The only ruleset I mentioned to select was emerging-dos.rules. That is a Denial of Service specific ruleset.

If the WUI no longer works due to all the rulesets having been selected, I will have to think and check of what needs to be modified via the console to fix that.

Maybe other forum members know the best way to fix that.

2 Likes

If OP brings down suricata using the console, shouldn’t the access to the WUI become available again?

2 Likes

Okay, I can remote in already. I just stopped it and then unticked everything … so I just tick emerging-dos.rules?

@eykalzz Adolf’s suggestion is pretty clear. Suricata is an expensive program to run, and the more rules you select, the more memory you consume. If possible, I would also consider location block, which is instead much cheaper in terms of resource consumption.

6 Likes

Noted, bro … I’ll try now … thanks for helping, and also thanks to @bonnietwin.

You may want to activate it only on red, not on red and green.

4 Likes

Brother … how can I activate it only on red? From the firewall rules?

Look at the Intrusion Prevention picture in your second post in this thread.

There are two “Enabled on” checkboxes. One for red and the other for green.

Uncheck the green one and press the Save button.

4 Likes

Oh yeah … I see that. Thank you so much :kissing_heart: