How to install Patch-o-Matic in Ubuntu
Sometimes the standard kernel shipped with Ubuntu does not fit your environment. For example, your server may be attacked regularly from the network, that is, subjected to a denial-of-service (DoS) attack. There are many ways to DoS a host. The classic one is the TCP SYN flood, whose effect is to fill the kernel's listen backlog with half-open connections. That attack is no longer much of a problem: a SYN flood is easy to detect, and recent kernels absorb it with SYN cookies. The case I really do not want to see is an attacker flooding the server with fully established TCP connections, because that is hard to distinguish from normal client behaviour. There are two common workarounds to protect the server against it:
- Decrease the socket timeout
- Limit the number of concurrent connections per IP address
The first approach may hurt clients on slow links, so the second one looks better. However, a per-address connection limit is not available in the vanilla kernel, since counting connections per source costs extra work in the connection-tracking path; for a server under attack that cost is worth paying, safety first. The netfilter project maintains such optional extensions as a collection of kernel and iptables patches called patch-o-matic-ng (POM), from which you pick the ones you need. As a bonus you also get the TARPIT target, which holds a scanner's connections open in a zero-window state and so slows port scanning of your host to a crawl.
To build a custom kernel the Ubuntu way you need make-kpkg, which comes in the kernel-package package:
    sudo apt-get install kernel-package libncurses5-dev fakeroot
Then follow the procedure below.
- Obtain the kernel source
    sudo apt-get install linux-source
- Prepare a build directory
    mkdir ~/pom
- Extract the Linux source (Ubuntu Edgy ships 2.6.17)
    cd ~/pom
    tar xjvf /usr/src/linux-source-2.6.17.tar.bz2
- Download a snapshot of patch-o-matic-ng and the iptables source matching the version Ubuntu ships. In Ubuntu Edgy, iptables is 1.3.5.
    wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20061130.tar.bz2
    wget http://ftp.netfilter.org/pub/iptables/iptables-1.3.5.tar.bz2
- Extract them
    tar xjvf patch-o-matic-ng-20061130.tar.bz2
    tar xjvf iptables-1.3.5.tar.bz2
- Download additional patches that are not in the snapshot, e.g. connlimit
    wget -O connlimit.tar http://people.netfilter.org/ole/pom/connlimit
- Extract the patch into the patchlets directory
    cd patch-o-matic-ng-20061130/patchlets
    tar xvf ../../connlimit.tar
- Modify patchlets/connlimit/info so that runme offers the patch for a 2.6 kernel. It should read as follows:
    Title: iptables connlimit match
    Author: Gerd Knorr <>
    Status: ItWorksForMe[tm]
    Repository: extra
    Requires: linux > 2.6.0
- Run runme from the top of the patch-o-matic-ng tree (not from ~/pom, where there is no runme) to patch the kernel source. runme asks for the kernel and iptables source directories; you can also pass them as KERNEL_DIR and IPTABLES_DIR instead of answering the prompts.
    cd ~/pom/patch-o-matic-ng-20061130
    KERNEL_DIR=~/pom/linux-source-2.6.17 IPTABLES_DIR=~/pom/iptables-1.3.5 ./runme extra
- Choose the right patches for your custom kernel (I recommend connlimit and tarpit). runme offers each patch in the repository interactively; answer y only to the ones you want, since every extra patch is more out-of-tree code in your kernel.
- Copy the current kernel configuration into the kernel source directory
    cp /boot/config-`uname -r` ~/pom/linux-source-2.6.17/.config
- Modify .config to build the new match and target as modules, changing
    # CONFIG_IP_NF_TARGET_TARPIT is not set
    # CONFIG_IP_NF_MATCH_CONNLIMIT is not set
  to
    CONFIG_IP_NF_TARGET_TARPIT=m
    CONFIG_IP_NF_MATCH_CONNLIMIT=m
  If those lines are not present yet (the copied config predates the patches), run make oldconfig in the source directory and answer M when asked about TARPIT and connlimit.
- Compile the kernel the Ubuntu way
    cd ~/pom/linux-source-2.6.17
    make-kpkg clean
    make-kpkg --initrd --append-to-version=-pom --rootcmd fakeroot kernel_image kernel_headers
If everything goes well, the kernel image and headers packages land in ~/pom. Install them as usual and reboot into the -pom kernel:
    cd ~/pom
    sudo dpkg -i linux-image-* linux-headers-*
Note that runme also patched the iptables-1.3.5 tree: each kernel module needs a matching userspace extension (libipt_connlimit.so, libipt_TARPIT.so) before iptables can parse a rule that uses it. After rebooting, check with iptables -m connlimit --help and iptables -j TARPIT --help; if iptables complains that it cannot load the match or target, build iptables from the patched ~/pom/iptables-1.3.5 tree (make KERNEL_DIR=~/pom/linux-source-2.6.17) and use the resulting binary.
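The post stops at the build and never shows the rules the new modules are for. The script below is an added example, not from the original post, of how connlimit and TARPIT are typically used once the -pom kernel is running. The interface (eth0), the protected service (TCP/80), and the ceiling of 20 concurrent connections per client address are assumed values; override them from the environment. Setting IPT=echo prints the rules instead of applying them, which is also how the example is checked.

```shell
#!/bin/sh
# Added example (not from the original post): firewall rules using the
# connlimit match and TARPIT target built from patch-o-matic-ng.
# Assumed values, all hypothetical: eth0 is the public interface, TCP/80 is
# the protected service, 20 concurrent connections per client is the ceiling.
set -eu

IPT=${IPT:-iptables}   # set IPT=echo to preview the rules without applying them
IFACE=${IFACE:-eth0}
PORT=${PORT:-80}
LIMIT=${LIMIT:-20}

# Limit concurrent connections from a single source address to the service.
connlimit_rules() {
    # Packets of connections already accepted pass straight through; the
    # limit is evaluated only on the initial SYN, so clients that are already
    # connected are never cut off by it.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport "$PORT" \
        -m state --state ESTABLISHED -j ACCEPT
    # Drop a new connection when this /32 already holds more than LIMIT
    # connections to the port. --connlimit-mask 24 would count a whole /24
    # as one client, which is the knob to turn against a small botnet.
    $IPT -A INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 32 -j DROP
    $IPT -A INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" -j ACCEPT
}

# Tarpit every other TCP port instead of rejecting it: a scanner sees them
# all as open, but each connect() then stalls in a zero-window state.
tarpit_rules() {
    # TARPIT answers the handshake itself and never closes the connection,
    # so those connections must stay out of conntrack or they fill its table.
    $IPT -t raw -A PREROUTING -i "$IFACE" -p tcp ! --dport "$PORT" -j NOTRACK
    $IPT -A INPUT -i "$IFACE" -p tcp ! --dport "$PORT" -j TARPIT
}

apply_rules() {
    connlimit_rules
    tarpit_rules
}

# Only apply when invoked as "sh rules.sh apply"; otherwise the functions are
# merely defined, so the file can be sourced or previewed safely.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it as root with `sh rules.sh apply`. Every TCP port other than PORT is tarpitted, so any other service you run (ssh, for one) needs its own ACCEPT rule, and an exclusion from the NOTRACK rule, inserted before tarpit_rules. The effect on a scanner is delay rather than denial: nmap reports all ports open and each probe hangs, which is exactly what the original post wants from TARPIT.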
Acknowledgement: How to compile a kernel - The Ubuntu way, iptables connlimit/iplimit not working
Tags: linux, security, firewall, ubuntu, patch-o-matic, connlimit, tarpit
- sugree's blog