recent vs ipset
Hi,
I want to use a dedicated firewall to protect the web server. The firewall operates in bridge mode. Which method is better for blocking attacks on a web server?
1. Using the module "recent".
Count the number of connection requests to the server, and if, for example, the number of requests exceeds N (50) within the time T (3600) seconds, then block the source address.
Example iptables rules:
# xt_recent remembers only ip_pkt_list_tot packets per address (default 20),
# so it must be loaded with a larger value or the --hitcount 50 rule is rejected:
# modprobe xt_recent ip_pkt_list_tot=50
iptables -N http_check
iptables -A http_check -m recent --update --seconds 3600 --hitcount 50 -j DROP
iptables -A http_check -m recent --set -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -p tcp --dport 80 -j http_check
iptables -P FORWARD DROP
2. Using the module "recent" and ipset:
a) I use the "recent" module to collect all the addresses that are trying to connect to the web server:
# the set the DROP rule below refers to (older ipset releases: ipset -N blacklist iphash)
ipset create blacklist hash:ip
# user-defined chains take no policy (-P); RETURN continues in FORWARD
iptables -N hitiplist
iptables -A hitiplist -m recent --set -j RETURN
iptables -A FORWARD -d web_server_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d web_server_ip -p tcp --dport 80 -m conntrack --ctstate NEW -j hitiplist
iptables -A FORWARD -d web_server_ip -m set --match-set blacklist src -j DROP
iptables -P FORWARD ACCEPT
b) A Perl script processes the file /proc/net/ipt_recent/DEFAULT, looking for source addresses for which the value "oldest_pkt" > 50, and puts these addresses in the file "blacklist". The script then inserts the addresses from blacklist into the hash table of the "ipset" module.
Questions:
1. Which method is more correct and better in terms of performance?
2. Maybe there are other methods?
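The collector from step 2b, as an added shell example (not the poster's Perl script): it parses the recent table and prints the ipset commands for addresses over the threshold. Assumptions: newer kernels expose the table as /proc/net/xt_recent/DEFAULT (the post's /proc/net/ipt_recent path is the older name), the set "blacklist" already exists, and xt_recent was loaded with ip_pkt_list_tot above the threshold, because oldest_pkt is an index that wraps modulo that parameter and never reaches 50 at the default of 20.

```shell
#!/bin/sh
# Added example, not the poster's Perl script: turn the xt_recent table into
# "ipset add" commands for addresses whose oldest_pkt exceeds a threshold.
# Assumptions: table path for newer kernels (older ones use
# /proc/net/ipt_recent/DEFAULT); the set "blacklist" already exists
# (ipset create blacklist hash:ip); xt_recent was loaded with
# ip_pkt_list_tot above THRESHOLD, because oldest_pkt is an index that
# wraps modulo that parameter (default 20) and would never reach 50.

RECENT_TABLE=${RECENT_TABLE:-/proc/net/xt_recent/DEFAULT}
THRESHOLD=${THRESHOLD:-50}

# Constructed sample in the xt_recent format, used when the real table is
# not readable (e.g. when trying the script somewhere other than the firewall).
SAMPLE_TABLE='src=192.0.2.10 ttl: 64 last_seen: 4295110 oldest_pkt: 3 4295100, 4295105, 4295110
src=198.51.100.7 ttl: 57 last_seen: 4295200 oldest_pkt: 62 4295000, 4295010
src=203.0.113.5 ttl: 64 last_seen: 4295300 oldest_pkt: 50 4295290'

# blacklist_candidates TABLE_TEXT THRESHOLD
# Prints one address per line whose oldest_pkt is strictly greater than THRESHOLD.
blacklist_candidates() {
    printf '%s\n' "$1" | awk -v thr="$2" '
        /^src=/ {
            ip = substr($1, 5)                 # drop the "src=" prefix
            cnt = ""
            for (i = 2; i <= NF; i++)
                if ($i == "oldest_pkt:") { cnt = $(i + 1); break }
            if (cnt != "" && cnt + 0 > thr + 0) print ip
        }'
}

# block_candidates TABLE_TEXT
# Prints the ipset commands; pipe the output into sh on the firewall to apply.
# -exist keeps a re-run from failing on addresses already in the set.
block_candidates() {
    blacklist_candidates "$1" "$THRESHOLD" | while read -r ip; do
        echo "ipset add blacklist $ip -exist"
    done
}

if [ -r "$RECENT_TABLE" ]; then
    block_candidates "$(cat "$RECENT_TABLE")"
else
    block_candidates "$SAMPLE_TABLE"
fi
```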