
Fwd: iptables and networking



Forward message back to the list, as agreed to by Igor.

---------- Forwarded message ----------
From: Igor Cicimov
Date: 2013/6/21
Subject: Re: iptables and networking
To: Steven Post



On 21/06/2013 5:21 AM, "Steven Post" <redalert.commander@gmail.com> wrote:
>
> On Thu, 2013-06-20 at 12:53 +0200, Pol Hallen wrote:
> [...]
> >
> > Hi Steven and thanks for your reply :-)
>
> You're welcome.
>
> >
> > This is my full iptables config:
> [... snip iptables rules...]
> >
> > This way my server actually runs perfectly. Are there other rules to
> > block DDoS attacks, or other types of attacks?
>
> A real DDoS cannot really be blocked by using iptables on the server, as
> an attacker might just be flooding the connection. There are commercial
> services for that if you really want them, but these are not cheap.
>
> Some other things you might consider blocking on the firewall are
> repeated attempts to log in to the server, such as a brute force attack
> on your SSH service.
> You can block repeated attempts to log in with iptables using the
> 'recent' module, an alternative is 'fail2ban', which monitors your
> server logs (ssh, apache, and others) for failed login attempts and then
> adds an iptables rule for the offending IP. It is available in the
> repository, but I cannot comment on its working much as I don't use it
> (yet?). I heard it's really good.
>
> For my simple home server I use the 'recent' module:
> iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW \
>     -m recent --set
> iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW \
>     -m recent --update --seconds 120 --hitcount 3 -j DROP
> iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -j ACCEPT
>
> This blocks new connections if a host attempts more than 3 connections
> within 120 seconds, still enough if I type in the wrong password
> (openssh will allow 3 attempts before disconnecting if I recall
> correctly). This is sufficient for most attacks on ssh, of course you
> already disabled direct root login.
>
> In some cases the 'limit' module for iptables might be useful, for
> example (not really a good one):
> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW \
>     -m limit --limit 1/min --limit-burst 3 -j ACCEPT
>
> This will only allow 1 connection attempt on an FTP server per minute,
> with an initial burst of 3 before limiting.
>
> Regards,
> Steven
>
> PS: no need to send the mail directly to me, I'm subscribed to the list.
>

Another option is the hashlimit module. It's based simply on the fact
that a DDoS sends bursts of traffic over the connection. Example below
for port 80, but it can be applied to 22 or any other service.

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min \
    --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

What this does is allow up to 500 packets (not connections; because
HTTP can do multiple transactions per connection, you have to consider
whether you want to do this on all packets or SYN packets only). If
there are more than 500/min, it will then throttle it down to 50/min
until the rate drops. Anything outside of these limits gets dropped.

This, combined with limiting the number of simultaneous connections per
source IP and a low connection timeout, should give good DDoS protection.
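
As an added example (not code from Steven's or Igor's mails), the script below puts the three mechanisms discussed in this thread together in one dry-runnable form: hashlimit applied to SYN packets only (the SYN-only variant Igor mentions, so a keep-alive connection carrying many requests is counted once), connlimit for the per-source cap on simultaneous connections, and the 'recent' module for SSH. The interface name eth0 and the thresholds (50/min with a burst of 500, 20 concurrent connections, 3 new SSH connections per 120 s) are assumptions chosen for illustration, not tuned values. One caveat a practitioner should know about 'recent': `--update --hitcount 3` counts the packet currently being evaluated, so with the `--set` rule placed first the third new connection inside the window is the one that gets dropped, not the fourth.

```shell
#!/bin/sh
# Added example, not part of the original thread. Builds the iptables rules
# discussed above; prints them unless DRY_RUN=0 (apply as root).
# Assumptions: external interface eth0, HTTP on 80, SSH on 22, and the
# thresholds below, which are illustrative rather than tuned values.
DRY_RUN="${DRY_RUN:-1}"
EXTIF="${EXTIF:-eth0}"

# Run an iptables command, or print it verbatim in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Per-source rate limit on *new* HTTP connections. Matching on --syn (not
# every packet) means one keep-alive connection carrying many requests is
# counted once; default 50 new connections/min, allowing a burst of 500.
http_rate_limit() {
    rate="${1:-50/min}"
    burst="${2:-500}"
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 80 --syn \
        -m hashlimit --hashlimit-upto "$rate" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
    # Anything over the limit falls through to this DROP.
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 80 --syn -j DROP
}

# Cap simultaneous connections per source IP (connlimit). A TCP RST is
# friendlier to legitimate clients behind a shared NAT than a silent drop.
http_conn_limit() {
    max="${1:-20}"
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 80 --syn \
        -m connlimit --connlimit-above "$max" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

# SSH brute-force throttling with the 'recent' module: --set records each
# new connection; --update matches when the source already has >= hitcount
# entries within --seconds (the current packet counts), so the third new
# connection inside 120 s is dropped.
ssh_recent_limit() {
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --set
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name ssh --update --seconds 120 --hitcount 3 -j DROP
    ipt -A INPUT -i "$EXTIF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# Order matters: connlimit must sit before the hashlimit ACCEPT, or it never
# sees the SYNs that hashlimit has already accepted.
all_rules() {
    http_conn_limit
    http_rate_limit
    ssh_recent_limit
}

all_rules
```

Run it as-is to review the generated rules, then `DRY_RUN=0 sudo sh rules.sh` to append them to INPUT. The "low connection timeout" Igor mentions is a server-side setting rather than an iptables one (for Apache, the KeepAliveTimeout directive), so it is not part of the script.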

