
recent vs ipset

I want to use a dedicated firewall to protect the web server. The firewall operates in bridge mode. Which method is better to use to block attacks on the web server?

1. Using the "recent" module:
Count the number of connection requests to the server and, if, for example, the number of requests exceeds N (50) within time T (3600 seconds), block the source address.
Example iptables rules:
iptables -A http_check -m recent --update --seconds 3600 --hitcount 50 -j DROP
iptables -A http_check -m recent --set -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -p tcp --dport 80 -j http_check
iptables -P FORWARD DROP

2. Using the "recent" module and ipset:
a) I use the "recent" module to collect all the addresses that try to connect to the web server:
iptables -A hitiplist -m recent --set -j RETURN
iptables -P hitiplist ACCEPT
iptables -A FORWARD -d web_server_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d web_server_ip -p tcp --dport 80 -m conntrack --ctstate NEW -j hitiplist
iptables -A FORWARD -d web_server_ip -m set --set blacklist src -j DROP

b) A Perl script processes the file /proc/net/ipt_recent/DEFAULT, looking for source addresses whose "oldest_pkt" value is > 50, and puts those addresses in the file "blacklist". The script then inserts the addresses from "blacklist" into an "ipset" hash table.

1. Which method is more correct and better in terms of performance?
2. Are there perhaps other methods?

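An added example, not from the original post: a Python version of the script in step 2b. It parses the xt_recent proc table (the constructed sample lines follow the kernel's `src=... oldest_pkt: N ts, ts` format), picks sources whose packet counter exceeds the threshold, and prints `ipset restore` lines for the `blacklist` set named in the post; the proc path, the optional activity window, the HZ value and the current ipset syntax are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format the kernel writes to /proc/net/xt_recent/<table>
# (older kernels: /proc/net/ipt_recent/<table>). "oldest_pkt" is the running packet counter
# for the source; the trailing numbers are per-packet jiffies (only the last ip_pkt_list_tot, default 20, are kept).
SAMPLE = """\
src=192.0.2.10 ttl: 64 last_seen: 26205 oldest_pkt: 3 26164, 26196, 26205
src=198.51.100.7 ttl: 57 last_seen: 26300 oldest_pkt: 73 26210, 26240, 26270, 26300
src=203.0.113.99 ttl: 120 last_seen: 5000 oldest_pkt: 61 4900, 4950, 5000
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+ttl:\s*(?P<ttl>\d+)\s+last_seen:\s*(?P<last>\d+)"
                     r"\s+oldest_pkt:\s*(?P<hits>\d+)(?P<stamps>.*)$")

@dataclass
class RecentEntry:
    src: str
    ttl: int
    last_seen: int   # jiffies
    hits: int        # the oldest_pkt field
    stamps: list     # retained per-packet jiffies

def parse_recent(text):
    """Parse the proc table, skipping blank or unexpected lines instead of failing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamps = [int(s) for s in re.findall(r"\d+", m.group("stamps"))]
            entries.append(RecentEntry(m.group("src"), int(m.group("ttl")), int(m.group("last")), int(m.group("hits")), stamps))
    return entries

def hits_within(entry, now_jiffies, window_seconds, hz=100):
    """Retained stamps inside the window: a lower bound, since only a few stamps are kept."""
    return sum(1 for s in entry.stamps if s >= now_jiffies - window_seconds * hz)

def offenders(entries, max_hits, now_jiffies=None, window_seconds=None, hz=100):
    """Sources whose counter exceeds max_hits; with a window, drop ones that have gone quiet."""
    active = lambda e: window_seconds is None or hits_within(e, now_jiffies, window_seconds, hz) > 0
    return [e.src for e in entries if e.hits > max_hits and active(e)]

def ipset_commands(addresses, setname="blacklist"):
    """Lines for `ipset restore` (current ipset syntax, assumed); nothing is executed here."""
    return ["add %s %s" % (setname, a) for a in addresses]

if __name__ == "__main__":
    with open("/proc/net/xt_recent/DEFAULT") as f:  # real table; SAMPLE is for offline use
        print("\n".join(ipset_commands(offenders(parse_recent(f.read()), 50))))
```

Pipe the output into `ipset restore` from cron, as the Perl script in step 2b does with its blacklist file.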