On Thu, 2013-06-20 at 12:53 +0200, Pol Hallen wrote:
[...]
> Hi Steven and thanks for your reply :-)

You're welcome.

> This is my full iptables config:
[... snip iptables rules ...]
> With this setup my server actually runs perfectly. Are there other rules
> to block DDoS attacks, or other types of attacks?

A real DDoS cannot really be blocked by using iptables on the server, as an
attacker might just be flooding the connection. There are commercial services
for that if you really want them, but these are not cheap.

Some other things you might consider blocking on the firewall are repeated
attempts to log in to the server, such as a brute force attack on your SSH
service. You can block repeated attempts to log in with iptables using the
'recent' module. An alternative is 'fail2ban', which monitors your server logs
(ssh, apache, and others) for failed login attempts and then adds an iptables
rule for the offending IP. It is available in the repository, but I cannot
comment on its working much as I don't use it (yet?). I heard it's really good.

For my simple home server I use the 'recent' module:

iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 120 --hitcount 3 -j DROP
iptables -A INPUT -i $EXTIF -p tcp --dport 22 -m state --state NEW -j ACCEPT

This blocks new connections if a host attempts more than 3 connections within
120 seconds, still enough if I type in the wrong password (openssh will allow
3 attempts before disconnecting if I recall correctly). This is sufficient for
most attacks on ssh; of course you already disabled direct root login.

In some cases the 'limit' module for iptables might be useful, for example
(not really a good one):

iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m limit --limit 1/min --limit-burst 3 -j ACCEPT

This will only allow 1 connection attempt on an FTP server per minute, with an
initial burst of 3 before limiting.

Regards,
Steven

PS: no need to send the mail directly to me, I'm subscribed to the list.
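As an added example (not part of Steven's mail), a small Python model of the three-rule 'recent' chain above, so you can check how a burst of new SSH connections from one source is judged before loading the rules on a live box. It assumes the kernel default of 20 stored timestamps per address (ip_pkt_list_tot) and that every packet walks the rules in the order given.

```python
"""Model of the xt_recent chain from the mail: --set / --update --seconds 120
--hitcount 3 -j DROP / ACCEPT. Constructed example, not the poster's code."""
from collections import defaultdict, deque

SECONDS = 120      # --seconds 120
HITCOUNT = 3       # --hitcount 3
PKT_LIST_TOT = 20  # assumed kernel default: timestamps kept per address


class RecentList:
    """One 'recent' list: source address -> timestamps of its recent hits."""

    def __init__(self):
        self.hits = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        # '--set': add the address (or update it) and record this packet's time
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount):
        # '--update': match if the address is listed and at least `hitcount`
        # packets were seen within the last `seconds`; a match also refreshes
        # the entry, so a client that keeps retrying stays blocked
        if src not in self.hits:
            return False
        recent = [t for t in self.hits[src] if now - t <= seconds]
        if len(recent) >= hitcount:
            self.hits[src].append(now)
            return True
        return False


def decide(lst, src, now):
    """Verdict for one NEW SYN to port 22 from `src` at time `now` (seconds)."""
    lst.set(src, now)                               # rule 1: -m recent --set
    if lst.update(src, now, SECONDS, HITCOUNT):     # rule 2: --update ... -j DROP
        return "DROP"
    return "ACCEPT"                                 # rule 3: -j ACCEPT


def simulate(events):
    """events: list of (time_seconds, src); returns the verdict for each."""
    lst = RecentList()
    return [decide(lst, src, t) for t, src in events]


if __name__ == "__main__":
    # constructed traffic: one host hammering port 22, a second host untouched
    print(simulate([(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"),
                    (30, "10.0.0.9"), (200, "10.0.0.5")]))
```

Because the --set rule runs before the --update check, the packet that makes the third hit inside the window is itself the one dropped, and a host retrying every 100 seconds never sees its window expire.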