RE: fail2ban
Oct 26 2010 03:31PM Perry B. Whelan (perry commercev3 com)
Kai,
You could consider using low-level kernel level parameters, provided by
netfilter (if Linux), to limit the traffic before ever reaching your
application:
# Limit the number of incoming tcp connections
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp -i $IF0 -s $ANY -d $IP0 -m multiport --dport 80,443 --syn -j SYN_FLOOD
# Accounting by IP
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -m limit --limit 30/s --limit-burst 60 -j RETURN
# Catchall to shape SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 30/s --limit-burst 60 -j RETURN
# Simple logging
$IPTABLES -A SYN_FLOOD -j LOG --log-prefix "IDS_SYN Flood: "
# If met, DROP in an accounted fashion...
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -j DROP
# Catchall to DROP
$IPTABLES -A SYN_FLOOD -j DROP
Regards,
Perry
-----Original Message-----
From: listbounce (at) securityfocus (dot) com On Behalf Of Kai Witzke
Sent: Thursday, October 21, 2010 10:41 AM
To: webappsec (at) securityfocus (dot) com
Subject: fail2ban
Hey everybody!
I have some serious problems with flooding attacks to my apache2. No
problems with logins or syn floods, just a huge amount of simple
requests to my server from the same ip. Anyone got a nice howto on that
or maybe a nice regex prepared for counting such requests and blocking
the greedy ones?
thanks in advance
Kai
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
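As an added illustration (not part of the original thread), the Python model below replays constructed traffic through a token bucket matching `--limit 30/s --limit-burst 60`, once as the two chained `limit` rules of the SYN_FLOOD chain, where each rule holds a single bucket shared by every source, and once with one bucket per source address, which is what netfilter's `hashlimit` match with `--hashlimit-mode srcip` provides. The addresses, traffic rates and function names are assumptions made for the example.

```python
from collections import defaultdict

RATE_PER_MS = 30      # --limit 30/s: 30 credits per millisecond, 1000 credits per packet
BURST = 60 * 1000     # --limit-burst 60: bucket capacity in credits
COST = 1000           # credits spent by one matching packet


class Bucket:
    """Integer token bucket; one instance models one `-m limit` rule."""

    def __init__(self):
        self.credit = BURST
        self.last_ms = 0

    def allow(self, now_ms):
        # Refill for the elapsed time, capped at the burst size, then try to spend.
        self.credit = min(BURST, self.credit + (now_ms - self.last_ms) * RATE_PER_MS)
        self.last_ms = now_ms
        if self.credit >= COST:
            self.credit -= COST
            return True
        return False


def simulate(events, per_source):
    """Return {source: SYNs passed} for (time_ms, source) events in time order."""
    chain = [Bucket(), Bucket()]      # the two shared `limit` rules in SYN_FLOOD
    by_source = defaultdict(Bucket)   # assumption: one bucket per source (hashlimit srcip)
    passed = defaultdict(int)
    for now_ms, src in events:
        if per_source:
            ok = by_source[src].allow(now_ms)
        else:
            # any() stops at the first rule that matches, as -j RETURN does.
            ok = any(rule.allow(now_ms) for rule in chain)
        passed[src] += ok
    return dict(passed)


def sample_traffic(duration_ms=10_000):
    """Constructed traffic: one flooding source (500 SYN/s), one normal client (5 SYN/s)."""
    flood = [(t, "198.51.100.7") for t in range(0, duration_ms, 2)]
    normal = [(t, "192.0.2.20") for t in range(1, duration_ms, 200)]
    return sorted(flood + normal)


if __name__ == "__main__":
    traffic = sample_traffic()
    print("shared limit rules:", simulate(traffic, per_source=False))
    print("per-source buckets:", simulate(traffic, per_source=True))
```

With the shared buckets the flooding source takes nearly every token and the normal client is dropped almost entirely; with per-source buckets the normal client is unaffected while the flooder is held to the configured rate.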