LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page [SOLVED] iptables DOS protection - Insert or Append prevention rules?
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-27-2015, 09:46 AM   #1
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Question iptables DOS protection - Insert or Append prevention rules?

This week was interesting. It seems every holiday, I get tons of GETs on my apache2 host from scripts/bots that aren't using a browser.
This Thanksgiving I got 1600 from one such User-Agent in 1 minute and some change.
Code:
54.174.59.53 - - [25/Nov/2015:18:56:37 -0800] "GET /robots.txt HTTP/1.1" 200 664 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36 HubSpot Webcrawler"
54.174.55.26 - - [25/Nov/2015:19:00:50 -0800] "GET /favicon.ico HTTP/1.1" 200 1683 "http://www.domain.com/contact-us/privacy" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36 HubSpot Webcrawler"
(since banned directly on 54.174.0.0/15 and using fail2ban's apache-badbots.conf).

I am considering the following:
Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
Do I want to Insert or Append into my current rules if I consistently put rules into my iptables using
Code:
iptables -I INPUT -s $i -j DROP
Thank you for your time.
Last edited by Habitual; 11-27-2015 at 11:45 AM.
 
Old 11-27-2015, 01:36 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,345

Rep: Reputation: Disabled
iptables rules are parsed from the top downwards. -A will put the new rule at the very bottom of the chain, so if you want a DROP rule to take precedence over the existing ALLOW rule for port 80, you will need to use -I.
 
1 members found this post helpful.
Old 11-27-2015, 06:33 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374

Original Poster
Blog Entries: 37

Rep: Reputation: Disabled
Thanks Ser Olmy!

It's got an "edge" perimeter since it's up in AWS, so all I have are DROPs and
Code:
fail2ban-c9custom  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 80
fail2ban-ssh  tcp  --  0.0.0.0/0            0.0.0.0/0           
Chain fail2ban-c9custom (1 references)
Chain fail2ban-ssh (1 references)
...
and 2
Code:
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
I'll save and test.

Thanks for your time.
 
  


Reply

Tags
ddos, iptables



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] How to insert (NOT append ) text by using redirection in shell scripting ? markraem Linux - Software 2 03-12-2010 03:47 AM
Looking for IPS/DoS prevention that's smarter than rate limiting DukeLeto Linux - Security 4 03-13-2008 03:41 PM
DoS Attacks Protection chenkoforever Linux - Security 2 07-04-2004 04:11 PM
How do you insert an iptables rules before the end?.... steppin_razor Linux - Security 2 11-25-2001 06:39 PM
How do you insert an iptables rules before the end?.... steppin_razor Linux - Networking 0 11-20-2001 11:23 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:50 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration