Greetings!
I have written a chain that looks like this:
Code:
################
## BIND Rules ##
################
iptables -N bind
iptables -A bind --source 127.0.0.1 -j ACCEPT
iptables -A bind -m state --state NEW -m recent --set --name BIND
iptables -A bind -m state --state NEW -m recent --update --seconds 5 --hitcount 3 --name BIND -m limit --limit 1/minute -j LOG --log-prefix "BIND-ATTACK " --log-level 5
iptables -A bind -m state --state NEW -m recent --update --seconds 5 --hitcount 3 --name BIND -j DROP
Now here is my question. Is this a bad idea? Should I not be limiting requests coming into bind for a server being used to host multiple (300+) websites? Or is my limit simply too low? The reason I ask is before I limited the logging to 1/minute I was getting literally TONS of BIND-ATTACK messages causing me to believe that possibly valid DNS requests are being refused.
I'm just trying to get some other people's opinions on doing something like this and I am very much appreciative of any thoughts or advice anyone can provide.
Thank you for taking the time to read through this!
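The following is an added example, not code from the post above. It models the `-m recent --set` / `--update --seconds 5 --hitcount 3` bookkeeping of the three recent rules in the chain as a small Python simulation, so the effect of a threshold on one legitimate recursive resolver can be checked offline before changing a live firewall. The model and its traffic samples are constructed: it assumes the kernel's default of 20 stamps per address (`ip_pkt_list_tot`), that every UDP query from a resolver arrives from a fresh source port and is therefore `NEW` to conntrack, and the sample addresses `198.51.100.10` and `203.0.113.7` are documentation addresses, not real clients. The LOG rule is modelled too, because its `--update` refreshes the entry whenever the recent match succeeds, even when `-m limit` suppresses the log line itself.

```python
"""Simulation of the xt_recent (-m recent) --set / --update --seconds --hitcount
logic used by a chain like the BIND chain above.

Constructed model, not kernel code: each source address keeps a ring buffer of
ip_pkt_list_tot timestamps (assumed kernel default of 20); --set always records
a stamp; --update counts stamps inside the window and, only when it matches,
records another stamp.
"""
from collections import defaultdict

IP_PKT_LIST_TOT = 20  # assumed module default for the per-address stamp ring


class RecentList:
    """One named list, e.g. --name BIND."""

    def __init__(self, size=IP_PKT_LIST_TOT):
        self.size = size
        self.stamps = defaultdict(list)  # src -> ring of timestamps (seconds)
        self.index = defaultdict(int)    # src -> next slot to write

    def _record(self, src, now):
        ring = self.stamps[src]
        i = self.index[src]
        if i < len(ring):
            ring[i] = now          # overwrite the oldest slot once the ring is full
        else:
            ring.append(now)
        self.index[src] = (i + 1) % self.size

    def set(self, src, now):
        """--set: always add a stamp and always match."""
        self._record(src, now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match if at least N stamps fall
        within the last S seconds; a match also records a fresh stamp."""
        if src not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[src] if s >= now - seconds)
        if hits >= hitcount:
            self._record(src, now)
            return True
        return False


def run_bind_chain(queries, seconds=5, hitcount=3):
    """Feed (timestamp, source) NEW packets through the chain's rules in order
    (ACCEPT loopback, --set, LOG --update, DROP --update) and return the
    (accepted, dropped) counts."""
    recent = RecentList()
    accepted = dropped = 0
    for now, src in queries:
        if src == "127.0.0.1":              # first rule: loopback is accepted
            accepted += 1
            continue
        recent.set(src, now)                # second rule: unconditional --set
        recent.update(src, now, seconds, hitcount)      # LOG rule: stamp side effect only
        if recent.update(src, now, seconds, hitcount):  # DROP rule
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped


def busy_resolver(n=10, interval=0.5, src="198.51.100.10"):
    """Constructed traffic: one recursive resolver sending n queries, each
    from a fresh UDP source port so conntrack sees every one as NEW."""
    return [(i * interval, src) for i in range(n)]


def slow_client(n=10, interval=3.0, src="203.0.113.7"):
    """Constructed traffic: one client querying every 3 seconds."""
    return [(i * interval, src) for i in range(n)]


if __name__ == "__main__":
    for label, traffic in (("busy resolver", busy_resolver()),
                           ("slow client", slow_client())):
        for hc in (3, 20):
            acc, drp = run_bind_chain(traffic, seconds=5, hitcount=hc)
            print(f"{label:14s} hitcount={hc:2d}: accepted={acc} dropped={drp}")
```

With `--seconds 5 --hitcount 3`, a resolver that sends ten queries half a second apart gets only its first two answered and the remaining eight dropped, and every dropped query refreshes the entry, so the block persists for as long as the resolver keeps retrying; a client that queries every three seconds never trips the limit. Raising the hitcount to the ring size of 20 lets the same burst through, which is the quickest way to see whether the volume of BIND-ATTACK log lines came from a threshold that is simply too low for a server authoritative for several hundred zones.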