What should be the limit to use for iptables rate limiting for a webserver?
I see on my webserver some logs as follows
Quote:
Quote:
1) When such an attack happens on my site, how do I detect it while the scanning is going on (in very little time)?
2) I have decided to rate limit with iptables so as to reduce, to some extent, such DoS attacks by some script kiddies (scanning for vulnerabilities in phpMyAdmin or some other script). So how much should it be limited so that genuine users do not get kicked out? What is the best practice for question 2?
Hi,
1. Making sure that you're not vulnerable to the most common default configuration/old software security holes is probably the easiest way to stay out of trouble. "Attacks" like these will always take place but won't be a big deal if you've done your configuration correctly.
You might like the application called fail2ban. Instead of rate limiting the connections, which could and probably will impact valid users, you can target the script kiddies directly. I too received an attempt to locate myadmin on my site, which I do have, but it is not accessible via a public interface; the important point being that their URL guessing FAILS. With fail2ban, too many attempts to access an invalid URL will result in a temporary blockage of their IP address. >99.99% of the time this is sufficient to make them go away.
Here is a log output from my fail2ban from yesterday which stopped this same activity cold:
Code:
2011-02-03 15:16:23,830 fail2ban.actions: WARNING [apache] Ban 82.208.56.105
Code:
[Thu Feb 03 15:16:21 2011] [error] [client 82.208.56.105] File does not exist: /var/www-ssl/scripts
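
The per-client counting described in the reply above, sketched as a sliding window over Apache error-log lines of the shape quoted there. This is an added example, not part of the original thread and not fail2ban's own code; the function name, the `max_retry` and `find_time` thresholds, and the sample log (documentation IP addresses) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2-style error-log line, same shape as the one quoted in the post above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>.*)$"
)

def find_scanners(lines, max_retry=3, find_time=timedelta(seconds=60)):
    """Return {ip: time of ban decision} for clients that cause max_retry
    'File does not exist' errors within find_time (hypothetical thresholds)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other error types are not counted here
        ip = m.group("ip")
        if ip in banned:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        window = recent[ip]
        window.append(ts)
        # Forget failures that have aged out of the window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned

# Constructed sample log: 203.0.113.7 guesses admin URLs in a burst, while
# 192.0.2.10 is an ordinary visitor who hits a few stale links over 15 minutes.
SAMPLE_LOG = """\
[Thu Feb 03 15:16:19 2011] [error] [client 203.0.113.7] File does not exist: /var/www/phpmyadmin
[Thu Feb 03 15:16:20 2011] [error] [client 203.0.113.7] File does not exist: /var/www/pma
[Thu Feb 03 15:16:20 2011] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Thu Feb 03 15:16:21 2011] [error] [client 203.0.113.7] File does not exist: /var/www/scripts
[Thu Feb 03 15:20:45 2011] [error] [client 192.0.2.10] File does not exist: /var/www/old-page.html
[Thu Feb 03 15:31:02 2011] [error] [client 192.0.2.10] File does not exist: /var/www/robots.txt
""".splitlines()

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} would ban {ip}")
```

Widening `find_time` to an hour also flags the ordinary visitor in the sample, which is the false-positive trade-off to weigh when picking thresholds.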