LinuxQuestions.org
Old 10-31-2005, 06:30 PM   #1
wwnexc
Member
 
Registered: Sep 2005
Location: California
Distribution: Slackware & Debian
Posts: 264

Rep: Reputation: 30
Protecting Apache from DOS & Brute Force


Hi,

1) I was wondering whether or not there is a way to restrict how many websites a user or IP can get per minute.
2) When a folder is password protected, how can one limit the number of password-tries per minute?
3) Is there any other smart way to avoid becoming a victim to a script-kiddie attack? (except updating software, of course)

Thanks
 
Old 10-31-2005, 06:55 PM   #2
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
Quote:
1) I was wondering whether or not there is a way to restrict how many websites a user or IP can get per minute.
Linux was built with the system administrator in mind, not with the accountant. Therefore:

-Use iptables
-Create a custom chain which counts the number of times it is traversed
-Set up some other rules which jump to that chain

In my case, I looked at tcp and udp packets coming from $net_wrl. In the tcp case, I only looked at connections not yet established, i.e. requests for new connections.


Code:
 
# $IPTABLES and $net_wrl are set earlier in the script (not shown here)
# Define custom chain for possible DDoS attacks
$IPTABLES -N DDoS
$IPTABLES -A DDoS -m limit --limit 10/s --limit-burst 32 -j RETURN
$IPTABLES -A DDoS -j LOG --log-prefix "[Connection overflow] "
$IPTABLES -A DDoS -j DROP
#:
Code:
#: This one for Timmie's gaming fun: drop the initiation of too many packets:
$IPTABLES -A FORWARD -p tcp -s $net_wrl --tcp-flags SYN,RST,ACK SYN -j DDoS
$IPTABLES -A FORWARD -p udp -s $net_wrl -j DDoS
#:
Quote:
2) When a folder is password protected, how can one limit the number of password-tries per minute?
3) Is there any other smart way to avoid becoming a victim to a script-kiddie attack? (except updating software, of course)
Google for "tarpit" and "brute force". There are a few programs which do exactly what you are asking for. (Linux was built...) I don't have any experience, but it looks good.

jlinkels
 
Old 10-31-2005, 07:23 PM   #3
wwnexc
Member
 
Registered: Sep 2005
Location: California
Distribution: Slackware & Debian
Posts: 264

Original Poster
Rep: Reputation: 30
Would I have to run iptables on a separate machine, or would it be ok to run iptables on the webserver itself?
 
Old 11-01-2005, 05:30 AM   #4
jlinkels
LQ Guru
 
Registered: Oct 2003
Location: Bonaire, Leeuwarden
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195

Rep: Reputation: 1043
You can run iptables on the web server itself. However, you would have to do the filtering (the lines which say -j DDoS) in the INPUT chain.

If you are going to use iptables for advanced tricks like these, I recommend that you read thoroughly through the iptables-HOWTO. Most of the iptables scripts you find on the Internet are for masquerading firewalls. That is not what you might want to do. One very important concept you'd have to understand is the difference between INPUT, FORWARD and OUTPUT chains. Especially if you want to use iptables on your server machine.

jlinkels
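
Added example, not part of jlinkels' posts: the DDoS chain from post #2 attached to INPUT, as post #4 says is needed when iptables runs on the web server itself. It goes beyond the posts in two ways: an optional per-source-IP bucket via the hashlimit match (the limit match is one bucket shared by all clients), and a re-runnable install. The ports, variable names and helper functions are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Chain name, limits and log prefix are
# from post #2; ports, variable names and helper functions are assumptions.
IPTABLES="${IPTABLES:-iptables}"
HTTP_PORTS="${HTTP_PORTS:-80,443}"  # assumed web ports
PER_IP="${PER_IP:-0}"               # 1 = one bucket per source IP (hashlimit)
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, change nothing

# Run one iptables command, or just print it in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

apply_rules() {
    # Create the chain on first run, then flush it so re-runs do not stack rules.
    ipt -N DDoS 2>/dev/null || true
    ipt -F DDoS
    if [ "$PER_IP" = 1 ]; then
        # Per-source token bucket: each client address gets its own 10/s budget.
        ipt -A DDoS -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip \
            --hashlimit-upto 10/sec --hashlimit-burst 32 -j RETURN
    else
        # As posted: a single bucket shared by all sources.
        ipt -A DDoS -m limit --limit 10/s --limit-burst 32 -j RETURN
    fi
    ipt -A DDoS -j LOG --log-prefix "[Connection overflow] "
    ipt -A DDoS -j DROP

    # On the web server itself the jump belongs in INPUT, not FORWARD. Only bare
    # SYNs (new connection requests) to the web ports are counted.
    set -- -p tcp -m multiport --dports "$HTTP_PORTS" \
        --tcp-flags SYN,RST,ACK SYN -j DDoS
    # Insert at position 1 so the limit is evaluated before any ACCEPT rule,
    # and skip the insert if the jump is already present.
    if [ "$DRY_RUN" = 1 ] || ! "$IPTABLES" -C INPUT "$@" 2>/dev/null; then
        ipt -I INPUT 1 "$@"
    fi
}

apply_rules
```

With DRY_RUN=1 (the default here) the script only prints the commands; set DRY_RUN=0 and run it as root to install them.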
 
  

