I need to know what the role of iptables should be on a typical Apache web server on the Internet, to help prevent or limit DoS or other attacks.

mmonem

2 Answers


As you have noted, IPTables is not a definitive solution to DoS - at least one reason being that your server still receives the packets and must process them. If enough packets are sent, your bandwidth will be exhausted and your server will still do a lot of processing while legitimate requests might not make it through.

Nonetheless, IPTables has its uses, and if you can't set up devices external to (upstream from) your server, it may be a reasonable defense.

The starting point would be to close all ports other than the ones you need. For web requests you will need port 80 open (and port 443 if you do HTTPS/SSL). Any other services (SSH, FTP, POP, SMTP, IMAP, etc) your server runs will require additional ports open.

A word of caution - before you block too many ports, ensure you have implemented something to reset your configuration if you get yourself 'locked out'.

As for the DoS, you probably want to look into the recent module. It will monitor the number of incoming requests from a given IP address, and can be used in such a way that if the limit you specify is exceeded, all future packets from the IP address in question will be dropped (for a time you specify).

e.g. you may say that if more than 100 new requests come from an IP in 60 seconds, drop requests from this IP for 1 hour.

If you want something more complex, you can implement a tiered system, where you block the IP for 10 minutes the first time, 30 minutes the second time, etc.

I use something similar, but for non-HTTP connections (e.g. SSH, FTP, etc) which you can see here. For you, a possible (incomplete) implementation might look like the following:

# custom chains must exist before the rules that jump to them
# (declared here in iptables-save form; equivalent to iptables -N ...)
:ATTK_CHECK - [0:0]
:ATTACKED - [0:0]

# accept packets belonging to connections that are already allowed
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# sources on the BANNED list are dropped; --update refreshes the 1800 s timer on every packet
-A INPUT -p tcp -m multiport --dports 80 -m recent --update --seconds 1800 --name BANNED --rsource -j DROP
# every NEW connection to port 80 goes through the rate check
-A INPUT -p tcp -m multiport --dports 80 -m state --state NEW -j ATTK_CHECK

#OTHER PRE-EXISTING RULES

# record this hit, then match if the source has 100 or more hits in the last 60 s
-A ATTK_CHECK -m recent --set --name ATTK --rsource
-A ATTK_CHECK -m recent --update --seconds 60 --hitcount 100 --name ATTK --rsource -j ATTACKED
-A ATTK_CHECK -j ACCEPT
# rate-limited log entry, then add the source to BANNED and drop
-A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
-A ATTACKED -m recent --set --name BANNED --rsource -j DROP

Which is basically: ban for 30 min if there are more than 100 hits/min on port 80, and if the attack continues, keep extending the 30 minutes.

cyberx86
  • No competent DoS has more than a few requests a minute coming from individual IP addresses; it's the sheer volume of different clients that does the damage. – womble Jul 31 '11 at 07:19
  • Agreed - the above is only useful for a single (or few) originating IPs - any true DDoS (distributed/reflected) won't really be affected. Perhaps something such as ConfigServer (CSF) may be better suited or something considerably more adaptive (a DDoS would benefit from much lower thresholds, but that impacts on legitimate traffic too). There is an interesting, older (and experimental), IPTables config that someone could use as a starting point [here](http://www.hermann-uwe.de/files/fw_laptop). I am curious as to what other (internal) solutions may be effective. – cyberx86 Jul 31 '11 at 08:02
  • As a general statement, I might suggest that the sites likely to come under a targeted DDoS are larger sites which have probably implemented their own measures against it. Small sites will have a harder time and must rely on either their hosting provider or simpler methods (but are, arguably, less likely to encounter a DDoS). @womble: it may not mean much from a non-IT person, but the breadth of topics you have addressed (here & on your blog) and the quality of answers is impressive and have taught me a lot, so you have my thanks. – cyberx86 Jul 31 '11 at 08:03
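As an added illustration (not part of cyberx86's answer), here is a small Python model of how the recent-module rules in that answer behave, so the 60 s / 100-hit window and the self-extending 30 min ban can be checked against constructed traffic. The addresses 198.51.100.7 and 203.0.113.5, the class names and the unbounded per-source timestamp list are assumptions of the model; real xt_recent caps the stored timestamps per entry.

```python
from collections import defaultdict


class RecentList:
    """One xt_recent list: per-source hit timestamps (simplified model)."""

    def __init__(self):
        self.entries = defaultdict(list)  # src -> hit timestamps in seconds

    def set(self, src, now):  # --set: record a hit, creating the entry if needed
        self.entries[src].append(now)

    def update(self, src, now, seconds, hitcount=None):
        """--update --seconds N [--hitcount H]: match if src was seen within
        N seconds (and has at least H hits in that window); a match refreshes it."""
        stamps = self.entries.get(src)
        if not stamps or now - stamps[-1] > seconds:
            return False
        if hitcount and sum(1 for t in stamps if now - t <= seconds) < hitcount:
            return False
        stamps.append(now)  # refresh: an ongoing attack keeps the ban alive
        return True


class Firewall:
    """Applies the INPUT / ATTK_CHECK / ATTACKED rules to NEW packets on port 80."""

    def __init__(self, window=60, hits=100, ban=1800):
        self.attk, self.banned = RecentList(), RecentList()
        self.window, self.hits, self.ban = window, hits, ban
        self.log = []  # (time, src) per ATTACKED event, like the LOG rule

    def new_packet(self, src, now):
        # -A INPUT ... -m recent --update --seconds 1800 --name BANNED -j DROP
        if self.banned.update(src, now, self.ban):
            return "DROP"
        self.attk.set(src, now)  # -A ATTK_CHECK -m recent --set --name ATTK
        # -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 100 -j ATTACKED
        if self.attk.update(src, now, self.window, self.hits):
            self.log.append((now, src))
            self.banned.set(src, now)  # -A ATTACKED ... --set --name BANNED -j DROP
            return "DROP"
        return "ACCEPT"  # -A ATTK_CHECK -j ACCEPT


def run(fw, packets):
    """Feed constructed (time, src) packets in order and return the verdicts."""
    return [fw.new_packet(src, t) for t, src in packets]
```

Feeding 2 new connections per second from one constructed source shows the 100th hit (at 49.5 s) being banned and every later packet both dropped and extending the ban, while the ban lapses only after the source has been silent for 1800 s.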

You can perhaps set up a program on the server OS itself, not Apache, that will ban an IP if they access X times in under X minutes... Make it temporary bans too, so... Google for a specific program, since I cannot tell what OS you use. Good luck.

EDIT

Sorry, CentOS. Got it.

U4iK_HaZe