
I have 3 Varnish 3.0.2 servers with Apache 2 as backends, which are being load balanced through a separate HAproxy server.

I need to find a very simple program (I'm not much of a sysadmin), which blocks requests from an IP, if that IP has made more than X requests in Y seconds.

Would something like this be achievable with a simple solution? Right now I have to block all requests manually with iptables.

Eduard Luca

1 Answer

You can do something like this with iptables:

# Record the source address of every new connection to port 80 in the "recent" list named HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP
# Drop the new connection when that address already has 80 hits in the list within the last 60 seconds (--rttl: only stamps with the same TTL count)
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 80 --rttl --name HTTP -j DROP

The first command labels the connection (which may be legitimate) as HTTP, and the second blocks it if the following requirement is met: more than 80 attempts in the last 60 seconds.

However, everyone using the blocked IP address will be denied, not only the possible DDoSer if he/she uses a NAT-ed IP address. And you need to find something to re-enable the access after some time.

You can also try fail2ban.

Hope it helps

philippe
  • I see. And do I have to run these commands from time to time, like in a cron job, or do they start as services? – Eduard Luca Sep 04 '12 at 14:27
  • You launch them once, and that's all. But keep in mind that legitimate users may use the same IP address as the attacker, so you have to provide a way to re-enable the access after a while (like every hour, or day) – philippe Sep 04 '12 at 14:32
  • Isn't there an option in iptables to only block the requests for 10 minutes, until the attacker gets bored and goes away? – Eduard Luca Sep 04 '12 at 14:33
  • `denyhosts` or the already mentioned `fail2ban` are far better suited for your needs. – Ansgar Wiechers Sep 04 '12 at 15:15
  • Thanks, will benchmark all of these and will decide on one. – Eduard Luca Sep 04 '12 at 15:18
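The following script is an added example, not code from the question, the answer or any of the tools named above. It does in iptables what the question asks for (X new connections from one address in Y seconds) and also what the comments ask for (the ban expires on its own after a fixed time instead of needing a cron job), using two "recent" lists: one that counts attempts and one that holds banned addresses. The chain names HTTP_LIMIT and HTTP_BAN, the defaults (80 hits in 60 seconds, 10 minute ban, eth0, port 80) and the IPTABLES/MODPROBE override variables are this example's own assumptions. One point the original thread does not raise: with HAproxy in front, every connection arriving at the Varnish hosts comes from the HAproxy server's own address, so rules like these on the Varnish boxes would ban the load balancer. They belong on the HAproxy host (or on whichever host sees the real client address, for instance if HAproxy runs in transparent mode). The NAT caveat from the answer still applies: a whole office behind one address is banned together.

```shell
#!/bin/sh
# Added example, not from the original post: per-source-address rate limit
# for new TCP connections using the iptables "recent" match, with a ban that
# expires by itself. Chain names, defaults and the IPTABLES/MODPROBE
# override variables are assumptions made for this example.
set -eu

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print the rules instead of loading them
MODPROBE="${MODPROBE:-modprobe}"

# install_rate_limit MAX_HITS WINDOW_SECS BAN_SECS IFACE PORT
install_rate_limit() {
    hits="$1"; window="$2"; ban="$3"; iface="$4"; port="$5"

    # Older kernels reject a --hitcount larger than ip_pkt_list_tot (default
    # 20), and a list holds only ip_list_tot addresses (default 100) before it
    # evicts the oldest. Loading with larger values is a no-op if the module
    # is already loaded, and the failure is ignored if it is built in.
    "$MODPROBE" xt_recent ip_pkt_list_tot="$hits" ip_list_tot=1000 2>/dev/null || true

    "$IPTABLES" -N HTTP_LIMIT
    "$IPTABLES" -N HTTP_BAN

    # Only the first packet of each TCP connection goes through the limiter.
    "$IPTABLES" -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j HTTP_LIMIT

    # 1. Already banned: drop before the counter list is touched. --rcheck does
    #    not refresh the timestamp, so the ban ends BAN_SECS after it was
    #    imposed even if the client keeps hammering.
    "$IPTABLES" -A HTTP_LIMIT -m recent --name HTTP_BAN --rcheck --seconds "$ban" -j DROP
    # 2. Record this attempt for the source address (--set always matches; no target needed).
    "$IPTABLES" -A HTTP_LIMIT -m recent --name HTTP_CNT --set
    # 3. This is the MAX_HITS-th attempt inside WINDOW_SECS: move the address to the ban list.
    "$IPTABLES" -A HTTP_LIMIT -m recent --name HTTP_CNT --rcheck --seconds "$window" --hitcount "$hits" -j HTTP_BAN
    "$IPTABLES" -A HTTP_LIMIT -j RETURN

    # --set always matches, so this single rule both records the ban and drops the packet.
    "$IPTABLES" -A HTTP_BAN -m recent --name HTTP_BAN --set -j DROP
}

# uninstall_rate_limit IFACE PORT: remove the jump from INPUT and both chains.
uninstall_rate_limit() {
    iface="$1"; port="$2"
    "$IPTABLES" -D INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j HTTP_LIMIT
    "$IPTABLES" -F HTTP_LIMIT
    "$IPTABLES" -F HTTP_BAN
    "$IPTABLES" -X HTTP_LIMIT
    "$IPTABLES" -X HTTP_BAN
}

case "${1:-}" in
    install)   install_rate_limit "${2:-80}" "${3:-60}" "${4:-600}" "${5:-eth0}" "${6:-80}" ;;
    uninstall) uninstall_rate_limit "${2:-eth0}" "${3:-80}" ;;
esac
```

Run it as root once, for example `sh ratelimit.sh install 80 60 600 eth0 80`; the rules stay until reboot or `sh ratelimit.sh uninstall eth0 80`, so put the install call in whatever already restores your firewall at boot. `IPTABLES=echo sh ratelimit.sh install` prints the rules without loading them. The current state of both lists is readable in /proc/net/xt_recent/HTTP_CNT and /proc/net/xt_recent/HTTP_BAN, and an address can be unbanned by hand before the timer runs out by writing it with a leading minus, e.g. `echo -203.0.113.5 > /proc/net/xt_recent/HTTP_BAN` (203.0.113.5 is a documentation address used here as a placeholder).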