
I've asked this question on StackOverflow, but nobody answered until yesterday... and the answer was a suggestion... to ask it here :). So... can someone help me with this:

I'm new to networking and security, and I have a problem with the HTTPD server on FreeBSD. If someone makes a lot of requests, the httpd server dies... Can anyone tell me a solution to prevent httpd from dying, or how to add an ipfw rule that will block for 60 seconds any connection to the server from an IP that has made over 5 requests/second in the past second?

i.e.: if someone opens the website and keeps the F5 button pressed, httpd dies... httpd restart is not working anymore, so I need to do httpd stop / httpd start...

This is what I found for iptables:

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
dawud
    . . . error message? Logs? *Something?* [**I'm beggin' ya man!**](http://meta.serverfault.com/questions/3608/how-can-i-ask-better-questions-on-server-fault) (we really need waaaaaay more detail to even begin to speculate about guessing) – voretaq7 Aug 13 '13 at 20:47
  • error message in browser... "server taking too long to respond" or something like that... and in the logs, nothing... – user2602350 Aug 14 '13 at 17:42
  • nothing in the server logs? Can't be.... gotta be something... (check `/var/log/messages` if it's actually dying -- there should be an "httpd exited with signal xxxx" in there...) If there's really nothing, try attaching a debugger to Apache. – voretaq7 Aug 14 '13 at 18:07
  • in /var/log/messages I see `kernel: pid 19457 (httpd), uid 80: exited on signal 11`, but I'm not sure if this is the message I was looking for... Apache is not dying... the httpd process is still listed in ps, but it is not responding in the browser... – user2602350 Aug 14 '13 at 18:26

1 Answer


As a quick answer, I would suggest the following for the local pf (I am using it for SSH brute-force attempts):

# vi /etc/pf.conf

table <bruteforce> persist
block quick from <bruteforce>

pass inet proto tcp from any to any port http flags S/SA keep state (max-src-conn 5, max-src-conn-rate 5/30, overload <bruteforce> flush global)

(inspired from here)

EDIT: you have to enable pf, of course :)

# vi /etc/rc.conf

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
Daywalker
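The question asks for a rule that fires on more than 5 requests per second from one IP, while the pf rule in the answer counts new TCP connections per source (max-src-conn-rate 5/30 means 5 new connections within 30 seconds, however many HTTP requests each connection carries). To see which condition a given client actually trips, here is an added example that is not part of the question or of Daywalker's answer: it counts requests per client per second in an Apache access log and lists the clients that exceeded a threshold in any single second. The log file, its contents and the function name flood_ips are constructed for this illustration; it assumes the common log format "IP - - [DD/Mon/YYYY:HH:MM:SS +ZZZZ] ..." with one-second timestamp resolution and a POSIX awk.

```shell
#!/bin/sh
# Added example, not from the original post: find clients that sent more than
# THRESHOLD requests within one second of an Apache access log. Assumes the
# common/combined log format (field 1 = client IP, field 4 = "[DD/Mon/YYYY:HH:MM:SS").

# flood_ips THRESHOLD LOGFILE
# Prints "IP COUNT SECOND" for every (client, second) bucket above THRESHOLD,
# sorted, so the output is stable and can be fed to pfctl or ipfw by a caller.
flood_ips() {
    threshold="$1"
    logfile="$2"
    awk -v limit="$threshold" '
        {
            ip = $1
            # $4 looks like "[13/Aug/2013:20:47:01"; drop the bracket to keep the second.
            ts = substr($4, 2)
            count[ip SUBSEP ts]++
        }
        END {
            for (key in count) {
                if (count[key] > limit) {
                    split(key, parts, SUBSEP)
                    print parts[1], count[key], parts[2]
                }
            }
        }
    ' "$logfile" | sort
}

# Constructed sample log (documentation-range addresses): 203.0.113.7 hammers the
# front page 8 times in one second (an F5 flood), then 3 times in the next second;
# 198.51.100.20 is a normal visitor loading a page and its stylesheet.
SAMPLE_LOG=$(mktemp "${TMPDIR:-/tmp}/flood_example.XXXXXX")
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [13/Aug/2013:20:47:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [13/Aug/2013:20:47:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [13/Aug/2013:20:47:02 +0000] "GET /style.css HTTP/1.1" 200 812
EOF

# Over 5 requests in one second: only the flooding client is reported.
flood_ips 5 "$SAMPLE_LOG"
```

Each reported address is a candidate for the answer's table (pfctl -t bruteforce -T add ADDRESS inserts one by hand; the block quick rule then drops it until the table entry is removed). Two caveats worth keeping in mind: a browser holding F5 can reuse one keep-alive connection for many requests, so a connection-rate limit such as max-src-conn-rate may not fire on it at all, whereas a normal browser opening several parallel connections for one page can reach 5 new connections well inside 30 seconds; and the "exited on signal 11" line quoted in the comments is httpd crashing with a segmentation fault, which a firewall rule makes harder to trigger but does not fix.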