2

We're using HAproxy as a front end load balancer / proxy and are looking for solutions to block random IP addresses from jamming the cluster.

Is anyone familiar with a conf for HAProxy that can block requests if they exceed a certain threshold from a single IP within a defined period of time? Or can anyone suggest a software solution which could be placed in front of HAProxy to handle this kind of blocking?

Tom O'Connor
user35647
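The per-source-IP threshold the question asks for can be expressed directly in HAProxy with a stick table, as in this added example (not from the question or any answer on this page). It assumes HAProxy 1.5 or later, a backend named "web", and a placeholder threshold of 20 requests per 10 seconds.

```haproxy
# Added example, not from the question or any answer on this page.
# Assumes HAProxy 1.5 or later (stick-table request-rate counters) and a
# backend named "web"; 20 requests per 10 s is a placeholder threshold.
frontend http_in
    bind *:80
    mode http

    # One table entry per client IP, holding a sliding request-rate
    # counter over 10 s; entries idle for 60 s are evicted.
    stick-table type ip size 100k expire 60s store http_req_rate(10s)

    # Count every request against the client's source address.
    # Caveat: if another proxy sits in front of HAProxy, "src" is that
    # proxy's address, so all clients would share one counter.
    http-request track-sc0 src

    # Reject with HTTP 403 while the client is above the threshold;
    # it is admitted again as soon as its rate drops back under it.
    http-request deny if { sc_http_req_rate(0) gt 20 }

    default_backend web

backend web
    server app1 192.0.2.10:8080 check
```

To see which addresses are currently being tracked and their rates, query the stats socket with "show table http_in" (for example via socat against the configured admin socket).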

3 Answers

2

fail2ban is able to add firewall (iptables) rules to block traffic in response to logfile entries so if you can make HAProxy write log entries for requests, fail2ban can rate limit for you.

dotplus
1

Just use regular iptables. The example below is for ssh, hopefully you get the idea.

from http://www.debian-administration.org/articles/187

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

There is also the "hashlimit" module, but I haven't tried that.

0

This depends on whether you want the denied IPs to be retained over reboots or not. These routes are lost during a reboot (unless you add them to rc.local etc.). But in a pinch, when I have had nasty people hammering at some of our systems, I just add a null route on the haproxy server.

route add -host[net] Target[/prefix] gw 127.0.0.1

This is fast, does not require editing iptables and can be pulled simply by removing the route.

MartinP