Justin wrote:

> Try fail2ban

Alternatively, you can use the builtin iptables connection rate limiter.

Excerpt from my home-grown firewall script:

------------
for port in $INPUT_LIMITER_TCPPORTS; do
    # 1. remember every new connection attempt from the source host
    $IPT_IN -p tcp --dport $port -m state --state NEW \
        -m recent --name "limit-${port}" --set
    # 2. log attempts that have reached the limit ...
    $IPT_IN -p tcp --dport $port -m state --state NEW \
        -m recent --name "limit-${port}" --rcheck \
        --seconds $INPUT_LIMITER_TIME --hitcount $INPUT_LIMITER_COUNT \
        -j LOG --log-prefix "limit-rjct-${port} "
    # 3. ... and reject them
    $IPT_IN -p tcp --dport $port -m state --state NEW \
        -m recent --name "limit-${port}" --rcheck \
        --seconds $INPUT_LIMITER_TIME --hitcount $INPUT_LIMITER_COUNT \
        -j REJECT
    # 4. log everything else ...
    $IPT_IN -p tcp --dport $port -m state --state NEW \
        -j LOG --log-level notice --log-prefix "limit-acpt-${port} "
    # 5. ... and accept it
    $IPT_IN -p tcp --dport $port -m state --state NEW \
        -j ACCEPT
done
----------------

It limits the number of new connections on each port in
INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT
within INPUT_LIMITER_TIME.

More precisely, it does the following:

1. When a new connection is established by a previously unknown host, set a
   mark (first rule).
2. When the number of marks from that host has exceeded the specified upper
   connection limit, reject the connection (third rule); you could also drop.
3. Otherwise, accept the connection (fifth rule).

Rules 2 and 4 are for logging purposes only, and have no impact on
functionality. By using --log-prefix, you can use your logging daemon's
filtering capabilities to sort these requests into new

The count is reset after INPUT_LIMITER_TIME seconds have passed. Thus, after
exceeding INPUT_LIMITER_COUNT, you have to wait for $INPUT_LIMITER_SECONDS
before a new attempt.

Oh yeah, $IPT_IN is shorthand for "${IPTABLES} -t filter -A INPUT", where
${IPTABLES} points to the iptables executable, of course.

The advantage of this solution is that it does not rely on log file parsing
or any other magic; it simply counts the number of connections from each
host on a specific port. It is very easy on CPU and very stable: it
continues working as long as your kernel works.

The disadvantage is that it does not rely on log file parsing or any other
magic; it simply counts the number of connections from each host on a
specific port. It cannot do anything clever. Also, your iptables -L output
gets a bit cluttered by adding five rules for every port you want to
rate-limit.

Anno.

--
gentoo-user@l.g.o mailing list |
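A complete, runnable version of the limiter Anno describes above, added here as an illustration; it is not Anno's script and not part of any Gentoo package. It keeps the INPUT_LIMITER_* variable names from the post. The function names, the --apply switch, the dry-run mode (IPTABLES=echo prints the rules instead of loading them) and the xt_recent ip_pkt_list_tot check are assumptions of this example, and it goes a little beyond the post by showing the procfs interface the recent match exposes for inspecting and clearing the per-host state.

```shell
#!/bin/sh
# Added example (not Anno's script): a complete, runnable version of the
# per-host, per-port new-connection limiter built on iptables' "recent"
# match. INPUT_LIMITER_* names come from the post; everything else here
# (function names, --apply switch, IPTABLES=echo dry run, the xt_recent
# checks) is an assumption of this example.
set -eu

IPTABLES=${IPTABLES:-iptables}            # set to "echo" to print rules instead of loading them
INPUT_LIMITER_TCPPORTS=${INPUT_LIMITER_TCPPORTS:-"22 25"}
INPUT_LIMITER_COUNT=${INPUT_LIMITER_COUNT:-4}   # new connections allowed per source host ...
INPUT_LIMITER_TIME=${INPUT_LIMITER_TIME:-60}    # ... within this many seconds

# --hitcount can never exceed xt_recent's ip_pkt_list_tot (20 by default):
# the module only remembers that many timestamps per address, and iptables
# refuses to load a rule asking for more.
hitcount_fits() { [ "$1" -le "$2" ]; }

check_hitcount_limit() {
    param=/sys/module/xt_recent/parameters/ip_pkt_list_tot
    [ -r "$param" ] || return 0   # module not loaded yet, or not root: nothing to compare against
    max=$(cat "$param")
    hitcount_fits "$INPUT_LIMITER_COUNT" "$max" || {
        echo "INPUT_LIMITER_COUNT=$INPUT_LIMITER_COUNT exceeds xt_recent ip_pkt_list_tot=$max" >&2
        return 1
    }
}

# The five rules from the post for one port, in the same order: count the
# attempt, log and reject once the count is reached, otherwise log and accept.
apply_limiter() {
    port=$1
    ipt_in="$IPTABLES -t filter -A INPUT"
    set -- -p tcp --dport "$port" -m state --state NEW   # match shared by all five rules
    $ipt_in "$@" -m recent --name "limit-$port" --set
    $ipt_in "$@" -m recent --name "limit-$port" --rcheck \
        --seconds "$INPUT_LIMITER_TIME" --hitcount "$INPUT_LIMITER_COUNT" \
        -j LOG --log-prefix "limit-rjct-$port "
    $ipt_in "$@" -m recent --name "limit-$port" --rcheck \
        --seconds "$INPUT_LIMITER_TIME" --hitcount "$INPUT_LIMITER_COUNT" \
        -j REJECT
    $ipt_in "$@" -j LOG --log-level notice --log-prefix "limit-acpt-$port "
    $ipt_in "$@" -j ACCEPT
}

# xt_recent keeps its per-host state in procfs under the --name used above.
# Reading the file lists the tracked addresses with their hit timestamps;
# writing "-ADDR" drops one address and "/" flushes the whole list, both
# without touching the rule set.
limiter_show()   { cat "/proc/net/xt_recent/limit-$1"; }
limiter_forget() { echo "-$2" > "/proc/net/xt_recent/limit-$1"; }
limiter_flush()  { echo / > "/proc/net/xt_recent/limit-$1"; }

if [ "${1:-}" = "--apply" ]; then
    check_hitcount_limit
    for port in $INPUT_LIMITER_TCPPORTS; do
        apply_limiter "$port"
    done
fi
```

Run it as `IPTABLES=echo sh limiter.sh --apply` to review the generated rules before loading them for real (which needs root). Two points worth checking before relying on it: a larger INPUT_LIMITER_COUNT needs `options xt_recent ip_pkt_list_tot=N` in /etc/modprobe.d first, otherwise the --rcheck rules fail to load; and because rule 1 runs --set on every new connection attempt, including the ones rule 3 rejects, a host that keeps retrying keeps its own count up and stays locked out until it backs off for INPUT_LIMITER_TIME seconds. Note also that `--state NEW` matches on the first SYN, before any handshake has completed, so a forged SYN carrying someone else's source address counts against that address; keep the count generous on ports that remote users depend on.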