| 1 |
Justin wrote: |
| 2 |
|
| 3 |
> Try fail2ban |
| 4 |
|
| 5 |
Alternatively, you can use the builtin iptables connection rate limiter. |
| 6 |
|
| 7 |
Excerpt from my home-grown firewall script: |
| 8 |
|
| 9 |
------------ |
| 10 |
for port in $INPUT_LIMITER_TCPPORTS; do |
| 11 |
$IPT_IN -p tcp --dport $port -m state --state NEW -m \ |
| 12 |
recent --name "limit-${port}" --set |
| 13 |
$IPT_IN -p tcp --dport $port -m state --state NEW -m \ |
| 14 |
recent --name "limit-${port}" --rcheck --seconds |
| 15 |
$INPUT_LIMITER_TIME --hitcount $INPUT_LIMITER_COUNT -j \ |
| 16 |
LOG --log-prefix "limit-rjct-${port} " |
| 17 |
$IPT_IN -p tcp --dport $port -m state --state NEW -m \ |
| 18 |
recent --name "limit-${port}" --rcheck --seconds |
| 19 |
$INPUT_LIMITER_TIME --hitcount $INPUT_LIMITER_COUNT -j REJECT \ |
| 20 |
$IPT_IN -p tcp --dport $port -m state --state NEW -j |
| 21 |
LOG --log-level notice --log-prefix "limit-acpt-${port} " \ |
| 22 |
$IPT_IN -p tcp --dport $port -m state --state NEW -j ACCEPT |
| 23 |
done |
| 24 |
---------------- |
| 25 |
|
| 26 |
It limits the number of new connections on each port in |
| 27 |
INPUT_LIMITER_TCPPORTS from any individual host to INPUT_LIMITER_COUNT |
| 28 |
within INPUT_LIMITER_TIME. |
| 29 |
|
| 30 |
More precisely, it does the following: |
| 31 |
|
| 32 |
1. When a new connection is established by a previously unkown host, set a |
| 33 |
mark (first rule). |
| 34 |
2. When the number of marks from that host has exceeded the specified upper |
| 35 |
connection limit, reject the connection (third rule), you could also drop. |
| 36 |
3. Otherwise, accept the connection (fifth rule) |
| 37 |
|
| 38 |
Rules numbers 2 and 4 are for logging purposes only, and have no impact on |
| 39 |
functionality. By using --log-prefix, you can use your logging daemon's |
| 40 |
filtering capabilities to sort these requests into new |
| 41 |
|
| 42 |
The count is reset after INPUT_LIMITER_TIME seconds have passed. Thus, after |
| 43 |
exceeding INPUT_LIMITER_COUNT, you have to wait for $INPUT_LIMITER_SECONDS |
| 44 |
before a new attempt. |
| 45 |
|
| 46 |
Oh yeah, $IPT_IN is shorthand for "${IPTABLES} -t filter -A INPUT", where |
| 47 |
${IPTABLES} points to the iptables executable, of course. |
| 48 |
|
| 49 |
The advantage of this solution is that it does not rely on log files parsing |
| 50 |
or any other magic, it simply counts the number of connections from each |
| 51 |
host on a specific port. It it does very easy on CPU and very stable, it |
| 52 |
continues working as long as your kernel works. |
| 53 |
|
| 54 |
The disadvantage is that it does not rely on log files parsing or any other |
| 55 |
magic, it simply counts the number of connections from each host on a |
| 56 |
specific port. It cannot do anything clever. Also, your iptables -L output |
| 57 |
gets a bit cluttered by adding five rules for every port you want to |
| 58 |
rate-limit. |
| 59 |
|
| 60 |
Anno. |
| 61 |
|
| 62 |
-- |
| 63 |
gentoo-user@l.g.o mailing list |
Archives