Damian Myerscough wrote:
On 25/05/07, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
seth vidal wrote:
> Here's what I've used in the past.
>
> It allows connections for certain ports/places and then drops
everything
> else as the last item.
>
> http://linux.duke.edu/~skvidal/misc/iptables-template
>
> it's pretty painless, really.
>
> If we want to add explicit outbound rules, too, that's fine, but I'd
> advise enabling logging b/c that stuff is easy to get wrong. :)
>
> This is just a sample but it's simple and straightforward.
>
Excellent. I much prefer simple firewall rules where possible (its not
always possible :)
One RFE:
Could we have a commented section in there to rate limit some of the
open ports (http immediately come to mind)? That way if we get slammed
again we don't have to go figure out what we've done in the past we can
just uncomment it.
What do you think?
-Mike
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Hey Mike,
For Apache why not deploy the mod_evasive module. What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide
evasive action in the event of an HTTP DoS or DDoS attack or brute
force attack. It is also designed to be a detection and network
management tool, and can be easily configured to talk to ipchains,
firewalls, routers, and etcetera. mod_evasive presently reports abuses
via email and syslog facilities.
I have finished university for the summer, would you like me to look
into deploying this
next week? Does anyone have any objections to this?
Is mod_evasive in extras/epel?
-Mike
