On 2012/01/17 19:56, Dave Stevens wrote:
Quoting Joe Zeff <joe@xxxxxxx>:
On 01/17/2012 07:40 PM, Dave Stevens wrote:
I have a vps that has been repeatedly hit with a ddos attack. The ISP
has given me new IP addresses several times but every time I update the
DNS records the attack resumes within hours. This is not yet a
production site but I need it to be, sooner rather than later.
Can anyone suggest reading or strategies for dealing with this?
Dave
Have you considered using Fail2ban? See
http://www.fail2ban.org/wiki/index.php/Main_Page
Not familiar with it but will check it out, thanks
This is a set if iptables rules that essentially "deals" with packets that
come in too fast. Anything more than one attempt in one minute is logged and
rejected. You can also forgo logging and DROP the packet if you wish. (This
specifically drops ssh packets. But it can be triggered by almost any attempt
to connect to your system, whether it fails or not.) Got no logging drop
the second line and its continuations. To DROP instead of REJECT change
the third line's REJECT to DROP.
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 2 -j LOG --log-prefix 'SSH REJECT: ' \
--log-level info
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack \
--rcheck --seconds 60 --hitcount 2 -j REJECT --reject-with tcp-reset
If the normal traffic to the site is really light 180 seconds works nice.
If it's quite light 60 seconds is fine. If it's modest perhaps 10 seconds
is OK. I'd not use it on a site with Google level traffic, of course.
{^_^}
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
