Hello,
up to CentOS 5.3 it was possible, to control new ip connections by
"recent", "seconds" and "hitcount"
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount
1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent
--update --seconds 60 --hitcount 1000 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
so that
- short time high new connections rate for the web server where
accepted, but not over a longer time.
E.g. CentOS 5.8 or CentOS 6.2 accept only
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount
15 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent
--update --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
So a complex web page with many small icons e.g. webmail pages initiate
the log in line 2 and drop in line 3 .
hitcount does not accept values of 25 or above:
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set
-p tcp --dport 80
[root@server~]# iptables -A INPUT -m state --state NEW -m recent
--update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix
"FW DROP IP Flood: "
iptables: Unknown error 4294967295
what can i do to protect the web server? Is there any any configuration
parameter to increase the values for hitcount?
Best regards Helmut Drodofsky
--
Viele Grüße
Helmut Drodofsky
Internet XS Service GmbH
Heßbrühlstraße 15
70565 Stuttgart
Geschäftsführung
Dr.-Ing. Roswitha Hahn-Drodofsky
HRB 21091 Stuttgart
USt.ID: DE190582774
Tel. 0711 781941 0
Fax: 0711 781941 79
Mail: info@xxxxxxxxxxxxxx
www.internet-xs.de
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
