On Tue 01/04/2003 at 19:34, Eric Marchionni wrote:
> does anybody know how to drop packets with
> destination-port 80 after a limit of connections
> has been reached?
> i'd like to deny access for the attacker as soon
> as a cgi-scan has been detected.

See the patch-o-matic iplimit match:
http://www.netfilter.org/documentation/pomlist/pom-base.html#iplimit

| Author: Gerd Knorr <kraxel@xxxxxxxxxxx>
| Status: ItWorksForMe[tm]
|
| This adds the CONFIG_IP_NF_MATCH_IPLIMIT match, which allows you to restrict the
| number of parallel TCP connections to a server per client IP address
| (or address block).
|
| Examples:
|
| # allow 2 telnet connections per client host
| iptables -p tcp --syn --dport 23 -m iplimit --iplimit-above 2 -j REJECT
|
| # you can also match the other way around:
| iptables -p tcp --syn --dport 23 -m iplimit ! --iplimit-above 2 -j ACCEPT
|
| # limit the nr of parallel http requests to 16 per class C sized
| # network (24 bit netmask)
| iptables -p tcp --syn --dport 80 -m iplimit --iplimit-above 16 \
|   --iplimit-mask 24 -j REJECT

I think it exactly fits your needs ;)

Note that someone has recently posted a patch to extend the iplimit match to UDP.

-- 
Cédric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
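The rules quoted above count parallel (currently open) TCP connections per client address or per address block, not a rate of new connections, and the `--iplimit-mask` option aggregates clients before counting. The following is an added model of that decision, written for this page; it is not code from the mailing-list post or from the netfilter iplimit module. It assumes a simple in-memory list of open connections stands in for the kernel's connection table, that the connection being opened is itself counted (so the (N+1)-th parallel connection is the first one "above N"), and that a non-matching SYN falls through to a permissive policy. The `IplimitRule`, `simulate` and event names are all hypothetical.

```python
"""Model of the patch-o-matic iplimit match (added example, not netfilter code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Conn = Tuple[str, int]  # (client_ip, dport) of one open TCP connection


@dataclass
class IplimitRule:
    """One `-p tcp --syn --dport D -m iplimit [!] --iplimit-above N --iplimit-mask M` rule."""
    dport: int
    above: int            # --iplimit-above N
    mask: int = 32        # --iplimit-mask M: prefix length applied to the client address
    invert: bool = False  # the "! --iplimit-above" form: match when NOT above N

    def block(self, ip: str) -> ipaddress.IPv4Network:
        # Clients are aggregated by the mask, e.g. mask=24 -> one class C sized block.
        return ipaddress.ip_network(f"{ip}/{self.mask}", strict=False)

    def matches(self, conns: List[Conn], syn_src: str) -> bool:
        """True if a new SYN from syn_src matches this rule given the open connections.

        Only connections to this rule's port count (assumption: the match is
        evaluated after `--dport`). The new connection is counted as well.
        """
        blk = self.block(syn_src)
        parallel = 1 + sum(
            1 for src, dport in conns
            if dport == self.dport and ipaddress.ip_address(src) in blk
        )
        is_above = parallel > self.above
        return (not is_above) if self.invert else is_above


def simulate(rule: IplimitRule, events: List[Tuple[str, str]],
             target: str = "REJECT", policy: str = "ACCEPT") -> List[str]:
    """Feed connection events through one rule and return the verdict per SYN.

    events: ("syn", ip) is a connection attempt to rule.dport,
            ("fin", ip) closes one open connection from ip.
    A matching SYN gets `target`; a non-matching one gets `policy` (the rest
    of the chain, assumed here to be a single verdict). Accepted connections
    stay in the table until a matching "fin" event, which is what makes the
    limit a cap on *parallel* connections rather than a rate limit.
    """
    conns: List[Conn] = []
    verdicts: List[str] = []
    for kind, ip in events:
        if kind == "fin":
            if (ip, rule.dport) in conns:
                conns.remove((ip, rule.dport))
            continue
        verdict = target if rule.matches(conns, ip) else policy
        if verdict == "ACCEPT":
            conns.append((ip, rule.dport))
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    # Constructed sample traffic: three hosts in 10.0.0.0/24, one in 10.1.0.0/24.
    http_per_class_c = IplimitRule(dport=80, above=2, mask=24)
    traffic = [("syn", "10.0.0.1"), ("syn", "10.0.0.2"), ("syn", "10.0.0.3"),
               ("syn", "10.1.0.1"), ("fin", "10.0.0.1"), ("syn", "10.0.0.3")]
    print(simulate(http_per_class_c, traffic))
    # The same traffic with the default /32 mask counts each host separately.
    print(simulate(IplimitRule(dport=80, above=2), traffic))
```

With `--iplimit-mask 24`, the third host in 10.0.0.0/24 is rejected even though it has no connection of its own, while the host in 10.1.0.0/24 is unaffected; once one of the first two connections closes, the rejected host gets in. Against a scanner that opens and closes connections one at a time this cap is never reached, which is the point to check before deploying it as a cgi-scan response.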