Thanks again Reindl :).

Kind regards


2013/9/19 Reindl Harald <h.reindl@thelounge.net>
i posted my iptables rules many times on several lists

you need to adjust the variables and test it in your environment
but that is from a production infrastructure with weekly audits

"iptables -A" may work with "iptables -I" for connlimit, wherever
i took it it was written that way and did not work, but that maybe
is caused by the way my whole firewall rules are generated in a large
shell-script distributed over 20 machines with if-blocks on hostname
___________________________________

there are basically *two* rule-blocks

* max connections per 2 seconds and IP
* max active connections per IP
* the echo starts the rule-block
* any other line starts with "iptables"
* so anything wrapped in the mail not starting with echo/iptables belongs to the previous one

RATE_CONTROL_MAX="150"
CONNECTION_MAX="50"
# LAN_RANGE (the trusted range exempt from these limits) must be set before this block runs
echo "DOS-PROTECTION: not more than $RATE_CONTROL_MAX new connections per two seconds and client-ip"
# -I inserts at the top of the chain, so after these three rules the order of evaluation is
# LOG check, DROP check, then --set
iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --set
iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 \
  --hitcount $RATE_CONTROL_MAX -j DROP
iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --update --seconds 2 \
  --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-prefix "Firewall Rate-Control: "
# the same for UDP, tracked in a separate "recent" list named udpflood
iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --set
iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update \
  --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP
iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate NEW -m recent --name udpflood --update \
  --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-prefix "Firewall Rate-Control: "
echo "DOS-PROTECTION: not more than $CONNECTION_MAX parallel connections to port 80/443"
# the connlimit rules are appended with -A (see the note above): LOG first, then DROP
iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit \
  --connlimit-above $CONNECTION_MAX -m limit --limit 100/h -j LOG --log-prefix "Firewall Slowloris: "
iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport --destination-port 80,443 --syn -m connlimit \
  --connlimit-above $CONNECTION_MAX -j DROP

On 19.09.2013 10:38, Jose Pablo Valcárcel Lázaro wrote:
> iptables v1.4.2: Unknown arg `(null)'
> Try `iptables -h' or 'iptables --help' for more information.
>
> As you see, he had problems when he tried to apply those rules, so I kept looking for some similar rules and I found
> them when I saw a DNS amplification attack prevention article here: http://blog.rootshell.ir/
>
> Straight from the iptables snippet code at that link I see these lines:
> # "|0000ff0001|" is the end of the queried name (00) followed by QTYPE ANY (00ff) and class IN (0001);
> # a source sending 5 such queries within 60 seconds is dropped
> iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
>   -m recent --set --name dnsanyquery --rsource
> iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 \
>   -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery --rsource -j DROP
>
> So finally, from those rules I guess someone could modify them in order to block brute-force attacks, not only with
> mod_security rules :) :
>
> I haven't tested it, but if someone could try it in a development environment, I would be thankful to hear that it
> works!!
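The two check modes seen in this thread, Reindl's "--update" rate-control rules and the "--rcheck" DNS ANY rules, behave differently against a source that keeps sending above the limit; the Python model below is an added example (not code from either poster, and a simulation rather than the xt_recent kernel module) that walks constructed packets through the check-then-set rule block. It assumes integer millisecond timestamps and a per-address history cap standing in for the module's ip_pkt_list_tot.

```python
from collections import defaultdict, deque

class RecentTable:
    """Model of one xt_recent list (DEFAULT, udpflood, dnsanyquery): a bounded
    history of hit timestamps per source address, in integer milliseconds."""

    def __init__(self, list_tot=20):  # the module's ip_pkt_list_tot default is 20
        self.list_tot = list_tot
        self.stamps = defaultdict(lambda: deque(maxlen=list_tot))

    def set(self, ip, now):  # --set: always matches and records a hit
        self.stamps[ip].append(now)
        return True

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: match when at least N recorded hits
        fall inside the last S seconds; the history itself is left untouched."""
        if hitcount > self.list_tot:  # old kernels refuse such a rule outright
            raise ValueError("hitcount exceeds the remembered history (ip_pkt_list_tot)")
        return sum(1 for t in self.stamps[ip] if now - t <= seconds * 1000) >= hitcount

    def update(self, ip, now, seconds, hitcount):
        """--update: like --rcheck, but a match also records the current hit, so a
        source that keeps sending above the limit never ages out of the block."""
        matched = self.rcheck(ip, now, seconds, hitcount)
        if matched:
            self.stamps[ip].append(now)
        return matched

def run_chain(events, seconds, hitcount, mode="update", list_tot=20):
    """Walk (time_ms, src_ip) NEW-connection packets through the block in the order
    Reindl's -I leaves it: the check rule DROPs on a match, otherwise --set records
    the hit (the non-terminating LOG rule is omitted). Returns verdicts in order."""
    table = RecentTable(list_tot)
    check = table.update if mode == "update" else table.rcheck
    verdicts = []
    for now, ip in events:
        if check(ip, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            table.set(ip, now)
            verdicts.append("ACCEPT")
    return verdicts

if __name__ == "__main__":
    # Constructed sample: one address opening 100 new connections/s for 5 s, run
    # against the 150 per 2 s limit above (history enlarged to hold that hitcount).
    flood = [(i * 10, "203.0.113.5") for i in range(500)]
    for mode in ("update", "rcheck"):
        print(mode, run_chain(flood, 2, 150, mode, list_tot=256).count("DROP"), "dropped")
```

With "--update" every dropped packet refreshes the history, so the flood stays blocked for as long as it lasts; with "--rcheck" the source gets another hitcount worth of packets through each time the old hits age out of the window.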


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users