Re: [mod-security-users] Working Around Race Conditions in Persistent Storage
From: Reindl H. <h.r...@th...> - 2016-09-09 08:17:39
On 09.09.2016 at 00:56, Jose Pablo Valcárcel Lázaro wrote:
> In this link you will find an iptables rule for dos prevention:
> http://blog.bodhizazen.net/linux/prevent-dos-with-iptables/
>
> iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit
> --limit 50/minute --limit-burst 200 -j ACCEPT
>
> "Let's break that rule down into intelligible chunks.
>
> -p tcp --dport 80 => Specifies traffic on port 80 (Normally Apache, but
> as you can see here I am using nginx).
>
> -m state NEW => This rule applies to NEW connections.
>
> -m limit --limit 50/minute --limit-burst 200 -j ACCEPT => This is the
> essence of preventing DOS.
>
> "--limit-burst" is a bit confusing, but in a nutshell 200 new
> connections (packets really) are allowed before the limit of 50 NEW
> connections (packets) per minute is applied."

well, 50 connections per minute on a webserver is a joke since a typical site these days has a lot of scripts, images and different people are coming with the same IP through carrier-grade NAT on mobile networks :-)

frankly there was a reason why I posted *values from production servers* and not something completely unusable, 50/minute is pretty sure copied from an inbound mailserver and 25 replaced by 80 since there is hardly a service which has a real workload with more connections within a timeframe

it also makes no sense to apply that specifically to port 80

 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW recent: UPDATE seconds: 2 hit_count: 100 name: DEFAULT side: source mask: 255.255.255.255
    0     0 DROP       tcp  --  *      *      !192.168.196.0/24     0.0.0.0/0            tcp flags:0x17/0x02 #conn src/32 > 50
    0     0 DROP       tcp  --  *      *      !192.168.196.0/24     0.0.0.0/0            tcp flags:0x17/0x02 #conn src/24 > 150
    0     0 DROP       tcp  --  *      *      !192.168.196.0/24     0.0.0.0/0            tcp flags:0x17/0x02 #conn src/16 > 250
    0     0 DROP       tcp  --  *      *      !192.168.196.0/24     0.0.0.0/0            tcp flags:0x17/0x02 #conn src/8 > 500

echo "DOS-PROTECTION: No more than 100 NEW connections per 2 seconds per client IP"
iptables -I INPUT -p tcp ! -i lo -m conntrack --ctstate NEW -m recent --set
iptables -I INPUT -p tcp ! -i lo -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount 100 -j DROP
iptables -I INPUT -p tcp ! -i lo -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount 100 -m limit --limit 50/h -j LOG --log-level debug --log-prefix "Firewall Rate-Control: "
iptables -I INPUT -p udp ! -i lo -m conntrack --ctstate NEW -m recent --name udpflood --set
iptables -I INPUT -p udp ! -i lo -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount 100 -j DROP
iptables -I INPUT -p udp ! -i lo -m conntrack --ctstate NEW -m recent --name udpflood --update --seconds 2 --hitcount 100 -m limit --limit 50/h -j LOG --log-level debug --log-prefix "Firewall Rate-Control: "

echo "DOS-PROTECTION: No more than 50 CONCURRENT connections per IP (Slowloris)"
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 -m limit --limit 50/h -j LOG --log-level debug --log-prefix "Firewall Slowloris mask 32: "
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 32 -j DROP

echo "DOS-PROTECTION: No more than 150 CONCURRENT connections per /24 network"
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 150 --connlimit-mask 24 -m limit --limit 50/h -j LOG --log-level debug --log-prefix "Firewall Slowloris mask 24: "
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 150 --connlimit-mask 24 -j DROP

echo "DOS-PROTECTION: No more than 250 CONCURRENT connections per /16 network"
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 250 --connlimit-mask 16 -m limit --limit 50/h -j LOG --log-level debug --log-prefix "Firewall Slowloris mask 16: "
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 250 --connlimit-mask 16 -j DROP

echo "DOS-PROTECTION: No more than 500 CONCURRENT connections per /8 network"
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 500 --connlimit-mask 8 -m limit --limit 50/h -j LOG --log-level debug --log-prefix "Firewall Slowloris mask 8: "
iptables -A INPUT -p tcp --syn -m connlimit --connlimit-above 500 --connlimit-mask 8 -j DROP
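The three matches argued about in this thread behave quite differently, and the difference is easy to see by replaying the same constructed traffic through models of each. The simulation below is an added example, not code from the post or from the blog it quotes. It models the documented semantics only: `-m limit` is one token bucket shared by every packet that reaches the rule (no per-source state at all), `-m recent --update --seconds S --hitcount N` keeps a per-source list of timestamps and matches when N or more of them are younger than S seconds, and `-m connlimit` counts the connections currently open from the source's masked prefix (the new one included) and matches when that count exceeds the threshold. Jiffies rounding, conntrack timeouts and the exemption of 192.168.196.0/24 are left out; the IP addresses, the 60-subscriber carrier-grade NAT, the 6-connection page load and the flood sizes are all constructed inputs. The `ip_pkt_list_tot` check mirrors a real deployment caveat: xt_recent keeps at most that many stamps per source (module default 20), and older kernels refuse a `--hitcount` above it, so check `/sys/module/xt_recent/parameters/ip_pkt_list_tot` on the target host before loading a hitcount of 100.

```python
"""Added example: replay constructed traffic through models of xt_limit, xt_recent and
xt_connlimit to compare the 50/minute blog rule with the posted production values."""
from collections import defaultdict
from fractions import Fraction
import ipaddress


class XtLimit:
    """-m limit --limit R/minute --limit-burst B: ONE token bucket for every packet that
    reaches the rule.  There is no per-source state, so all clients drain the same bucket."""

    def __init__(self, per_minute, burst):
        self.refill = Fraction(per_minute, 60)   # tokens per second, exact arithmetic
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last = Fraction(0)

    def accept(self, t):
        t = Fraction(t)
        self.tokens = min(Fraction(self.burst), self.tokens + (t - self.last) * self.refill)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True      # rule matches -> ACCEPT
        return False         # bucket empty -> packet falls through to what follows


class XtRecent:
    """-m recent --update --seconds S --hitcount N, per source address.  Matches when the
    source already has N or more stamps younger than S seconds; every SYN then leaves a
    stamp, either via this rule (--update on match) or via the trailing --set rule."""

    def __init__(self, seconds, hitcount, ip_pkt_list_tot=100):
        # Caveat modelled here: the kernel keeps only ip_pkt_list_tot stamps per source
        # (module default 20) and older kernels refuse a hitcount above that value.
        if hitcount > ip_pkt_list_tot:
            raise ValueError("hitcount larger than ip_pkt_list_tot; raise the module parameter")
        self.seconds, self.hitcount, self.keep = seconds, hitcount, ip_pkt_list_tot
        self.stamps = defaultdict(list)

    def drop(self, src, t):
        recent = [s for s in self.stamps[src] if t - s <= self.seconds]
        hit = len(recent) >= self.hitcount
        self.stamps[src] = (self.stamps[src] + [t])[-self.keep:]
        return hit


class XtConnlimit:
    """-m connlimit --connlimit-above N --connlimit-mask M (one instance per tier).  Counts
    connections currently open from the source's /M prefix, the new one included, and
    matches when that count exceeds N.  A dropped SYN leaves no conntrack entry behind."""

    def __init__(self, above, mask):
        self.above, self.mask = above, mask
        self.open = defaultdict(set)

    def prefix(self, src):
        return ipaddress.ip_network(f"{src}/{self.mask}", strict=False)

    def would_drop(self, src):
        return len(self.open[self.prefix(src)]) + 1 > self.above

    def add(self, src, conn_id):
        self.open[self.prefix(src)].add((src, conn_id))


def blog_rule_vs_page_loads():
    """Constructed traffic: 60 subscribers behind one CGNAT address load a page that opens
    6 parallel connections, one subscriber per second, while an unrelated client opens one
    connection per second.  420 SYNs in 60 s against --limit 50/minute --limit-burst 200."""
    rule = XtLimit(per_minute=50, burst=200)
    accepted = bystander_dropped = 0
    for t in range(60):
        if rule.accept(t):           # the unrelated client shares the bucket...
            accepted += 1
        else:
            bystander_dropped += 1   # ...and loses SYNs once the NAT has drained it
        accepted += sum(rule.accept(t) for _ in range(6))   # one page load behind the NAT
    return {"total": 420, "accepted": accepted, "bystander_dropped": bystander_dropped}


def production_rule_vs_same_loads():
    """The same page loads against --update --seconds 2 --hitcount 100 (per source), then a
    constructed SYN flood of 300 packets from one address within the same instant."""
    rule = XtRecent(seconds=2, hitcount=100)
    legit_dropped = 0
    for t in range(60):
        legit_dropped += rule.drop("203.0.113.10", t)                      # unrelated client
        legit_dropped += sum(rule.drop("198.51.100.7", t) for _ in range(6))  # CGNAT address
    flood_dropped = sum(rule.drop("192.0.2.66", 0) for _ in range(300))
    return {"legit_dropped": legit_dropped, "flood_sent": 300, "flood_dropped": flood_dropped}


def slowloris_tiers():
    """The first two connlimit tiers from the post (/32 above 50, /24 above 150).  One host
    holds 80 idle connections; 20 hosts in another /24 hold 10 each (200 in total)."""
    tiers = [XtConnlimit(50, 32), XtConnlimit(150, 24)]

    def open_conn(src, conn_id):
        if any(tier.would_drop(src) for tier in tiers):
            return True
        for tier in tiers:
            tier.add(src, conn_id)
        return False

    single = sum(open_conn("192.0.2.66", i) for i in range(80))
    swarm = sum(open_conn(f"198.51.100.{h}", i) for h in range(1, 21) for i in range(10))
    return {"single_dropped": single, "swarm_dropped": swarm}


if __name__ == "__main__":
    print("blog rule      :", blog_rule_vs_page_loads())
    print("production rule:", production_rule_vs_same_loads())
    print("connlimit tiers:", slowloris_tiers())
```

The first scenario is the point of the reply above in numbers: the shared bucket admits the 200-packet burst and then roughly 50 SYNs a minute for the whole server, so ordinary page loads behind one NAT address starve an unrelated client as well. The per-source 100-in-2-seconds rule passes the same traffic untouched and still cuts a single-source flood to its first 100 SYNs; the connlimit tiers cap concurrent connections per host and per /24 independently.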