iptables templates

Damian Myerscough damian.myerscough at gmail.com
Fri May 25 14:14:45 UTC 2007


On 25/05/07, Mike McGrath <mmcgrath at redhat.com> wrote:
> seth vidal wrote:
> > Here's what I've used in the past.
> >
> > It allows connections for certain ports/places and then drops everything
> > else as the last item.
> >
> > http://linux.duke.edu/~skvidal/misc/iptables-template
> >
> > it's pretty painless, really.
> >
> > If we want to add explicit outbound rules, too, that's fine, but I'd
> > advise enabling logging b/c that stuff is easy to get wrong. :)
> >
> > This is just a sample but it's simple and straightforward.
> >
>
> Excellent.  I much prefer simple firewall rules where possible (it's not
> always possible :)
>
> One RFE:
>
> Could we have a commented section in there to rate limit some of the
> open ports (http immediately comes to mind)?  That way, if we get slammed
> again, we don't have to go figure out what we've done in the past; we can
> just uncomment it.
>
> What do you think?
>
>     -Mike
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>

Hey Mike,

For Apache, why not deploy the mod_evasive module? What is mod_evasive?

mod_evasive is an evasive maneuvers module for Apache to provide
evasive action in the event of an HTTP DoS or DDoS attack or brute
force attack. It is also designed to be a detection and network
management tool, and can be easily configured to talk to ipchains,
firewalls, routers, and etcetera. mod_evasive presently reports abuses
via email and syslog facilities.

I have finished university for the summer; would you like me to look
into deploying this next week? Does anyone have any objections to this?

-- 
Regards,
  Damian
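As an added example (not Seth's template and not code from this thread), a small POSIX shell script that emits a rule set in iptables-restore format in the spirit described above: allow a handful of ports, log a sample, and drop everything else as the last item, with the HTTP rate-limit section Mike asked for kept behind a variable instead of a comment block. The port list, rate and burst values are assumed placeholders, and the per-source limiting uses the iptables hashlimit match.

```shell
#!/bin/sh
# Added example, not the template from the thread. Emits an iptables-restore
# rule set: allow selected ports, log a sample, drop everything else last.
# The HTTP rate-limit section is toggled with RATE_LIMIT_HTTP=1 instead of
# being uncommented by hand. Port list, rate and burst are assumed values.

OPEN_TCP="${OPEN_TCP:-22 80 443}"      # assumed allowed TCP ports
HTTP_RATE="${HTTP_RATE:-50/sec}"       # assumed new-connection rate per source IP
HTTP_BURST="${HTTP_BURST:-100}"        # assumed burst allowance per source IP

# Print the rules; nothing is applied here.
build_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':LOGDROP - [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $OPEN_TCP; do
        if [ "$p" = 80 ] && [ "${RATE_LIMIT_HTTP:-0}" = 1 ]; then
            # Token bucket per source address: new connections within the
            # rate are accepted, the excess is logged and dropped.
            echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW" \
                 "-m hashlimit --hashlimit-name http --hashlimit-mode srcip" \
                 "--hashlimit-upto $HTTP_RATE --hashlimit-burst $HTTP_BURST -j ACCEPT"
            echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j LOGDROP"
        else
            echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        fi
    done
    # Last item: anything not matched above is logged (rate-limited) and dropped.
    echo '-A INPUT -j LOGDROP'
    echo '-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
    echo '-A LOGDROP -j DROP'
    echo 'COMMIT'
}

# Print the rule set by default; apply it atomically only when asked to.
case "${1:-}" in
    --apply) build_rules | iptables-restore ;;
    *)       build_rules ;;
esac
```

Run it without arguments to review the generated rules, and with `--apply` (as root) to load them in one atomic iptables-restore step.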
