NetTipsDB

I’ve googled around, and found a few articles that might help solving a few problem that you most probably encounter if you’re hosting your own server on the internet, that are DOS and brute force attack. In this particular example, we will use iptables, to block Denial-of-Service and brute force attack.

IPtables have a special argument, limit and limit-burst that allow us to specify how much connection can be made to the host.

Blocking excessive syn packet

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

* This code limit only 1 syn packet allowed from one host in 1 second.

Blocking brute force attack (on ssh server)

iptables -I INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Limiting ICMP ping request

iptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP

The example above will limit only 1 ping connection to be made to the host in 1 second, and log it.

You should modify the rule accordingly to your environment. You may run your ssh server on another port, or you may want to implement it on FTP server as well. This is a few rules that you don’t want to miss out of your firewall script.

No related posts.