WebApp Sec mailing list archives
Re: fail2ban
From: Rafel Ivgi <rafelivgi () gmail com>
Date: Tue, 26 Oct 2010 08:17:50 +0200
Hi Kai,

If it is a plain old SYN attack, use:

    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

If the IP doesn't change and you just want to block it, use:

    iptables -I INPUT -s <bad_guy's_ip> -j DROP

If the attack is more like a SYN attack with a little HTTP logic, I suggest you start with mod_evasive for apache2.

An apache module - mod_evasive - it counts, "learns" and blocks the specific kind of attack you described:

Protecting Apache against DOS attack with mod_evasive
http://www.novell.com/coolsolutions/feature/19958.html

Install mod_evasive for Apache to Prevent DDOS Attacks
http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/

An Apache .htaccess file:
Simple solution on HTTP layer (this will not deny the TCP connection itself):

    <Limit GET HEAD PUT POST DELETE OPTIONS PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK PATCH>
    SetHandler server-status
    order allow,deny
    allow from all
    deny from <bad_guy's_ip>
    </Limit>

An apache module - mod_rewrite - use from an .htaccess file:
This should mostly be used if the IP is changing but stays in the same subnet patterns xxx.yyy.zzz

    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^xxx\.yyy\.zzz\.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$ [OR]
    RewriteCond %{REMOTE_ADDR} ^xxx\.yyy\.zzz\.1([0-1][0-9]|2[0-8])$
    RewriteRule .* - [F]

An Apache module - mod_security:

    SecFilterSelective "REMOTE_ADDR" "^<bad_guy's_ip>$"

http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/

In-Depth: Apache configuration

Decrease the Keep-Alive Time Window

    KeepAliveTimeout 10

Limit the amount of time someone can stay connected to the server with an existing connection

    MaxKeepAliveRequests 500

Limit the amount of data a client can post in the HTTP request/XML Request body, example of 100kb:

    LimitRequestBody 102400
    LimitXMLRequestBody 102400

Limit the amount of fields/parameters a client can post in the HTTP request body:

    LimitRequestFields 50

Limit the maximum size of each field/parameter a client can post in the HTTP request body:

    LimitRequestFieldSize 1024

Limit the maximum length allowed for a URI:

    LimitRequestLine 2048

Good Luck!
Rafel.

On Thu, Oct 21, 2010 at 5:40 PM, Kai Witzke <security () gaark de> wrote:
Hey everybody!

I have some serious problems with flooding attacks to my apache2. No problems with logins or syn floods, just a huge amount of simple requests to my server from the same ip. Anyone got a nice howto on that or maybe a nice regex prepared for counting such requests and blocking the greedy ones?

thanks in advance
Kai

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
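Added example, not part of Rafel's or Kai's messages: a sliding-window counter over Apache access-log lines that reports clients exceeding a request threshold, the kind of counting the question asks about and mod_evasive does inside the server. It assumes Common/Combined Log Format; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/Combined Log Format prefix: client IP, identd, user, [timestamp], "request
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_flooders(lines, max_requests=20, window_seconds=10):
    """Return {ip: peak count} for clients that sent more than
    max_requests within any sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> request timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, raw_ts = m.groups()
        try:
            ts = datetime.strptime(raw_ts, TS_FORMAT).timestamp()
        except ValueError:
            continue              # skip lines with an unparsable timestamp
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window_seconds:
            q.popleft()           # drop requests that fell out of the window
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def constructed_sample():
    """Constructed log lines (documentation-range IPs), not real traffic."""
    lines = []
    for i in range(30):           # 30 requests in 3 seconds from one client
        lines.append('192.0.2.10 - - [21/Oct/2010:17:40:%02d +0200] "GET / HTTP/1.1" 200 512' % (i // 10))
    for i in range(3):            # an ordinary visitor, one request every 20 seconds
        lines.append('198.51.100.7 - - [21/Oct/2010:17:40:%02d +0200] "GET /index.html HTTP/1.1" 200 2048' % (i * 20))
    lines.append("garbage line that does not match the log format")
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(find_flooders(constructed_sample()).items()):
        print("%s peaked at %d requests in the window" % (ip, peak))
```

The addresses it reports are candidates for the iptables or .htaccess deny rules quoted in the reply above.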