WebApp Sec mailing list archives
Re: fail2ban
From: robert () webappsec org
Date: Wed, 27 Oct 2010 18:02:09 -0400 (EDT)
Perry is correct. Using firewall based filtering is the ideal solution so as not to use web server resources. - Robert A. http://www.cgisecurity.com/ http://www.webappsec.org/ http://www.qasec.com/
Kai,
You could consider using low-level kernel level parameters, provided by
netfilter (if Linux), to limit the traffic before ever reaching your
application..:
# Limit the number of incoming tcp connections
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp -i $IF0 -s $ANY -d $IP0 -m multiport --dport
80,443 --syn -j SYN_FLOOD
# Accounting by IP
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -m limit --limit 30/s --limit-burst
60 -j RETURN
# Catchall to shape SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 30/s --limit-burst 60 -j RETURN
# Simple logging
$IPTABLES -A SYN_FLOOD -j LOG \
--log-prefix "IDS_SYN Flood: "
# If met, DROP in an accounted fashion...
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -j DROP
# Catchall to DROP
$IPTABLES -A SYN_FLOOD -j DROP
Regards,
Perry
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kai Witzke
Sent: Thursday, October 21, 2010 10:41 AM
To: webappsec () securityfocus com
Subject: fail2ban
Hey everybody!
I have some serious problems with flooding attacks to my apache2. No
problems with logins oder syn floods, just a huge amount of simple
requests to my server from the same ip. Anyone got a nice howto on that
or maybe a nice regex prepared for counting such requests and blocking
the greedy ones?
thanks in advance
Kai
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- fail2ban Kai Witzke (Oct 25)
- Re: fail2ban Adrian J Milanoski (Oct 25)
- Re: fail2ban Ryan Dewhurst (Oct 26)
- Re: fail2ban primehaxor (Oct 26)
- Re: fail2ban Ryan Dewhurst (Oct 26)
- Re: fail2ban Jamuse (Oct 26)
- Re: fail2ban Rafel Ivgi (Oct 26)
- Re: fail2ban Dale Stirling (Oct 26)
- RE: fail2ban Perry B. Whelan (Oct 26)
- Re: fail2ban robert (Oct 28)
- Re: fail2ban Adrian J Milanoski (Oct 28)
- <Possible follow-ups>
- Re: fail2ban Alexandro Silva (Oct 31)
- Re: fail2ban Adrian J Milanoski (Oct 25)