RE: fail2ban

["Perry B. Whelan" <perry () commercev3 com>]

Kai,

You could consider using low-level kernel level parameters, provided by
netfilter (if Linux), to limit the traffic before ever reaching your
application..:

# Limit the number of incoming tcp connections
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp -i $IF0 -s $ANY -d $IP0 -m multiport --dport
80,443 --syn -j SYN_FLOOD

# Accounting by IP
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -m limit --limit 30/s --limit-burst
60 -j RETURN

# Catchall to shape SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 30/s --limit-burst 60 -j RETURN

# Simple logging
$IPTABLES -A SYN_FLOOD -j LOG \
        --log-prefix "IDS_SYN Flood: "

# If met, DROP in an accounted fashion...
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -j DROP

# Catchall to DROP
$IPTABLES -A SYN_FLOOD -j DROP


Regards,
Perry


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kai Witzke
Sent: Thursday, October 21, 2010 10:41 AM
To: webappsec () securityfocus com
Subject: fail2ban

Hey everybody!

I have some serious problems with flooding attacks to my apache2. No
problems with logins oder syn floods, just a huge amount of simple
requests to my server from the same ip. Anyone got a nice howto on that
or maybe a nice regex prepared for counting such requests and blocking
the greedy ones?

thanks in advance
Kai




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------