WebApp Sec mailing list archives
Re: fail2ban
From: robert () webappsec org
Date: Wed, 27 Oct 2010 18:02:09 -0400 (EDT)
Perry is correct. Using firewall-based filtering is the ideal solution so as not to use web server resources.

- Robert A.
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/
Kai,

You could consider using low-level kernel level parameters, provided by netfilter (if Linux), to limit the traffic before ever reaching your application:

# Limit the number of incoming tcp connections
$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp -i $IF0 -s $ANY -d $IP0 -m multiport --dport 80,443 --syn -j SYN_FLOOD
# Accounting by IP
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -m limit --limit 30/s --limit-burst 60 -j RETURN
# Catchall to shape SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 30/s --limit-burst 60 -j RETURN
# Simple logging
$IPTABLES -A SYN_FLOOD -j LOG \
    --log-prefix "IDS_SYN Flood: "
# If met, DROP in an accounted fashion...
$IPTABLES -A SYN_FLOOD -s $ANY -d $IP0 -j DROP
# Catchall to DROP
$IPTABLES -A SYN_FLOOD -j DROP

Regards,
Perry

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Kai Witzke
Sent: Thursday, October 21, 2010 10:41 AM
To: webappsec () securityfocus com
Subject: fail2ban

Hey everybody!

I have some serious problems with flooding attacks to my apache2. No problems with logins or syn floods, just a huge amount of simple requests to my server from the same ip. Anyone got a nice howto on that or maybe a nice regex prepared for counting such requests and blocking the greedy ones?

thanks in advance
Kai

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
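Added example (not part of the thread or of fail2ban itself): a sketch of the per-IP request counting Kai asks about, which feeds the firewall-level blocking Robert and Perry recommend. It assumes Apache's common/combined log format with log lines in chronological order; the function names, thresholds and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of an Apache common/combined log line: client, ident, user, [time], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*"')

def find_flooders(lines, max_requests=5, window_seconds=10):
    """Map each client that sent more than max_requests within window_seconds
    to the timestamp of the request that crossed the limit."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                 # not an access-log entry
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue                 # hostname or garbage: never pass it to the firewall
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            flagged.setdefault(ip, ts)
    return flagged

def ban_commands(flagged):
    """Render one DROP rule per flagged address (returned as text, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

# Constructed sample log lines; addresses are from documentation ranges.
def _entry(ip, second):
    return f'{ip} - - [21/Oct/2010:10:41:{second:02d} +0200] "GET / HTTP/1.1" 200 512'

SAMPLE = (
    [_entry("203.0.113.7", n // 2) for n in range(12)]      # 12 requests in 6 s
    + [_entry("198.51.100.20", s) for s in (0, 20, 40)]     # 3 requests in 40 s
    + ['client.example.net - - [21/Oct/2010:10:41:00 +0200] "GET / HTTP/1.1" 200 1']
)

if __name__ == "__main__":
    for cmd in ban_commands(find_flooders(SAMPLE)):
        print(cmd)
```

The client field is validated as an IP address before it reaches a firewall command, because anything taken from a log line is attacker-influenced input.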