WebApp Sec mailing list archives

Re: fail2ban


From: Rafel Ivgi <rafelivgi () gmail com>
Date: Tue, 26 Oct 2010 08:17:50 +0200

Hi Kai,

If it is a plain old SYN attack, use:
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies

If the IP doesn't change and you just want to block it, use:
        iptables -I INPUT -s <bad_guy's_ip> -j DROP

If the attack is more like a SYN attack with a little HTTP logic, I
suggest you start with mod_evasive for apache2.

An apache module - mod_evasive - counts, "learns" and blocks the
specific kind of attack you described:

        Protecting Apache against DOS attack with mod_evasive
        http://www.novell.com/coolsolutions/feature/19958.html

        Install mod_evasive for Apache to Prevent DDOS Attacks
        http://www.mydigitallife.info/2007/08/15/install-mod_evasive-for-apache-to-prevent-ddos-attacks/

An Apache .htaccess file:
        Simple solution on HTTP layer (this will not deny the TCP connection itself):
                <Limit GET HEAD PUT POST DELETE OPTIONS PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK PATCH>
                        SetHandler server-status
                        order allow,deny
                        allow from all
                        deny from <bad_guy's_ip>
                </Limit>

        An apache module - mod_rewrite - use from an .htaccess file:

                This should mostly be used if the IP is changing but stays in the same subnet pattern xxx.yyy.zzz

                RewriteEngine On
                RewriteCond %{REMOTE_ADDR} ^xxx\.yyy\.zzz\.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$ [OR]
                RewriteCond %{REMOTE_ADDR} ^xxx\.yyy\.zzz\.1([0-1][0-9]|2[0-8])$
                RewriteRule .* - [F]

An Apache module - mod_security:
        SecFilterSelective "REMOTE_ADDR" "^<bad_guy's_ip>$"
        http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/

In-Depth: Apache configuration

        Decrease the Keep-Alive Time Window
        KeepAliveTimeout 10

        Limit the amount of time someone can stay connected to the server with an existing connection
        MaxKeepAliveRequests 500

        Limit the amount of data a client can post in the HTTP request/XML request body, example of 100 KB:
        LimitRequestBody 102400
        LimitXMLRequestBody 102400

        Limit the amount of fields/parameters a client can post in the HTTP request body:
        LimitRequestFields 50

        Limit the maximum size of each field/parameter a client can post in the HTTP request body:
        LimitRequestFieldSize 1024

        Limit the maximum length allowed for a URI:
        LimitRequestLine 2048


Good Luck!
Rafel.


On Thu, Oct 21, 2010 at 5:40 PM, Kai Witzke <security () gaark de> wrote:


Hey everybody!

I have some serious problems with flooding attacks to my apache2. No
problems with logins or SYN floods, just a huge amount of simple
requests to my server from the same ip. Anyone got a nice howto on that
or maybe a nice regex prepared for counting such requests and blocking
the greedy ones?

thanks in advance
Kai
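Kai asked for a regex that counts requests per IP and picks out the greedy ones; Rafel's reply covers the blocking side (iptables DROP, mod_evasive, mod_rewrite) but not the counting. The following is an added example, not code from either poster and not fail2ban's own filter: it parses Apache "combined" access-log lines with a regex written here, keeps a per-IP sliding window of timestamps, flags an IP the first time it exceeds a threshold inside the window, and renders the iptables rule from the reply above as a string (it never runs it). The log regex, the threshold of 20 requests in 10 seconds, the addresses 203.0.113.7 and 198.51.100.4 and all log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format, for example:
#   203.0.113.7 - - [26/Oct/2010:08:17:50 +0200] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
# The regex is written for this example and captures only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"   # Apache's default %t timestamp layout


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)


class FloodDetector:
    """Sliding-window request counter per client IP.

    An IP is flagged the first time it exceeds max_requests requests
    inside any window_seconds interval; later hits from a flagged IP
    are ignored so a block rule is emitted only once.
    """

    def __init__(self, max_requests=20, window_seconds=10):
        self.max_requests = max_requests
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = []                # ips in the order they crossed the threshold

    def observe(self, ip, ts):
        """Record one request; return True if this request pushed the IP over the limit."""
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # evict hits that slid out of the window
            q.popleft()
        if len(q) > self.max_requests and ip not in self.flagged:
            self.flagged.append(ip)
            return True
        return False


def find_flooders(lines, max_requests=20, window_seconds=10):
    """Run log lines through the detector and return the flagged IPs."""
    det = FloodDetector(max_requests, window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue            # malformed line: skip it rather than abort
        det.observe(*parsed)
    return det.flagged


def block_rule(ip):
    """Render the iptables DROP rule from the reply above; a string only, never executed here."""
    return "iptables -I INPUT -s %s -j DROP" % ip


def make_sample_log():
    """Constructed sample: 25 hits from 203.0.113.7 in 5 seconds, 3 normal hits from 198.51.100.4."""
    base = datetime.strptime("26/Oct/2010:08:17:50 +0200", TS_FORMAT)
    lines = []
    for i in range(25):                       # five requests per second
        ts = (base + timedelta(seconds=i // 5)).strftime(TS_FORMAT)
        lines.append('203.0.113.7 - - [%s] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.21"' % ts)
    for i in range(3):                        # one request every 20 seconds
        ts = (base + timedelta(seconds=20 * i)).strftime(TS_FORMAT)
        lines.append('198.51.100.4 - - [%s] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' % ts)
    lines.append("not a log line at all")    # exercises the malformed-line path
    return lines


if __name__ == "__main__":
    for ip in find_flooders(make_sample_log()):
        print(block_rule(ip))
```

Run against a real access log with `find_flooders(open("/var/log/apache2/access.log"))` and review the printed rules before applying any of them; the sliding window (rather than a plain per-minute count) is what keeps a client that sends 15 requests at :59 and 15 at :00 from slipping through.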




This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------






