Quoting AMP Admin <ad...@ampprod.com>:
Does anyone use iptables or something to defend against attacks? Like if x
amount of requests per x amount of time send away. If so I would love some
examples. Thanks!

We use the following:

# Chain for offenders: log (rate-limited), remember the source, drop.
$IPTABLES -N SMTP-BLOCK
$IPTABLES -A SMTP-BLOCK -m limit --limit 1/m --limit-burst 3 -j LOG \
    --log-level notice --log-prefix "iptables SMTP-BLOCK "
$IPTABLES -A SMTP-BLOCK -m recent --name SMTPBLOCK --set -j DROP
# Sources blocked within the last 360 seconds stay blocked.
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --name SMTPBLOCK --rcheck --seconds 360 -j SMTP-BLOCK
# Record every new SMTP connection in the SMTP list.
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --name SMTP --set
# 15 new connections within 60 seconds send the source to SMTP-BLOCK.
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -m recent \
    --name SMTP --rcheck --seconds 60 --hitcount 15 -j SMTP-BLOCK
$IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

It creates a kind of trap for hosts which open too many connections in a
short timeframe. Be aware of the limitations:
- The recent module can only handle a limited number of entries to
compare, so if you have high traffic this list may overflow/cycle
before the offender gets caught.
- You must adjust the connection/time to match your needs.
- For larger sites you may have to adjust the size of the blocklist.
Regards
Andreas
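
Added example, not part of Andreas's post: a check for the list-size limitation mentioned above, reporting how full a recent-module list is and which sources have accumulated hits. It assumes the xt_recent module (listing under /proc/net/xt_recent/<name>, entry limit in the ip_list_tot parameter, default 100); the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/xt_recent/<name> line format.
# Addresses are documentation ranges; timestamps (jiffies) are made up.
sample_listing() {
    cat <<'EOF'
src=192.0.2.10 ttl: 52 last_seen: 4295001200 oldest_pkt: 3 4295000100, 4295000700, 4295001200
src=198.51.100.7 ttl: 49 last_seen: 4295001900 oldest_pkt: 1 4295001900
src=203.0.113.45 ttl: 55 last_seen: 4295002400 oldest_pkt: 4 4295002100, 4295002200, 4295002300, 4295002400
EOF
}

# recent_usage CAPACITY < listing
# Prints entry count, capacity and percent used.
# Returns 1 when the list is at least 80% full (old entries get recycled soon).
recent_usage() {
    awk -v cap="$1" '
        /^src=/ { n++ }
        END {
            pct = (cap > 0) ? int(n * 100 / cap) : 0
            printf "entries=%d capacity=%d used=%d%%\n", n, cap, pct
            exit (pct >= 80)
        }'
}

# sources_with_hits MIN < listing
# Prints each source holding at least MIN stored timestamps.
# Fields 1-7 are src, ttl, last_seen and oldest_pkt; the rest are timestamps.
# The module keeps at most ip_pkt_list_tot (default 20) timestamps per source,
# so a --hitcount above that value can never match.
sources_with_hits() {
    awk -v min="$1" '/^src=/ && NF - 7 >= min { sub(/^src=/, "", $1); print $1 }'
}

# Live use with the SMTP list from the rules above:
#   cap=$(cat /sys/module/xt_recent/parameters/ip_list_tot)
#   recent_usage "$cap" < /proc/net/xt_recent/SMTP || echo "SMTP list nearly full"
sample_listing | recent_usage 100
sample_listing | sources_with_hits 3
```

If the list runs close to capacity during normal traffic, load the module with a larger ip_list_tot (for example through an options line in /etc/modprobe.d) before relying on the block rules.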