
Linux Limit number of connections [DoS prevention]

Code:
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

I did that and people are having issues with MC'ing, and sometimes even getting into the website. This seems more problematic than helpful. Your first suggestion had an issue with the -SYN command.
Help plx!

Simply increase connections/timeout numbers?
 
Code:
root@199:~# /etc/init.d/iptables save
-bash: /etc/init.d/iptables: Permission denied


Help please...
 
Very nice, Stian. Check your PM inbox. A quick help here:


tibia:~# iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
tibia:~# iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP
tibia:~# /etc/init.d/iptables save
-bash: /etc/init.d/iptables: No existe el fichero o el directorio
tibia:~# /etc/rc.d/iptables save
-bash: /etc/rc.d/iptables: No existe el fichero o el directorio

No existe el fichero o directorio -- The folder or file doesn't exist.


Edit: Added a file called iptables to /etc/init.d/, and when saving, the file keeps being empty.

It doesn't work when saving it, and when restarting the machine I have to type these DDoS commands again.

Edit 2: Also, after adding these commands, my online status on the website went off and now shows the server offline =( (using Modern AAC).

Edit 3: Also, if I type
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 50 -j DROP
It says
iptables: Invalid argument
 
Use the debian hack I posted.

And use the first or the last, not both of them. A fix for modern is to just add this:
iptables -I INPUT 1 -i lo -j ACCEPT

Code:
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

I did that and people are having issues with MC'ing, and sometimes even getting into the website. This seems more problematic than helpful. Your first suggestion had an issue with the -SYN command.
Help plx!

Increase the limits to suit your needs; it's a good way to limit MC too (you can always define the limit per port using "-p tcp --dport 7172").

Websites are having problems simply because they open a trillion connections to load images and such.
 
tibia:~# iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
tibia:~# iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 100 -j DROP
iptables: Invalid argument

I changed it to 100 hitcounts and saying invalid argument, what is wrong?
 
Any value over 20 gives "Invalid argument". But you can think like this:

hitcount / seconds = connections
So:
100 / 3 = 33
20 / 0.6 = 33
Or use the other command.

If you really need that command you need to:
Create the file /etc/modprobe.d/options (if it is not already there) and add the following text to track 100 (instead of 20) timestamps per address.
options ipt_recent ip_pkt_list_tot=100

Reload the module (The change is saved, so you don't have to do this next time):
rmmod ipt_recent
modprobe ipt_recent

A bit more RAM will be used per IP that connects to you, though it won't affect you much if you have any free memory :p
 
Code:
root@bido-desktop:/home/bido# iptables -I INPUT 1 -p tcp –syn -j conn-flood
Bad argument `–syn'
Try `iptables -h' or 'iptables --help' for more information.
root@bido-desktop:/home/bido# iptables -A conn-flood -m limit –limit 7/s –limit-burst 20 -j RETURN
Bad argument `–limit'
Try `iptables -h' or 'iptables --help' for more information.
root@bido-desktop:/home/bido# iptables -A conn-flood -j DROP
root@bido-desktop:/home/bido# iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
root@bido-desktop:/home/bido# iptables -A INPUT -p icmp -j DROP 
root@bido-desktop:/home/bido#

UP
 
Any value over 20 gives "Invalid argument". But you can think like this:

hitcount / seconds = connections
So:
100 / 3 = 33
20 / 0.6 = 33
Or use the other command.

If you really need that command you need to:
Create the file /etc/modprobe.d/options (if it is not already there) and add the following text to track 100 (instead of 20) timestamps per address.


Reload the module (The change is saved, so you don't have to do this next time):


A bit more RAM will be used per IP that connects to you, though it won't affect you much if you have any free memory :p


tibia:~# rmmod ipt_recent
ERROR: Module ipt_recent does not exist in /proc/modules
tibia:~# modprobe ipt_recent
tibia:~#

:S:S:S I made that file and got that error =(
 
It's not an error; you see that you hadn't loaded the module at all. But now it is loaded :)
 
You're using Debian?

Try this "hack":

Edit / make a file named:
/etc/network/if-pre-up.d/iptables
put:


chmod +x /etc/network/if-pre-up.d/iptables

So these are the steps on Debian:

1) First commands.
2) iptables-save > /etc/iptables.rules
3) Create /etc/network/if-pre-up.d/iptables and put:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules
4) chmod +x /etc/network/if-pre-up.d/iptables

That's right?
 
Inside config.php, there is a cache time. Make sure it's high enough.

Or add this:
iptables -I INPUT 1 -s 127.0.0.1 -j ACCEPT
 
Only to Help. (Debian)

First.
Code:
cd /etc/init.d/
touch firewall.sh
vi firewall.sh       (Or your editor)

Second, copy all these lines and paste them into firewall.sh
Code:
#!/bin/bash

#Starting Modules
modprobe ipt_recent

#Firewall
iptables -N conn-flood
# Send every new TCP connection (SYN) through the conn-flood chain
iptables -I INPUT 1 -p tcp --syn -j conn-flood
# Global (not per source) cap: 7 new connections/s with a burst of 20, rest dropped
iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A conn-flood -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP
# Per-source cap: more than 20 new connections within 3 seconds gets dropped.
# -I places these two at the top of INPUT, above the conn-flood jump.
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

To save and exit the editor.
Code:
:wq

Make the firewall executable
Code:
chmod +x firewall.sh

Now let's make the firewall start at boot.
Code:
update-rc.d firewall.sh defaults

Done.

I agree with your firewall configuration, Stian.
If anything goes wrong, post here :p

Cya

Don Daniello has rules for the firewall (anti-DDoS) too.
Code:
echo "Block TCP-CONNECT scan attempts (SYN bit packets)"
# Note: --syn matches every new inbound TCP connection, not only scans
iptables -A INPUT -p tcp --syn -j DROP
echo "Block TCP-SYN scan attempts (only SYN bit packets)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH SYN -j DROP
echo "Block TCP-FIN scan attempts (only FIN bit packets)"
iptables -A INPUT -m conntrack --ctstate NEW -p tcp --tcp-flags SYN,RST,ACK,FIN,URG,PSH FIN -j DROP

I never tested these rules.
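As an added example (not code from this thread or from Stian's firewall.sh), a POSIX sh helper that ties together the hitcount explanation above (ip_pkt_list_tot, the "Invalid argument" error) and the Debian persistence steps: it prints the per-source rules scoped to one port so the website on port 80 is left alone, refuses a --hitcount the recent module cannot track, and saves the ruleset the way the if-pre-up.d steps do. The function names (recent_rules, recent_max_hitcount, persist_rules), the RECENT_MAX override and the list name flood_PORT are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: per-port connection limit with the
# --hitcount ceiling checked up front, plus Debian-style persistence.
# recent_rules, recent_max_hitcount, persist_rules, RECENT_MAX: example's own names.

# Largest --hitcount the kernel accepts (ip_pkt_list_tot). RECENT_MAX
# overrides it for testing; otherwise read the loaded module, else assume
# the default of 20 that produced "Invalid argument" in the thread.
recent_max_hitcount() {
    if [ -n "${RECENT_MAX:-}" ]; then echo "$RECENT_MAX"; return 0; fi
    for f in /sys/module/xt_recent/parameters/ip_pkt_list_tot \
             /sys/module/ipt_recent/parameters/ip_pkt_list_tot; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    echo 20
}

# recent_rules PORT SECONDS HITCOUNT: print the iptables commands that drop a
# source opening more than HITCOUNT new connections to PORT within SECONDS.
# Returns 1 instead of emitting a rule iptables would reject.
recent_rules() {
    port=$1; seconds=$2; hitcount=$3
    for v in "$port" "$seconds" "$hitcount"; do
        case $v in ''|*[!0-9]*) echo "recent_rules: numeric PORT SECONDS HITCOUNT required" >&2; return 1 ;; esac
    done
    max=$(recent_max_hitcount)
    if [ "$hitcount" -gt "$max" ]; then
        echo "recent_rules: hitcount $hitcount > ip_pkt_list_tot=$max (iptables would say Invalid argument); raise it in /etc/modprobe.d or lower hitcount" >&2
        return 1
    fi
    # -I inserts at the top, so later lines are evaluated first:
    # lo ACCEPT (keeps the website's local status check alive), then the
    # DROP check, then the ACCEPT that records the new connection.
    echo "iptables -I INPUT -p tcp --dport $port -m state --state NEW,ESTABLISHED -m recent --name flood_$port --set -j ACCEPT"
    echo "iptables -I INPUT -p tcp --dport $port -m state --state NEW -m recent --name flood_$port --update --seconds $seconds --hitcount $hitcount -j DROP"
    echo "iptables -I INPUT 1 -i lo -j ACCEPT"
}

# Save the live ruleset and restore it before interfaces come up (Debian).
persist_rules() {
    iptables-save > /etc/iptables.rules
    printf '#!/bin/sh\n/sbin/iptables-restore < /etc/iptables.rules\n' \
        > /etc/network/if-pre-up.d/iptables
    chmod +x /etc/network/if-pre-up.d/iptables
}

# Usage as root: recent_rules 7172 3 20 | sh && persist_rules
```

Because each port gets its own recent list, the game port can be limited without touching port 80; a separate `recent_rules 80 ...` call with a looser value covers the website if needed.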
 
Inside config.php, there is a cache time. Make sure it's high enough.

Or add this:
iptables -I INPUT 1 -s 127.0.0.1 -j ACCEPT

And how do I save it together with the other configurations?

iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP
iptables -I INPUT 1 -s 127.0.0.1 -j ACCEPT


And also, how do I increase the max connections on port 80?
 