  1. #1
    Join Date
    Jul 2005
    Posts
    55

    iptables automatic timed bans

    I have a website that from time to time gets DDoSed (usually with port 80 GET requests, since I have everything except ports 80 and 443 set to DROP in iptables). My problem is that as these attacks grow in size, I would like iptables to be able to dynamically ban IPs that are connected, say, more than 50 times within 30 seconds and then unban them again after, say, 10-20 minutes (to not keep huge iptables chains that clog valid incoming connections before they can reach the server).

    I have tried several scripts that people have that use commands like:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    in a cron every minute and then have nice banning and unbanning and even email the administrator with detail features (e.g. DoS-Deflate, which is very nice but a little out of date, as it uses APF or IPT). Although I would not mind editing this very nice script to run every 15-30 seconds instead of every minute (smallest time unit capable with cron?) and to use the new iptables commands instead, but I was under the impression that this sort of functionality was already built into the new version of iptables. Am I wrong about this?

    Are there any other suggestions for this sort of functionality? Any input would be greatly appreciated.

  2. #2
    Join Date
    Jul 2009
    Posts
    69
    You may want to try DDoS-Deflate. It's free, and is known as the most reliable unpaid software to mitigate attacks.

    http://deflate.medialayer.com/

    You can customize the number of connections before a ban, to use APF or iptables, ban length etc. by running

    pico /usr/local/ddos/ddos.conf

    after installation. You can also run it manually by using

    sh /usr/local/ddos/ddos.sh

    Edit: sorry, didn't see the part where you didn't want to use this.
    Last edited by TimC; 10-02-2009 at 02:10 PM.

  3. #3
    Join Date
    Jul 2005
    Posts
    55
    I don't mind using this software, it actually is pretty slick. I was just wondering if there was some functionality built into iptables or if I should go about modifying DoS-Deflate to suit my specific needs.

    I also had a question about the whitelisting feature (in ignore.ip.list): it seems you can only add one IP address per line, but I need to whitelist ranges like 10.0.0.0/8, and there seems to be no documentation anywhere about how to do things like this.

  4. #4
    Join Date
    Jul 2009
    Posts
    69
    You can change the setting in DoS-Deflate to use iptables, rather than APF, if that is what you're after.

  5. #5
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    433
    Quote Originally Posted by cipherus View Post
    I would like iptables to be able to dynamically ban ip's that are connected say more than 50 times within 30 seconds and then unban them again after say 10-20 minutes (to not keep huge iptable chains to clog valid incoming connections before they can reach the server).
    It's possible as, by default, iptables uses the 'recent' module which can keep track of IPs by saving them in one or more lists (the 'limit' module can't).
    However, if you want to check for up to 50 connections per IP, you will have to increase the ip_pkt_list_tot value (that is the '--hitcount' parameter) as it is limited by default to 20.

    You can check its current value with the command:
    Code:
    # cat /sys/module/ipt_recent/parameters/ip_pkt_list_tot
    In newer kernels, it was renamed 'xt_recent':
    Code:
    # cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
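The 'recent'-module approach described above, written out as an added example (not code from the thread or from any of the tools mentioned in it): a POSIX shell script that prints, or with --apply loads, a rule set that bans a source for 600 seconds once it opens 50 new port-80 connections within 30 seconds, and that first checks that ip_pkt_list_tot is large enough for the hitcount. The chain and list names (HTTP_FLOOD, HTTP_BAN, HTTP_SEEN, HTTP_BANNED) are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example: timed bans with iptables' xt_recent match.
# Without --apply the rules are only printed (dry run); --apply pipes them
# into sh and must run as root.

# Print the rules for: port $1, window $2 s, $3 new connections within the
# window trigger a ban, ban lasts $4 s.
# --rcheck on HTTP_BANNED does not refresh the entry, so the ban expires
# $4 s after it was set even if the source keeps retrying.
# --syn counts new connections rather than every packet.
flood_rules() {
    port=$1; window=$2; hits=$3; ban=$4
    cat <<EOF
iptables -N HTTP_FLOOD
iptables -N HTTP_BAN
iptables -A INPUT -p tcp --dport $port --syn -j HTTP_FLOOD
iptables -A HTTP_FLOOD -m recent --name HTTP_BANNED --rcheck --seconds $ban -j DROP
iptables -A HTTP_FLOOD -m recent --name HTTP_SEEN --set
iptables -A HTTP_FLOOD -m recent --name HTTP_SEEN --update --seconds $window --hitcount $hits -j HTTP_BAN
iptables -A HTTP_BAN -m recent --name HTTP_BANNED --set -j DROP
EOF
}

# The module keeps at most ip_pkt_list_tot timestamps per address (default 20),
# so --hitcount cannot exceed it. $1 is the wanted hitcount; $2 optionally
# overrides the sysfs path (used here for offline testing with a constructed
# file). Returns 1 when the value is too small, 2 when the module is not loaded.
# Note: ip_list_tot (default 100 addresses per list) may also need raising
# during an attack from many sources.
check_pkt_list_tot() {
    want=$1
    f=${2:-/sys/module/xt_recent/parameters/ip_pkt_list_tot}
    [ -r "$f" ] || { echo "xt_recent not loaded ($f missing)"; return 2; }
    have=$(cat "$f")
    if [ "$have" -lt "$want" ]; then
        echo "ip_pkt_list_tot=$have < $want: put 'options xt_recent ip_pkt_list_tot=$want'" \
             "in /etc/modprobe.d/ and reload the module"
        return 1
    fi
    return 0
}

if [ "$1" = "--apply" ]; then
    check_pkt_list_tot 50 || exit 1
    flood_rules 80 30 50 600 | sh -e
else
    flood_rules 80 30 50 600
fi
```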
