Linux Security

Denial Of Service: iptables Defense

Servers sometimes get hit with what are known as DoS (denial-of-service) attacks. The offending IP address is usually readily available in the logs of the server being hit. If your SSH server is being hit with a brute-force DoS, the easiest thing to do is block the IP using iptables like so:

# iptables -A INPUT -s <offending-ip-address> -j DROP

The above command simply adds a packet filter that blocks all incoming traffic from the offending IP. This is enough to stop a DoS attack from a single source, but one may wish to automate the process of blocking offenders. Note: this must be done with care so as not to block people who are just trying to visit your site; depending on the application you're hosting, you might have to tweak your connection limits to make sure of that. Also be aware that there are daemons such as fail2ban that use iptables in conjunction with logs to block offending IP addresses. Here we will focus on just iptables to achieve this goal.

# iptables -A INPUT -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 100 -j DROP

In the above example we're limiting the number of simultaneous connections (new SYN packets) from a single IP address to 100 (a SYN packet initiates a RELATED or ESTABLISHED connection between the server and client). This rule is effective against a SYN flood attack, where the client machine never responds to the SYN-ACK that the server sends and so keeps the server from releasing the resources it is holding while waiting for a response.

"-p tcp --syn"

tells iptables that this filter applies specifically to TCP SYN packets

"-m multiport --dports 80,443"

tells iptables that this filter applies only to packets with a destination port of 80 or 443

"-m connlimit --connlimit-above 100"

tells iptables to match when the number of existing connections from the same source IP is above 100.

connlimit and multiport are match modules from the iptables-extensions module set.
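The following shell script is an added example, not code from the original article: it automates the per-IP DROP rule from the start of the article by counting "Failed password" entries per source IP in SSH log lines, and it builds the SYN/connlimit rule with correct double-dash option syntax. The log lines are constructed sample data in OpenSSH's format (203.0.113.7, 198.51.100.9 and 192.0.2.10 are documentation addresses); the ALLOWLIST variable, the APPLY_RULES switch and the threshold of three failures are assumptions for the example. Rules are only printed unless APPLY_RULES=1 is set, so they can be reviewed before touching the firewall.

```shell
#!/bin/sh
# Added example, not from the original article: turn failed-SSH-login log
# lines into per-IP iptables DROP rules, and build the SYN/connlimit rule with
# correct double-dash option syntax. Commands are printed (dry run) unless
# APPLY_RULES=1 is set, so rules can be reviewed before anything is applied.

# Constructed sample auth log lines in OpenSSH "Failed password" format.
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real hosts.
SAMPLE_AUTH_LOG='Jan 10 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 10 10:00:04 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Jan 10 10:00:05 host sshd[1205]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jan 10 10:00:06 host sshd[1206]: Accepted password for alice from 198.51.100.9 port 40002 ssh2'

# Assumed allowlist (space separated): source IPs that must never be blocked
# automatically, e.g. your own office or monitoring hosts.
ALLOWLIST="192.0.2.10"

# is_allowlisted <ip>: succeeds if the IP appears in ALLOWLIST.
is_allowlisted() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# offenders <threshold>: read log lines on stdin and print each non-allowlisted
# source IP that has at least <threshold> "Failed password" entries.
offenders() {
    grep 'Failed password' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c \
    | awk -v t="$1" '$1 >= t { print $2 }' \
    | while read -r ip; do
        is_allowlisted "$ip" || printf '%s\n' "$ip"
    done
}

# drop_rule <ip>: the per-IP block from the article, as a command string.
drop_rule() {
    printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
}

# connlimit_rule <ports> <limit>: the SYN/connlimit rule from the article.
connlimit_rule() {
    printf 'iptables -A INPUT -p tcp --syn -m multiport --dports %s -m connlimit --connlimit-above %s -j DROP\n' "$1" "$2"
}

# run_rule <command>: print the command and execute it only when APPLY_RULES=1
# (assumes root and a real iptables binary in that case).
run_rule() {
    echo "$1"
    if [ "${APPLY_RULES:-0}" = "1" ]; then
        eval "$1"
    fi
}

# block_offenders <threshold>: emit a DROP rule for every offender found in
# the sample log (replace SAMPLE_AUTH_LOG with `cat /var/log/auth.log` for real use).
block_offenders() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders "$1" | while read -r ip; do
        run_rule "$(drop_rule "$ip")"
    done
}

# Dry-run demonstration: print the rules that would be applied.
connlimit_rule 80,443 100
block_offenders 3
```

With the sample data only 203.0.113.7 crosses the threshold of three failures; 198.51.100.9 has one failure followed by a successful login and is left alone, which is the kind of legitimate user the article's note warns about blocking.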
