If your server comes under attack, what can be done, and how can we prevent the server from going down under hammering from the attackers?
A few simple steps with pf can do magic instead of some hi-fi, pocket-crashing firewalls.
Say the server we want to protect is our web server.
Add the following to /etc/pf.conf:
# OK, all the attackers go into a persistent table backed by the file /etc/pf.blocklist, so
table <ftp-attacks> persist file "/etc/pf.blocklist"
# Block all incoming connections from the attackers in the table
block in quick on $ext_if from <ftp-attacks>
# Allow web server access with protection from hammering
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state (max-src-conn-rate 5/40, overload <ftp-attacks>)
So what are the previous lines going to do?
If any IP makes more than 5 connections in 40 seconds, that IP ends up in the pf table of hammerers, and whoever is in that table is blocked by the block in rule placed before the pass rule.
But this works only as long as the system doesn't restart and pf doesn't lose the table, so let's make it permanent by adding it to rc.shutdown:
# echo '/sbin/pfctl -t ftp-attacks -T show > /etc/pf.blocklist' >> /etc/rc.shutdown
Woah! Next time, even if the system reboots, we have the list of those guys who tried to hammer our web server.
See how easy and cool it is.
Yes, of course I came across it on the net and used it for my purpose.
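The rc.shutdown line above redirects straight into /etc/pf.blocklist, and the shell truncates that file before pfctl runs, so a failed pfctl leaves an empty blocklist. The following is an added example, not part of the original post: a safer way to save the table, where the function names clean_entries and save_table are hypothetical and the address check is deliberately loose.

```shell
#!/bin/sh
# Added example: persist a pf table dump without clobbering the old
# blocklist when the dump is empty or contains junk.

# Read a table dump on stdin, strip the leading whitespace that
# "pfctl -T show" prints, keep only lines shaped like an IPv4/IPv6
# address (optionally with a /prefix), then sort and de-duplicate.
clean_entries() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*)(/[0-9]{1,3})?$' |
    LC_ALL=C sort -u
}

# save_table DEST: write the cleaned dump from stdin to a temporary
# file next to DEST and rename it over DEST only if it is non-empty.
# mktemp creates the file with mode 0600; mv within one directory is
# atomic, so pf never sees a half-written list at the next boot.
save_table() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if clean_entries > "$tmp" && [ -s "$tmp" ]; then
        mv "$tmp" "$dest"
    else
        # Nothing usable came in: keep the previous blocklist as it is.
        rm -f "$tmp"
        return 1
    fi
}

# Intended use, as root, in place of the plain redirect
# (table name and file path are the ones used on this page):
#   /sbin/pfctl -t ftp-attacks -T show | save_table /etc/pf.blocklist
```

An empty table also leaves the old file in place, so entries removed by hand with pfctl need to be removed from the file as well.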