[SLL] apache DOS vulnerability and iptables

Brian Lane bcl at brianlane.com
Sat Jun 20 23:17:51 PDT 2009



On 6/19/09 8:59 AM, Rohit Kumar Mehta wrote:
> I'm sure there are many among us who want their apache servers to stay 
> available, so this is alarming news:
> http://it.slashdot.org/story/09/06/19/1243203/Attack-On-a-Significant-Flaw-In-Apache-Released?from=rss
> http://isc.sans.org/diary.html?storyid=6601
> 
> I tested this against a non-production server and it was completely 
> easy to do. The server was not responding to web requests in less than a
> few minutes.
> 
> I would think one should be able to protect against this by limiting the 
> maximum number of connections from a single ip.  My iptables-fu is not 
> as powerful as it should be.  Does anyone else know how to do this?

I've used this to block port 22 scan attempts before:

# Drop new connections from a source if 20 or more arrived in the last 60 seconds
# (rule 1 records every new connection; rule 2 checks the window and drops)
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW \
   -m recent --set --name SSH
-A RH-Firewall-1-INPUT -p tcp --dport 22 -m state --state NEW \
   -m recent --update --seconds 60 --hitcount 20 --rttl --name SSH -j DROP

According to my notes it came from here:

http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Brian


-- 
---[Office 73.8F]--[Outside 54.5F]--[Server 106.8F]--[Coaster 60.5F]---
Software, Linux, Microcontrollers             http://www.brianlane.com
AIS Parser SDK                                http://www.aisparser.com



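As an added illustration, not code from the thread or from either poster, the following Python model reproduces what the two `recent`-module rules above actually decide over a stream of new connections: the `--set` rule records every new connection from a source address, and the `--update --seconds 60 --hitcount 20` rule drops once 20 stamps from that address fall inside the 60-second window. The kernel's xt_recent keeps at most ip_pkt_list_tot timestamps per address (default 20), which is why `--hitcount` cannot usefully exceed that without raising the module parameter; the `--rttl` TTL check is left out of the model. The sample traffic and the addresses (documentation ranges) are constructed. Adapting the rules to Apache is a matter of changing `--dport 22` to `--dport 80`, but note what they limit: the rate of new connections per source, whereas the Slowloris-style attack in the linked articles works by holding many connections open with partial requests, so a cap on concurrent connections per source (`-m connlimit --connlimit-above N`) is the closer fit for the question asked, and the two can be used together.

```python
from collections import deque

# Constructed model of the iptables "recent" match used in the two rules above:
#   rule 1: -m recent --set --name SSH          (record this source address + timestamp)
#   rule 2: -m recent --update --seconds 60 --hitcount 20 --name SSH -j DROP
# The kernel keeps at most ip_pkt_list_tot timestamps per address (default 20);
# --rttl (the TTL must also match the recorded one) is not modelled here.

PKT_LIST_TOT = 20  # kernel default for xt_recent's per-address timestamp list


class RecentList:
    """Approximation of one named xt_recent table (e.g. --name SSH)."""

    def __init__(self, seconds, hitcount, pkt_list_tot=PKT_LIST_TOT):
        self.seconds = seconds
        self.hitcount = hitcount
        self.pkt_list_tot = pkt_list_tot
        self.stamps = {}  # source address -> deque of recent packet times

    def set(self, addr, now):
        """--set: add the address (or refresh it) and record this packet's time."""
        q = self.stamps.setdefault(addr, deque())
        q.append(now)
        while len(q) > self.pkt_list_tot:  # the oldest stamp is overwritten in the kernel
            q.popleft()

    def update(self, addr, now):
        """--update with --seconds/--hitcount: match if at least hitcount packets from
        addr were seen within the last `seconds` seconds; a match records another stamp."""
        q = self.stamps.get(addr)
        if q is None:
            return False
        hits = sum(1 for s in q if now - s <= self.seconds)
        if hits >= self.hitcount:
            self.set(addr, now)  # --update refreshes the entry when it matches
            return True
        return False


def apply_rules(events, seconds=60, hitcount=20):
    """Run NEW-connection events (time, source address) through the two rules.
    Returns a list of (time, addr, verdict) with verdict "ACCEPT" or "DROP"."""
    table = RecentList(seconds, hitcount)
    verdicts = []
    for t, addr in sorted(events):
        table.set(addr, t)                  # rule 1: always records, never drops
        dropped = table.update(addr, t)     # rule 2: -j DROP when the window is full
        verdicts.append((t, addr, "DROP" if dropped else "ACCEPT"))
    return verdicts


def drops_per_address(verdicts):
    """Count DROP verdicts per source address."""
    counts = {}
    for _, addr, v in verdicts:
        counts.setdefault(addr, 0)
        if v == "DROP":
            counts[addr] += 1
    return counts


# Constructed sample traffic (times in seconds; addresses from documentation ranges):
#  - 192.0.2.10 opens 25 connections one second apart (a flood)
#  - 198.51.100.7 opens 5 connections ten seconds apart (a normal client)
#  - 203.0.113.5 opens 19 connections, then one more after the window has expired
SAMPLE_EVENTS = (
    [(t, "192.0.2.10") for t in range(25)]
    + [(t * 10, "198.51.100.7") for t in range(5)]
    + [(t, "203.0.113.5") for t in range(19)]
    + [(100, "203.0.113.5")]
)

if __name__ == "__main__":
    for t, addr, v in apply_rules(SAMPLE_EVENTS):
        print(f"t={t:3d} {addr:14s} {v}")
    print(drops_per_address(apply_rules(SAMPLE_EVENTS)))
```

Running it shows the flooding address getting its 20th and later connections dropped (19 accepted, 6 dropped), the normal client untouched, and the third address accepted again once its earlier burst has aged out of the 60-second window; the same arithmetic applies whichever port the rules are attached to.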