Hello,
up to CentOS 5.3 it was possible to control new ip connections by "recent", "seconds" and "hitcount"
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 1000 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
so that a short-time high rate of new connections to the web server was accepted, but not over a longer time.
E.g. CentOS 5.8 or CentOS 6.2 accept only:
-A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
-A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 15 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
So a complex web page with many small icons, e.g. webmail pages, triggers the log in line 2 and the drop in line 3.
hitcount does not accept values of 25 or above:
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80
[root@server ~]# iptables -A INPUT -m state --state NEW -m recent --update --seconds 1 --hitcount 25 -p tcp --dport 80 -j LOG --log-prefix "FW DROP IP Flood: "
iptables: Unknown error 4294967295
What can I do to protect the web server? Is there any configuration parameter to increase the values for hitcount?
Best regards,
Helmut Drodofsky