From: "J. Bakshi"
Subject: Re: How to protect apache benchmarking attack ?
Date: Tue, 12 Jan 2010 15:33:03 +0530
To: Marek Kierdelewicz
Cc: netfilter@vger.kernel.org

J. Bakshi wrote:
> Marek Kierdelewicz wrote:
>>> Hello all,
>>>
>> Hello J.,
>>
>>> I am dared to see what "ab" (apache benchmarking tool) can do against
>>> an apache server. I have used the following against my server to check
>>> call handling
>>>
>> You can use hashlimit [1] match of iptables to limit concurrent
>> connections from single IP.
>>
>> [1] http://linux.die.net/man/8/iptables -> lookup hashlimit; note:
>> current versions of hashlimit can also use srcip as --hashlimit-mode;
>> that's probably what you want
>>
>> Cheers,
>> Marek Kierdelewicz
>>
> Hello Marek,
>
> thanks for your prompt reply. I'll look into the hashlimit as you
> suggest. Though a question in mind. Can it somehow affect the web
> access from general users? I need the protection but also don't like
> my protection makes the web service block general users somehow :-)
>
> Any real-life configuration is always Welcome.
>
> Thanks
>

What about modifying

    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

to

    iptables -A INPUT -m hashlimit -m tcp -p tcp --dport 80 \
        --hashlimit 200/sec --hashlimit-mode srcip --hashlimit-name http \
        -m state --state NEW -j ACCEPT

?

--
জয়দীপ বক্সী
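The question in the thread is whether the hashlimit rule above would hurt ordinary visitors. The following is an added example, not code from the mail or from netfilter: a small model of hashlimit's per-source credit bucket (credits in microseconds, refilled with wall time and capped at burst * cost, which is how xt_hashlimit accounts; burst defaults to 5) run over constructed traffic from one browsing user and one ab-style flood. The `drop_excess` switch shows the point the proposed rule misses: an ACCEPT that matches only up to the limit does nothing unless a DROP for the remaining NEW packets follows it.

```python
# Added example (not from the thread). Models iptables hashlimit's per-srcip
# credit bucket; rule text and traffic are constructed for illustration.

def hashlimit_rules(rate_per_sec=200, burst=5, name="http"):
    """The limited ACCEPT from the mail plus the DROP that must come after it."""
    limit = (f"iptables -A INPUT -p tcp --dport 80 -m state --state NEW "
             f"-m hashlimit --hashlimit {rate_per_sec}/sec --hashlimit-burst {burst} "
             f"--hashlimit-mode srcip --hashlimit-name {name} -j ACCEPT")
    drop = "iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j DROP"
    return [limit, drop]

class SrcBucket:
    """One hashlimit table entry (one source IP); credit is kept in microseconds."""
    def __init__(self, rate_per_sec, burst):
        self.cost = 1_000_000 // rate_per_sec   # credit one packet consumes
        self.cap = self.cost * burst            # burst packets' worth of credit
        self.credit = self.cap                  # a fresh entry starts full
        self.last_us = 0

    def match(self, now_us):
        self.credit = min(self.cap, self.credit + (now_us - self.last_us))
        self.last_us = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

def simulate(events_us, rate_per_sec=200, burst=5, drop_excess=True):
    """events_us: (time_us, srcip) per NEW SYN. Returns {srcip: (accepted, dropped)}."""
    table, stats = {}, {}
    for t, ip in sorted(events_us):
        bucket = table.setdefault(ip, SrcBucket(rate_per_sec, burst))
        acc, drp = stats.get(ip, (0, 0))
        # With no trailing DROP, over-limit SYNs fall through and are still accepted.
        if bucket.match(t) or not drop_excess:
            acc += 1
        else:
            drp += 1
        stats[ip] = (acc, drp)
    return stats

def sample_events():
    """Constructed traffic: a browsing user (10 SYNs in 2 s) and a flood (2000 SYNs in 1 s)."""
    user = [(i * 200_000, "192.0.2.10") for i in range(10)]
    flood = [(i * 500, "198.51.100.7") for i in range(2000)]
    return user + flood

if __name__ == "__main__":
    print("\n".join(hashlimit_rules()))
    print(simulate(sample_events()))            # user (10, 0); flood (204, 1796)
    print(simulate(sample_events(), drop_excess=False))
```

With the DROP in place the browsing user is never touched, while the flood is held to the burst plus 200 new connections per second; without it the flood gets every connection through.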