RHEL7: How to mitigate HTTP attacks.


If it is not possible to stop an HTTP attack against one of your servers, you can at least rate-limit it at the firewall.

Here, we will stop a source address from opening more than 30 new connections to port 80 of your server within 60 seconds (it's up to you to decide the values of these two parameters). Once the 30th hit within the window is reached, every further connection attempt from that address is rejected, and because the rejecting rule refreshes the address's timestamp on each attempt, an attacker who keeps hammering the server stays blocked. Only a source that backs off for 60 seconds gets through again.

This tutorial uses the --direct option of the firewall-cmd command and doesn't require any reboot.

Create the /etc/modprobe.d/xt.conf file and paste the following line:

options xt_recent ip_pkt_list_tot=30

Note: By default, xt_recent remembers only the last 20 packets per source address (ip_pkt_list_tot=20), and a --hitcount larger than that can never be reached. As we need 30 hits in the example, we have to raise this limit (the maximum is 255).

Load the xt_recent module:

# modprobe xt_recent

Note: If you need to change the xt_recent configuration later, unload the module (modprobe -r xt_recent) and load it again. The unload fails with "Module xt_recent is in use" as long as any firewall rule still references -m recent, so remove the two rules below (and reload firewalld) before changing the parameter, then add them back.

Add the following two rules to the firewall configuration:

# /bin/firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct \
  0 -p tcp --dport 80 -m state --state NEW -m recent --set
success
# /bin/firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct \
  1 -p tcp --dport 80 -m state --state NEW -m recent --update \
  --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset
success
# firewall-cmd --reload
success

Note1: firewalld's INPUT chain jumps to INPUT_direct before the zone chains (INPUT_ZONES), so direct rules are evaluated before any zone rule. Packets of already established connections are accepted earlier by firewalld's conntrack rule, which is fine here because both rules only look at NEW connections.
Note2: 0 and 1 are the priorities of the rules in the INPUT_direct chain; lower values are evaluated first, so the --set rule that records the source runs before the --update rule that checks the count and rejects.
Note3: The count is keyed on the source address, so many clients behind one NAT address share a single budget of 30 connections per minute. The rules above are IPv4 only; if the server also listens on IPv6, add the same pair with ipv6 instead of ipv4.

Check that your rules are correctly registered:

# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter INPUT_direct 0 -p tcp --dport 80 -m state --state NEW -m recent --set
ipv4 filter INPUT_direct 1 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset
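The following script is an added example and is not part of the original tutorial. It wraps the two direct rules above into parameterized helpers, checks the --hitcount against the module's ip_pkt_list_tot before applying them (the limit the modprobe note above works around), and reads the kernel's recent list from /proc/net/xt_recent to show which source addresses have accumulated how many hits, which is what you want to look at when a legitimate client complains about connection resets. PORT, WINDOW, HITS, LIST, the helper names and the sample list contents are this example's own choices; the field layout of the recent list is assumed from the kernel's xt_recent seq_show output.

```bash
#!/bin/bash
# Added example, not part of the original tutorial: helpers around the two
# firewall-cmd direct rules, a hitcount sanity check, and a reader for the
# kernel's recent list. PORT, WINDOW, HITS and LIST are assumed names.

PORT="${PORT:-80}"       # TCP port to protect
WINDOW="${WINDOW:-60}"   # --seconds: sliding window length
HITS="${HITS:-30}"       # --hitcount: new connections allowed per window and source
LIST="${LIST:-DEFAULT}"  # -m recent list name; DEFAULT is what the rules above use

# Succeeds (exit 0) when hitcount fits into the per-address timestamp list.
# xt_recent only remembers ip_pkt_list_tot packets per source, so a larger
# --hitcount could never be reached; that is why the tutorial raises the
# default of 20 to 30 in /etc/modprobe.d/xt.conf.
hitcount_ok() {
    local hits="$1" list_tot="$2"
    [ "$hits" -ge 1 ] && [ "$hits" -le "$list_tot" ]
}

# Print the two firewall-cmd invocations (same shape as in the tutorial) so
# they can be reviewed before they are piped to sh. Rule 0 records every new
# connection; rule 1 rejects with a TCP reset once the source has reached
# $hits new connections within $window seconds, refreshing its timestamp on
# every further attempt so a persistent attacker stays blocked.
rule_commands() {
    local port="$1" window="$2" hits="$3" list="$4"
    local chain="ipv4 filter INPUT_direct"
    echo "firewall-cmd --permanent --direct --add-rule $chain 0 -p tcp --dport $port -m state --state NEW -m recent --name $list --set"
    echo "firewall-cmd --permanent --direct --add-rule $chain 1 -p tcp --dport $port -m state --state NEW -m recent --name $list --update --seconds $window --hitcount $hits -j REJECT --reject-with tcp-reset"
}

# Read /proc/net/xt_recent/<list> on stdin and print "hits source", busiest
# first. The kernel prints one entry per address as
#   src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <stamp>, <stamp>, ...
# so the number of fields after the oldest_pkt index is the number of
# remembered hits (at most ip_pkt_list_tot). Layout assumed from the kernel's
# xt_recent seq_show output.
recent_hits() {
    awk '{
        first = 0
        for (i = 1; i <= NF; i++) if ($i == "oldest_pkt:") { first = i + 2; break }
        if (first == 0 || first > NF) next
        printf "%d %s\n", NF - first + 1, substr($1, 5)
    }' | sort -rn
}

# Constructed sample of a recent list with two tracked sources (not captured
# from a real system): 192.0.2.10 has three remembered hits, 198.51.100.7 one.
SAMPLE_RECENT='src=192.0.2.10 ttl: 64 last_seen: 4295234 oldest_pkt: 3 4295100, 4295150, 4295234
src=198.51.100.7 ttl: 128 last_seen: 4295300 oldest_pkt: 1 4295300'

# Run the parser over the constructed sample (offline demonstration).
demo_hits() {
    printf '%s\n' "$SAMPLE_RECENT" | recent_hits
}

# Drop one address from the kernel list (writing "-<ip>" removes it, "/" would
# flush the whole list), e.g. to unblock a legitimate client without touching
# the rules themselves.
recent_forget() {
    echo "-$1" > "/proc/net/xt_recent/$LIST"
}

main() {
    local list_tot
    list_tot=$(cat /sys/module/xt_recent/parameters/ip_pkt_list_tot 2>/dev/null || echo 20)
    case "$1" in
        apply)
            hitcount_ok "$HITS" "$list_tot" || {
                echo "hitcount $HITS exceeds ip_pkt_list_tot=$list_tot; raise it in /etc/modprobe.d/xt.conf" >&2
                return 1
            }
            rule_commands "$PORT" "$WINDOW" "$HITS" "$LIST" | sh && firewall-cmd --reload ;;
        show)   recent_hits < "/proc/net/xt_recent/$LIST" ;;
        forget) recent_forget "$2" ;;
        *)      echo "usage: $0 apply|show|forget <ip>" >&2; return 2 ;;
    esac
}

# Only act when invoked with a subcommand; sourcing the file just defines helpers.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `./ratelimit.sh apply` as root to install the rules, `./ratelimit.sh show` while the batch script below is running to watch the attacking address climb to 30 remembered hits, and `./ratelimit.sh forget 192.0.2.10` to release one address early. Setting LIST to something other than DEFAULT (e.g. LIST=http) keeps this counter separate from any other -m recent rules on the host, since every rule without --name shares the DEFAULT list.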

Test your configuration from another server with the following shell script (here called batch.sh). Each wget call opens a new TCP connection, so each iteration counts as one hit; after the 30th request within 60 seconds the REJECT rule answers with a TCP reset and wget reports "Connection refused".

#!/bin/bash

# Hammer the server with new connections; -nv keeps the output to one line
# per request and -O /dev/null avoids littering the directory with index.html files.
while true
do
    /usr/bin/wget -nv -O /dev/null "http://myserver.example.com/"
done

Note: Only do that on your own servers 😉

Source: firewall-cmd man page.
