09.08.2009, 20:16 | #1
Native resident
iptables rule

Today I ran into attacks on port 80 of my server. I immediately started searching the Internet for how to protect myself. First I looked for Apache modules and found some, but they are for the first version. Then I saw that you can protect yourself with iptables, started reading, and found these rules:

1) Limit connections to the web server: if more than 3 connections per second over a 2-minute interval.

    # iptables -A ext_tcp -p TCP --dport 80 -m state --state NEW -m recent --name fhttp --set
    # iptables -A ext_tcp -p TCP --dport 80 -m state --state NEW -m recent --name fhttp --update --seconds 120 --hitcount 360 -j DROP

2) Allow only 4 connections to port 22 within 60 seconds:

    # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
    # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

3) Limit of 20 requests per second for interface eth0:

    # iptables --new-chain bad
    # iptables --insert INPUT 1 -p tcp --destination-port 80 -i eth0 --jump bad
    # iptables --append bad -m limit --limit 20/sec --jump RETURN
    # iptables --append bad --jump DROP

4) Maximum of 10 simultaneous connections from one IP:

    # iptables -A INPUT -p tcp --dport 80 -m iplimit --iplimit-above 10 -j REJECT

5) Block more than 10 SYN:

    # iptables -I INPUT -p tcp --syn --dport 80 -m iplimit --iplimit-above 10 -j DROP

6) Limit of 20 connections per class C network:

    # iptables -A INPUT -p tcp --dport 80 -m iplimit --iplimit-above 20 --iplimit-mask 24 -j REJECT

Added 4 minutes 12 seconds later

P.S. This is a DDoS attack, right?

80.237.85.26 - - [09/Aug/2009:16:03:03 +0100] "POST /forum/search.php HTTP/1.1" 503 3037

ubuntu 7.10 iptables 1.3.6
Last edited by igrok; 09.08.2009 at 20:25.

09.08.2009, 20:52 | #2
Sneaky type
igrok, I can't tell you anything about the rules right now; somewhere at home on my laptop I have it written down in a notepad how to ban this with a trick. But I can say that your forum is being hammered through search. There are 2 ways out of this situation:

1. Close search for unregistered users.
2. Ban IP 80.237.85.26 via .htaccess. If it is only the one, this will be the simplest and most painless solution to the problem.

10.08.2009, 11:24 | #3
Native resident
I blocked the IP address, and the same flood started from another IP address, on the same path. I tried reinstalling the template on the forum, same thing! Any ideas?

P.S. I simply changed the name of the file they were connecting to; the forum is now without search :)

Last edited by igrok; 10.08.2009 at 11:36.
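
Post #3 reports that banning one address only moved the flood to another address on the same path. As an added example (not code from the thread), the script below counts requests per endpoint rather than per source IP, so the flood is still detected when the source changes. The log lines are constructed, the addresses are documentation-range placeholders, and the 10-second window and threshold of 20 are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format, as in the lines quoted in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    """Return (time, ip, 'METHOD path'), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], f'{m["method"]} {m["path"]}'

def find_floods(lines, by="endpoint", window_s=10, threshold=20):
    """Map each key (endpoint or ip) whose request count in any sliding
    window reaches `threshold` to (peak count, sorted source IPs)."""
    # Apache logs a request when it completes, so entries can be out of
    # order (as in the thread's log); sort by timestamp first.
    events = sorted(e for e in map(parse, lines) if e)
    windows = defaultdict(deque)
    peak, sources = defaultdict(int), defaultdict(set)
    for ts, ip, endpoint in events:
        key = endpoint if by == "endpoint" else ip
        win = windows[key]
        win.append((ts, ip))
        while ts - win[0][0] > timedelta(seconds=window_s):
            win.popleft()
        if len(win) >= threshold:
            peak[key] = max(peak[key], len(win))
            sources[key].update(src for _, src in win)
    return {k: (peak[k], sorted(sources[k])) for k in peak}

def sample_log():
    """Constructed input: two documentation-range IPs take turns flooding
    search.php (15 POSTs each), plus one ordinary GET from a third."""
    fmt = '{} - - [09/Aug/2009:16:03:{:02d} +0100] "{} HTTP/1.1" {}'
    post = "POST /forum/search.php"
    lines = [fmt.format("198.51.100.9", 1, "GET /forum/index.php", "200 5120")]
    lines += [fmt.format("203.0.113.7", 3 + i // 5, post, "503 3037") for i in range(15)]
    lines += [fmt.format("203.0.113.8", 6 + i // 5, post, "503 3037") for i in range(15)]
    return lines[::-1]  # reversed on purpose: input order must not matter

if __name__ == "__main__":
    print("per IP:      ", find_floods(sample_log(), by="ip"))
    print("per endpoint:", find_floods(sample_log(), by="endpoint"))
```

With this input neither address reaches the per-IP threshold, while the per-endpoint count does, which points at restricting the search page itself (option 1 in post #2) rather than at one more address to ban.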