Sep 15, 2008

Prevent DoS attack in Linux using IPTABLES

A major problem facing mail server admins is DoS (Denial of Service) attacks. Hackers will try to mess with the most popular ports of UNIX/Linux machines. We can prevent this by writing an iptables rule on the server. The way it works: if someone keeps making new connections to a specified port, the rule blocks that IP address permanently. Here I describe securing port 25 (SMTP); you can use your own port.

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP


This will block any IP address that keeps connecting to port 25, i.e. makes 4 SMTP connections within 60 seconds. You can change the port and the interval here.
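To see what --update --seconds 60 --hitcount 4 actually decides, here is a small awk model of the recent module's timestamp list. It is an added example written for this page, not part of the original post or of iptables, and it assumes the rule order the two commands above leave in the INPUT chain (the --update DROP rule ahead of the --set rule). The trace, the addresses and the function names simulate_recent and verdicts are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from iptables): an awk model of
# what the "recent" module decides for the rule pair above, which -I leaves in
# this order in the INPUT chain:
#   -m recent --update --seconds S --hitcount H -j DROP   (checked first)
#   -m recent --set                                       (checked second)
# The kernel keeps a list of timestamps per source address. A packet matches
# the --update rule (and is dropped) when at least H of those timestamps fall
# inside the last S seconds; --update then adds the current time to the list.
# If it does not match, the --set rule adds the current time instead. So every
# NEW connection is recorded either way, which is why a source that keeps
# retrying keeps its own block alive.

# simulate_recent SECONDS HITCOUNT
#   stdin:  "<seconds-since-start> <source-ip>" per NEW connection, in time order
#   stdout: "<time> <ip> ACCEPT|DROP"
simulate_recent() {
  awk -v seconds="$1" -v hitcount="$2" '
  {
    t = $1; ip = $2; hits = 0
    # count the timestamps of this source that are still inside the window
    for (i = 1; i <= n[ip]; i++)
      if (t - stamp[ip, i] <= seconds) hits++
    verdict = (hits >= hitcount) ? "DROP" : "ACCEPT"
    # record the packet (done by --update on a match, by --set otherwise)
    n[ip]++; stamp[ip, n[ip]] = t
    print t, ip, verdict
  }'
}

# Constructed trace (documentation addresses, not real traffic): one source
# opens a connection every 10 seconds, a second source connects once, and the
# first source comes back after being quiet for 80 seconds.
TRACE='0 198.51.100.7
10 198.51.100.7
20 198.51.100.7
30 198.51.100.7
40 198.51.100.7
45 192.0.2.25
50 198.51.100.7
60 198.51.100.7
140 198.51.100.7'

# verdicts SECONDS HITCOUNT: the trace verdicts on one space-separated line
verdicts() {
  printf '%s\n' "$TRACE" | simulate_recent "$1" "$2" | awk '{ print $3 }' | xargs echo
}

# With --seconds 60 --hitcount 4 the fifth connection inside the window is the
# first one dropped, the block holds while the source keeps retrying, and it
# lapses once 60 seconds have passed since the source's last attempt.
verdicts 60 4
# A lower --hitcount only moves the first DROP forward:
verdicts 60 3
```

The model shows the two points that matter in practice: the block is not permanent in itself but renews on every attempt because --update records the dropped packet too, and the unrelated second source is never affected. The same trace with --seconds 3600 would simply keep the window open for an hour after the last attempt.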

We can also log these IPs and use them later, for example to add the logged IPs to TCP Wrappers.
Do the following.

First of all, set your log daemon to log the iptables messages:

# vi /etc/syslog.conf

Add the following line at the end of the file (a selector and an action, no leading #, or syslog treats it as a comment):

kern.warning /var/log/iptables.log

Then create the log file:

# touch /var/log/iptables.log

Restart the system log service:

# /etc/init.d/syslog restart (on Red Hat based systems such as CentOS)

Now add the rules. The --log-prefix and --log-level options belong to the LOG target, not to DROP, so the logging is a separate LOG rule placed in front of the DROP rule. Run the three commands in this order; because -I inserts at the top of the chain, the LOG rule ends up first, then DROP, then --set:

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix '** HACKERS **' --log-level 4

The LOG rule uses --rcheck so that only the DROP rule refreshes the timestamp list; --log-level 4 is warning, which matches the kern.warning selector above.

PERFECT. THE HACKERS ARE BEING LOGGED NOW!!!

The next stage is to add these logged IPs to TCP Wrappers (/etc/hosts.deny).

# grep -o 'SRC=[0-9.]*' /var/log/iptables.log | cut -d= -f2 | sort -u >> /root/badip.txt

The above line extracts the source IP from each log line and appends the unique addresses to badip.txt. It matches the SRC= field itself rather than a fixed field number, because the log prefix shifts the whitespace-separated fields that awk '{print $9}' would depend on.

Next, run this command at a frequent interval with the help of cron:

# vi /etc/crontab

*/1 * * * * root grep -o 'SRC=[0-9.]*' /var/log/iptables.log | cut -d= -f2 | sort -u >> /root/badip.txt

Here the job runs every minute. The file will grow rapidly to a large size if your server has heavy traffic, so clean up the file at frequent intervals; it is better to set up another cron job for that.

Next, add these IPs to the hosts.deny file:

# vi /etc/hosts.deny
sshd: /root/badip.txt

So things are clear: the cron job keeps the badip.txt list up to date, and TCP Wrappers blocks every address in it. A file name is a valid client pattern in hosts_access(5); keep in mind that only daemons built with libwrap, such as sshd, consult /etc/hosts.deny.
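The whole log-to-hosts.deny step, as an added example that is not part of the original post: it pulls the SRC= address out of iptables LOG lines regardless of field position, skips addresses on an allow list (so a spoofed SYN cannot get a legitimate relay denied), and builds the hosts_access(5) entry. The sample log lines, the addresses (documentation ranges), the allow list and the function names extract_src, bad_ips and hosts_deny_entry are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): extract the SRC= address from
# iptables LOG lines without depending on field positions, drop addresses on an
# allow list, and build the hosts.deny entry. Everything below is constructed
# for illustration; the addresses are documentation ranges, not real hosts.

# Four LOG lines in the kernel's format, as the '** HACKERS **' rule emits them
# (the prefix is printed directly in front of IN=, which is why the field
# numbers shift compared with an unprefixed LOG rule).
SAMPLE_LOG='Sep 15 10:01:02 mail kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51034 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 15 10:01:03 mail kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51035 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 15 10:02:17 mail kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 15 10:03:40 mail kernel: ** HACKERS **IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.25 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=33120 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0'

# Sources that must never be denied, e.g. your upstream relay, which a few
# spoofed SYNs could otherwise push into the list (space-separated; constructed).
ALLOW_LIST='192.0.2.25'

# extract_src: unique SRC= addresses from LOG lines on stdin, one per line.
# Matching the token itself works whatever the prefix does to the field count.
extract_src() {
  grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort -u
}

# bad_ips ALLOW: extract_src minus the allow-listed addresses.
bad_ips() {
  extract_src | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($0 in ok)'
}

# hosts_deny_entry DAEMON: one "daemon: addr, addr" line in hosts_access(5)
# syntax, built from the sample log. Only daemons linked with libwrap (sshd is
# one) consult /etc/hosts.deny, so this complements the iptables rule rather
# than replacing it.
hosts_deny_entry() {
  list=$(printf '%s\n' "$SAMPLE_LOG" | bad_ips "$ALLOW_LIST" | paste -s -d ',' - | sed 's/,/, /g')
  printf '%s: %s\n' "$1" "$list"
}

hosts_deny_entry sshd
```

On a real server the pipeline reads /var/log/iptables.log instead of SAMPLE_LOG, and the cron job from the article would append bad_ips output to /root/badip.txt; keeping the allow list outside that file is what stops a spoofed source address from locking out a server you depend on.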

14 comments:

Amit said...

This was really good.
But 4 connections in 60 seconds - is it a realistic scenario, or would 3 per 60 seconds make it safer?
I also have another requirement:
I want the IPs and MAC addresses of hosts who fail the above criteria to get automatically added to the hosts.deny list.
How could I do this?
Thanks

Anonymous said...

Hm... So if I'm a bad guy and I send you a few TCP SYN packets with a spoofed source address, can't I pretty much cause your firewall to permanently drop packets from a legitimate mail server?

Amit said...

Yes, you are right. This is a problem :)
Would adding legitimate server IPs to hosts.allow resolve the problem? I guess not, coz they would still be in the hosts.deny list.

Anonymous said...

Hi. Newbie, as you guess.

I got:

iptables v1.3.6: Unknown arg `--log-prefix'
Try `iptables -h' or 'iptables --help' for more information.

I've just upgraded the Debian packages. Some little help?

സമാധാനം said...

Ugur
No problem with that error. I think it has already started logging the packets.
Check /var/log/messages.

Anonymous said...

I don't think so :(. I can't see the entry in iptables --list.

Nothing for:

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 90 -j DROP --log-prefix '** HACKERS **' --log-level 4

T.U.V said...

Adding the legitimate server IPs to /etc/hosts.allow should resolve the problem mentioned by Richard, because /etc/hosts.allow is processed first, and if no match is found there, then /etc/hosts.deny is processed and the first match denies access. If no match is found in /etc/hosts.deny either, then access is allowed by default.

Please, correct me, if I am wrong.

tukang nggame said...

Thanks. That helped me. By the way, how do I block Download Accelerator Plus (DAP) with iptables or something else on Linux? I use GNU/Linux Debian Lenny.
Thanks in advance

Anonymous said...

Awesome, man! I had been looking for this for three days.
It works like a charm.
But one doubt: what if I specify --seconds 3600? The IP making > 4 connections will be banned for 1 hour, right?

Anonymous said...

Okay, I found it out from the man page. When I read the man page before reading this article, it seemed quite confusing to me. Now it's clear: --seconds checks if the IP was seen within the given number of seconds.

manjeet said...

I have this rule on my firewall:
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --syn --dport 9080 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j REJECT --reject-with tcp-reset
A few days ago it was working fine, but I don't know what I am doing wrong; now the time frame of this rule resets with the last request even if it was rejected. Because of this no requests come into the system: only the first 3 requests come in, and if I wait for one minute then I am again able to send new requests for 60 seconds.
