Wednesday, June 16, 2010

recent vs ipset

Hi,
I want to use a dedicated firewall to protect the web server. The firewall operates in bridge mode. Which method is better for blocking attacks on a web server?

1. Using the "recent" module.
Count the number of connection requests to the server and, if the number of requests exceeds N (50) within time T (3600 seconds), block the source address.
Example iptables rules:
# create the user-defined chain before appending rules to it
iptables -N http_check
# --hitcount is capped by the recent module's ip_pkt_list_tot parameter (default 20);
# load the module with a larger value (modprobe xt_recent ip_pkt_list_tot=50; ipt_recent on older kernels) or iptables rejects the rule
iptables -A http_check -m recent --update --seconds 3600 --hitcount 50 -j DROP
iptables -A http_check -m recent --set -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -p tcp --dport 80 -j http_check
iptables -P FORWARD DROP

2. Using the "recent" module together with ipset:
a) I use the "recent" module to collect all the addresses that try to connect to the web server:
# create the user-defined chain; user chains have no policy (-P is only valid for built-in chains),
# and a packet that reaches the end of a user chain returns to the caller just as RETURN does
iptables -N hitiplist
iptables -A hitiplist -m recent --set -j RETURN
iptables -A FORWARD -d web_server_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NEW packets are recorded in hitiplist, return here, and then hit the blacklist check below;
# already ESTABLISHED connections of a blacklisted address are still accepted by the rule above
iptables -A FORWARD -d web_server_ip -p tcp --dport 80 -m conntrack --ctstate NEW -j hitiplist
# ipset 4.x match syntax; ipset 6+ uses "-m set --match-set blacklist src"
iptables -A FORWARD -d web_server_ip -m set --set blacklist src -j DROP
iptables -P FORWARD ACCEPT

b) A Perl script processes the file /proc/net/ipt_recent/DEFAULT, looking for source addresses whose "oldest_pkt" value is > 50, and puts these addresses in the file "blacklist". The script then inserts the addresses from the blacklist into the hash table of the "ipset" module.
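As an added example (not the poster's Perl script), here is a Python equivalent of step b) that parses the recent table, applies a hit threshold within a time window and returns the ipset commands to run; the sample table lines and the set name "blacklist" are constructed, and the proc file layout is assumed to be the xt_recent one, so check it against the running kernel.

```python
import re
import subprocess

# Constructed sample in the layout of /proc/net/xt_recent/DEFAULT (older kernels: ipt_recent):
# one address per line, timestamps in jiffies, at most ip_pkt_list_tot stamps kept per address.
SAMPLE_TABLE = """\
src=203.0.113.7 ttl: 64 last_seen: 4294940391 oldest_pkt: 1 4294939834, 4294940371, 4294940391
src=198.51.100.23 ttl: 57 last_seen: 4294940100 oldest_pkt: 0 4294940100
src=192.0.2.9 ttl: 60 last_seen: 4294940390 oldest_pkt: 2 4294936390, 4294940380, 4294940390
"""

LINE_RE = re.compile(r"^src=(\S+)\s+ttl:\s*\d+\s+last_seen:\s*(\d+)\s+oldest_pkt:\s*\d+\s*(.*)$")

def parse_recent_table(text):
    """Yield (ip, last_seen, stamps) per line; the stamp list is the retained hit record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamps = [int(s) for s in re.findall(r"\d+", m.group(3))]
            yield m.group(1), int(m.group(2)), stamps

def offenders(text, hitcount, window, now=None):
    """Map ip -> hits for addresses with >= hitcount retained hits in the last `window` jiffies.
    `now` defaults to the newest last_seen in the table (jiffies are not exposed to userspace)."""
    rows = list(parse_recent_table(text))
    if now is None:
        now = max((last for _, last, _ in rows), default=0)
    hits = {}
    for ip, _, stamps in rows:
        in_window = [s for s in stamps if 0 <= now - s <= window]
        if len(in_window) >= hitcount:
            hits[ip] = len(in_window)
    return hits

def ipset_commands(ips, setname="blacklist"):
    """ipset 4.x syntax (`ipset -A`); ipset 6+ uses `ipset add` instead."""
    return ["ipset -A %s %s" % (setname, ip) for ip in sorted(ips)]

def blacklist(text, hitcount, window, now=None, setname="blacklist", dry_run=True):
    """Build the ipset commands for the offenders; run them only when dry_run is False."""
    cmds = ipset_commands(offenders(text, hitcount, window, now), setname)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd.split(), check=True)
    return cmds

if __name__ == "__main__":
    # The kernel keeps at most ip_pkt_list_tot (default 20) stamps per address, so a threshold
    # above that is never reached unless the module is loaded with a larger ip_pkt_list_tot.
    for cmd in blacklist(SAMPLE_TABLE, hitcount=3, window=1000):
        print(cmd)
```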


Questions:
1. Which method is more correct and better in terms of performance?
2. Are there other methods?
