RHEL7: How to mitigate HTTP attacks.


If it is not possible to stop an HTTP attack against one of your servers, you can mitigate it.

Here, we will stop an attacker from hitting your server more than 30 times within 60 seconds (it's up to you to decide the values of these two parameters). Once the limit is reached, the attacker has to wait 60 seconds before he can hit your server again. And, if he doesn't wait, he will not be able to hit your server again at all: every rejected attempt refreshes the 60-second window, so the block only expires once he stays silent for that long.

This tutorial uses the --direct option of the firewall-cmd command and doesn't require any reboot.

Create the /etc/modprobe.d/xt.conf file and paste the following line:

options xt_recent ip_pkt_list_tot=30

Note: By default, xt_recent only remembers the last 20 packets per source address (ip_pkt_list_tot=20), and the --hitcount value of a rule cannot exceed that number. As we need 30 hits in the example, we need to specify this new configuration before loading the module.

Load the xt_recent module:

# modprobe xt_recent

Note: If you need to change the xt_recent configuration later, unload the module (modprobe -r xt_recent) and load it again.

Add the following two rules to the firewall configuration:

# /bin/firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct \
  0 -p tcp --dport 80 -m state --state NEW -m recent --set
success
# /bin/firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct \
  1 -p tcp --dport 80 -m state --state NEW -m recent --update \
  --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset
success
# firewall-cmd --reload
success

Note1: The INPUT_direct chain receives all packets before any other chain.
Note2: 0 and 1 are the priority or order of the rules in the INPUT_direct chain.

Check that your rules are correctly registered:

# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter INPUT_direct 0 -p tcp --dport 80 -m state --state NEW -m recent --set
ipv4 filter INPUT_direct 1 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset
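The two values above have to agree: the --hitcount of the second rule must not be larger than the ip_pkt_list_tot set in /etc/modprobe.d/xt.conf, otherwise the rule is refused at load time and the rate limit is not in place at all. The following script is an added example (not part of the original tutorial) that performs this consistency check. It works on two constructed strings standing in for the content of /etc/modprobe.d/xt.conf and the output of firewall-cmd --permanent --direct --get-all-rules, so it runs anywhere; on a real server you would feed it the actual file and command output instead.

```shell
#!/bin/bash
# Added example: verify that every "-m recent ... --hitcount N" rule fits
# within the xt_recent ip_pkt_list_tot limit (module default: 20).

# Constructed sample inputs (stand-ins for the real file and command output):
#   cat /etc/modprobe.d/xt.conf
#   firewall-cmd --permanent --direct --get-all-rules
SAMPLE_MODPROBE='options xt_recent ip_pkt_list_tot=30'
SAMPLE_RULES='ipv4 filter INPUT_direct 0 -p tcp --dport 80 -m state --state NEW -m recent --set
ipv4 filter INPUT_direct 1 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset'

# Print the configured ip_pkt_list_tot, or the module default (20)
# when the option is not set in the modprobe configuration.
pkt_list_tot() {
    tot=$(printf '%s\n' "$1" | sed -n 's/.*ip_pkt_list_tot=\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${tot:-20}"
}

# Print the highest --hitcount found in the rule list (0 if there is none).
max_hitcount() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i == "--hitcount" && $(i+1) + 0 > max) max = $(i+1) + 0 }
        END { print max + 0 }'
}

# Return 0 when every hitcount fits in the remembered packet list, 1 otherwise.
check_recent_limit() {
    tot=$(pkt_list_tot "$1")
    hc=$(max_hitcount "$2")
    if [ "$hc" -gt "$tot" ]; then
        echo "hitcount $hc exceeds ip_pkt_list_tot $tot: the rule would be refused"
        return 1
    fi
    echo "hitcount $hc within ip_pkt_list_tot $tot: configuration is consistent"
    return 0
}

check_recent_limit "$SAMPLE_MODPROBE" "$SAMPLE_RULES"
```

Run on the real server with `check_recent_limit "$(cat /etc/modprobe.d/xt.conf)" "$(firewall-cmd --permanent --direct --get-all-rules)"`. Once the rules are active, the addresses currently tracked by the module, with their hit timestamps, can be read from /proc/net/xt_recent/DEFAULT (DEFAULT being the table name used when --name is not given), which is the quickest way to confirm that a blocked client is indeed listed.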

Test your configuration from another server with the following shell script (here called batch.sh):

#!/bin/bash
# Hit the target server in an endless loop; after 30 requests within
# 60 seconds the connections should start being rejected (TCP reset).
# Stop the script with Ctrl-C.

while true
do
    /usr/bin/wget "http://myserver.example.com/"
done

Note: Only do that on your own servers 😉

Source: firewall-cmd man page.
