Thread: Config iptables to stop flood of unwanted traffic

  1. #1
    Junior Member
    Join Date
    Feb 2013
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Config iptables to stop flood of unwanted traffic

    Hi,

    I am using a Debian 7 VPS. I am getting on average 5-6 Lakh connections every day from different IPs, which are just spam, unwanted traffic, making my server access slow.

    Please check the access log output below for a few seconds.
    Code:
    tail /usr/local/nginx/logs/access.log
    61.228.94.84 - - [17/Sep/2013:17:12:30 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
    61.231.6.32 - - [17/Sep/2013:17:12:31 +0530] "CONNECT 203.188.197.111:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:31 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:32 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:32 +0530] "CONNECT 203.188.197.119:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:33 +0530] "CONNECT 203.188.197.111:25 HTTP/1.0" 400 172 "-" "-"
    61.231.6.32 - - [17/Sep/2013:17:12:33 +0530] "CONNECT 203.188.197.119:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:33 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:34 +0530] "CONNECT 65.55.37.120:25 HTTP/1.0" 400 172 "-" "-"
    61.228.94.84 - - [17/Sep/2013:17:12:36 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
    If I block any one IP with iptables, the attacker automatically sends connections from a different IP.
    I changed VPS provider, configured my domain's A and NS records to point to the new VPS provider and removed all entries for the old VPS provider. With the new VPS provider I did stop getting this unwanted traffic, but I watched the old VPS, which continued to get the same traffic. So I determined that the attacker is attacking the IP address, not the domain. Then I shut down the old VPS and observed the current new VPS; on the new VPS too I got the same flood of traffic. I selected a new VPS provider who offers a Cisco Guard module for network-level DDoS protection, but it is not working in my case.
    Please find my iptables entries below. Please suggest a solution: can I stop this with iptables?
    Code:
    *filter
    -A INPUT -p tcp --destination-port 25 -j DROP
    -A OUTPUT -p tcp --destination-port 25 -j DROP
    -A OUTPUT -p tcp -d 0.0.0.0 --dport 25 -j DROP
    -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    
    # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    
    # Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allows all outbound traffic
    # You could modify this to only allow certain traffic
    -A OUTPUT -p tcp --destination-port 80 -j ACCEPT
    -A OUTPUT -p tcp --destination-port 443 -j ACCEPT
    # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p udp --dport 53 -j ACCEPT
    -A INPUT -p tcp --dport 53 -j ACCEPT
    -A INPUT -p tcp --dport 3306 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    
    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    
    # log iptables denied calls (access via 'dmesg' command)
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    # Reject all other inbound - default deny unless explicitly allowed policy:
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    
    COMMIT
    Thank you.

  2. #2
    Member
    Join Date
    Feb 2008
    Posts
    62
    Thanks
    0
    Thanked 5 Times in 4 Posts
    Rep Power
    7

    Quote Originally Posted by ckinikar
    (..) making my server access slow.
    These are CONNECT method probes trying to reach other mail servers using your web server as a proxy. They only get served a "400" reply, plus there are only 3 connections per minute, meaning it doesn't compute to say it slows your server down.


    Quote Originally Posted by ckinikar
    Please find my iptables entries below. Please suggest a solution: can I stop this with iptables?
    As long as your web server configuration doesn't enable proxying, you're fine. You could limit new requests to port TCP/80, but as you're seeing only 3 connections max per minute, that wouldn't help much. You could use fail2ban to search /usr/local/nginx/logs/access.log for lines to block, in combination with ipset ('man ipset') and a rule in the raw table PREROUTING chain.

  3. #3
    Junior Member
    Join Date
    Feb 2013
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Hi,

    Please have a look at the Logwatch daily report attached here for 15th Sep: 786231 connections in a day.
    In the last 2 days I have received around 3 Lakh connections, because during that period I migrated the VPS to a new host. Again today the count may go above 5 Lakh connections. I want to tell you, when I brought my new VPS up and running, I saw a great difference in accessing and browsing the website; it was incredibly fast, because at that time these connections were hitting the old VPS. As soon as I shut down the old VPS, after some time I experienced the same traffic on the new VPS, degrading site browsing performance.

    Again, look closely at my access log output: the first entry is at 17/Sep/2013:17:12:30 and the last, i.e. the 10th, entry is just 6 seconds later, at 17/Sep/2013:17:12:36.

    Will you please give some hints for fail2ban as well as iptables PREROUTING? I have already tried some rules with fail2ban, but I couldn't work it out, maybe because I couldn't configure it exactly as my requirement is.

    Thanks.
    Attached Images

  4. #4
    Junior Member
    Join Date
    Feb 2013
    Posts
    10
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Hi,

    I have installed fail2ban.

    In jail.conf, I have added below rule:
    Code:
    [nginx-proxy]
    enabled = true
    action = iptables-multiport[name=NoProxy, port="http,https"]
    filter = nginx-proxy
    logpath = /usr/local/nginx/logs/access.log
    maxretry = 0
    bantime  = 86400 # 1 day
    When I restart:
    Code:
    sudo /etc/init.d/fail2ban restart
    [FAIL] Restarting authentication failure monitor: fail2ban failed!
    Then I removed the above code from jail.conf, created a new file jail.local and added the code below to it:
    Code:
    [DEFAULT]
    
    action = %(action_mwl)s
    
    [nginx-proxy]
    enabled = true
    action = iptables-multiport[name=NoProxy, port="http,https"]
    filter = nginx-proxy
    logpath = /usr/local/nginx/logs/access.log
    maxretry = 0
    bantime  = 86400 # 1 day
    Again I got the same error on restart; please help me.
    Also,
    Code:
    action iptables-multiport[name=NoProxy, port="http,https"]
    how will it work?

    On my system, if I enter a command, e.g.:
    Code:
    iptables -A OUTPUT -p tcp -d 1.0.0.0/8 --dport 25 -j DROP
    it will work, but once I reboot it will disappear. I always need to add iptables rules to the /etc/iptables.test.rules file and then run
    Code:
    iptables-restore < /etc/iptables.test.rules
    iptables-save > /etc/iptables.up.rules
    Will fail2ban restore and save iptables rules?

    Please support.

    Thank you.

  5. #5
    Member
    Join Date
    Feb 2008
    Posts
    62
    Thanks
    0
    Thanked 5 Times in 4 Posts
    Rep Power
    7

    Quote Originally Posted by ckinikar
    When I restart:
    Code:
    sudo /etc/init.d/fail2ban restart
    [FAIL] Restarting authentication failure monitor: fail2ban failed!
    Then check whatever fail2ban logs to (/var/log/fail2ban.log, /var/log/messages) for clues.


    Quote Originally Posted by ckinikar
    Also,
    Code:
    action iptables-multiport[name=NoProxy, port="http,https"]
    how will it work?
    It works by loading rules from the "(nginx-)proxy.conf" file in the /etc/fail2ban/filter.d/ directory. Since you need to block CONNECT rules, you have to modify the filter. It should look something like:
    Code:
    [Definition]
    # <HOST> is the client address; the target of the CONNECT is a bare IP:port
    # (e.g. "CONNECT 27.123.206.55:25 HTTP/1.0"), so match any target on port 25
    failregex = ^<HOST> -.*"CONNECT \S+:25 HTTP
    ignoreregex =
    which you can test with:
    Code:
    fail2ban-regex /usr/local/nginx/logs/access.log '^<HOST> -.*"CONNECT \S+:25 HTTP'
    Post output if unsure.


    Quote Originally Posted by ckinikar
    On my system, if I enter a command, e.g.:
    Code:
    iptables -A OUTPUT -p tcp -d 1.0.0.0/8 --dport 25 -j DROP
    it will work, but once I reboot it will disappear. I always need to add iptables rules to the /etc/iptables.test.rules file and then run
    Code:
    iptables-restore < /etc/iptables.test.rules
    iptables-save > /etc/iptables.up.rules
    Will fail2ban restore and save iptables rules?
    First of all, you need a rule in the filter table INPUT chain (which fail2ban will add itself), and secondly you've created an anomaly by using a non-standard rule set "/etc/iptables.test.rules". Find the location of the default rule set that gets loaded by your iptables or firewall service and modify that to have it reload existing rules on reboot, or add the line "iptables-restore < /etc/iptables.test.rules" to your startup script (or cron "@reboot").
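    As an added example (not code from the thread or from fail2ban itself): a small Python stand-in for what fail2ban-regex and the jail do with a filter like the one above, run over constructed log lines modelled on the excerpt in post #1. The `<HOST>` expansion is a simplified IPv4-only assumption, and `maxretry`/`findtime` are the jail settings the thread uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the access.log excerpt in post #1; the GET
# line is a normal visitor the filter must leave alone.
SAMPLE_LOG = """\
61.228.94.84 - - [17/Sep/2013:17:12:30 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
61.231.6.32 - - [17/Sep/2013:17:12:31 +0530] "CONNECT 203.188.197.111:25 HTTP/1.0" 400 172 "-" "-"
61.228.94.84 - - [17/Sep/2013:17:12:31 +0530] "CONNECT 27.123.206.55:25 HTTP/1.0" 400 172 "-" "-"
61.228.94.84 - - [17/Sep/2013:17:12:32 +0530] "CONNECT 203.188.197.119:25 HTTP/1.0" 400 172 "-" "-"
198.51.100.7 - - [17/Sep/2013:17:12:33 +0530] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# A CONNECT to any target on port 25, whatever the proxied address is.
FAILREGEX = r'^<HOST> -.*"CONNECT \S+:25 HTTP'
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def compile_failregex(failregex):
    """Expand <HOST> as fail2ban-regex would and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def _hits(log_text, failregex):
    """Map each matching client host to the sorted timestamps of its hits."""
    rx = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            stamp = TS_RE.search(line).group(1)
            hits[m.group("host")].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S"))
    return {h: sorted(t) for h, t in hits.items()}

def match_counts(log_text, failregex=FAILREGEX):
    """Per-host count of matching lines, like fail2ban-regex's summary."""
    return {h: len(t) for h, t in _hits(log_text, failregex).items()}

def hosts_to_ban(log_text, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Hosts with >= maxretry matches inside some findtime-second window;
    maxretry=0 (as in the jail above) is treated as 'ban on first match'."""
    needed, window = max(maxretry, 1), timedelta(seconds=findtime)
    return {h for h, t in _hits(log_text, failregex).items()
            if any(t[i + needed - 1] - t[i] <= window
                   for i in range(len(t) - needed + 1))}
```

    A pattern with a literal `http` right after `CONNECT` matches none of these lines, since the request target is a bare IP:port; checking the per-host counts before enabling the jail is what saves you from an empty ban list.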

  6. #6
    Junior Member
    Join Date
    Jul 2014
    Location
    USA
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    CONNECT method probes trying other mail web servers using your web server as proxies. They only get provided a "400" response, plus there are only 3 relationships per moment, significance it doesn't estimate saying it decreases your server down.
