This is my first question here.

I made the following script to protect my server against Slowloris and some DDoS.

#!/bin/sh
# It does not allow more than 10 connections per IP on ports 80 and 443. And log it.
# Except when the IP comes from 123.456.789.000
/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 123.456.789.000 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLOCK ATTACK: " --log-level 6
/sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 123.456.789.000 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset

/sbin/iptables -A INPUT -p tcp --syn --dport 443 ! -s 123.456.789.000 -m connlimit --connlimit-above 10 -j LOG --log-prefix "BLOCK ATTACK HTTPS: " --log-level 6
/sbin/iptables -A INPUT -p tcp --syn --dport 443 ! -s 123.456.789.000 -m connlimit --connlimit-above 10 -j REJECT --reject-with tcp-reset

First question: Is that correct? Will it work as I would like?

Second question: How do I adapt this iptables code to temporarily block an IP if --connlimit-above 10 happens 3 times?

Note: I know fail2ban, but I want to use iptables. And I want to use connlimit, not just count hits on the server.

I tried several ways to do this, googled a lot, and I failed :(

Rodrigo Gomes
  • You know this makes no sense? A connlimit like this may rule out complete mobile phone networks, as you see them coming from very few IP addresses thanks to NAT. Given that the conn limit for one browser is IIRC somewhere around 2-3, that is very few people at the same time. – TomTom Mar 30 '16 at 03:52
  • 1
    But 10 connections at the same time is very difficult to happen, even in a NAT network. In my Apache I use keepalive, which eliminates the use of multiple connections in most modern browsers. I would only be worried about it if I hosted a site like Facebook. – Rodrigo Gomes Mar 30 '16 at 05:15
  • No, it does not. Keepalive keeps them alive; multiple connections happen to do multiple things in parallel, like downloading pictures and CSS files. And depending on how relevant or not your site is, 10 connections may or may not work. Just as a note: there are whole ISPs hiding behind a few proxies these days to save IP addresses. – TomTom Mar 30 '16 at 05:23
  • No, it's not. Keepalive keeps the connection open to open other files such as images, CSS, JS. No need to open a new connection. – Rodrigo Gomes Mar 30 '16 at 05:29
  • Even download sites have connection limits to avoid excessive bandwidth. – Rodrigo Gomes Mar 30 '16 at 05:30

1 Answer

Answering my own question, after much work and research I created this script for iptables:

#!/bin/sh
# Custom chains: BLOCK_IP enforces temporary blocks, *_CHECK measure the rate,
# *_ATTACK log and create the block.
/sbin/iptables -N BLOCK_IP
/sbin/iptables -N SYN_CHECK
/sbin/iptables -N DOS_CHECK
/sbin/iptables -N SYN_ATTACK
/sbin/iptables -N DOS_ATTACK
#
# first, check whether the IP is already blocked
/sbin/iptables -A INPUT -j BLOCK_IP
# drop if it is blocked (a BlockedIP entry younger than 60 seconds)
/sbin/iptables -A BLOCK_IP -p tcp -m multiport --dport 80,443 -m recent --name BlockedIP --rcheck --seconds 60 -j DROP
/sbin/iptables -A BLOCK_IP -p udp -m multiport --dport 80,443 -m recent --name BlockedIP --rcheck --seconds 60 -j DROP
# if the block time has already passed, remove the entry (unblock the IP) and return
/sbin/iptables -A BLOCK_IP -p tcp -m multiport --dport 80,443 -m recent --name BlockedIP --remove -j RETURN
/sbin/iptables -A BLOCK_IP -p udp -m multiport --dport 80,443 -m recent --name BlockedIP --remove -j RETURN
#
# check: more than 20 simultaneous connections in SYN state - skips the Varnish Cache IP (placeholder address)
/sbin/iptables -A INPUT -p tcp -m multiport --dport 80,443 --syn ! -s 123.456.789.000 -m connlimit --connlimit-above 20 -j SYN_CHECK
# check: rate of new connections - skips the Varnish Cache IP (placeholder address)
/sbin/iptables -A INPUT -p tcp -m multiport --dport 80,443 ! -s 123.456.789.000 -m state --state NEW -j DOS_CHECK
/sbin/iptables -A INPUT -p udp -m multiport --dport 80,443 ! -s 123.456.789.000 -m state --state NEW -j DOS_CHECK
#
# check whether the hits are frequent: --update matches only when the RATE list
# already holds --hitcount packets from this IP inside the --seconds window
/sbin/iptables -A SYN_CHECK -m recent --update --seconds 10 --hitcount 20 --name RATE -j SYN_ATTACK
/sbin/iptables -A DOS_CHECK -m recent --update --seconds 3 --hitcount 20 --name RATE -j DOS_ATTACK
# if the hits are frequent, log and block for 1 minute (BlockedIP entry checked above)
/sbin/iptables -A SYN_ATTACK -j LOG --log-prefix "BLOCK SYN ATTACK: " --log-level 6
/sbin/iptables -A SYN_ATTACK -m recent --set --name BlockedIP -j DROP
/sbin/iptables -A DOS_ATTACK -j LOG --log-prefix "BLOCK DOS ATTACK: " --log-level 6
/sbin/iptables -A DOS_ATTACK -m recent --set --name BlockedIP -j DROP
#
# if the hits are not frequent, record this packet in RATE and accept
/sbin/iptables -A SYN_CHECK -m recent --set --name RATE -j ACCEPT
/sbin/iptables -A DOS_CHECK -m recent --set --name RATE -j ACCEPT
#

But I'm not sure if I'm totally sure. In my opinion, after seeing many examples on the internet, this is one of the best protection scripts for HTTP for iptables.

However, I would like another opinion; in my logic it all makes sense. But I have never programmed iptables before.

I would like the opinion of an expert on that subject.

Rodrigo Gomes
  • Thanks for sharing, @rodrigo-gomes! This script is really useful! I tested it. I changed it for my own purpose and it checks and blocks all ports; here is the gist: [link](https://gist.github.com/mitsh/796e14764e80c27b316d3046eac6e7e3) – Mustafa Özgür Nov 03 '18 at 19:23
  • You're welcome, @MustafaÖzgür! I did the best I could with all my skills. But I am certainly open to suggestions. – Rodrigo Gomes Nov 06 '18 at 00:43
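As an added illustration (not part of the answer and not kernel code), the following Python model replays the DOS_CHECK / DOS_ATTACK / BLOCK_IP logic of the script above over a constructed packet trace, so the thresholds can be reasoned about: 20 new connections inside 3 seconds are accepted, the 21st triggers a 60-second block, and the block expires through the --remove rule. The xt_recent semantics (--set always matches and adds a timestamp, --update matches only when --hitcount timestamps fall inside --seconds, at most ip_pkt_list_tot = 20 timestamps per address) are assumed from the module's documented behaviour; the SYN_CHECK/connlimit path and the shared RATE list between the two checks are not modelled.

```python
from collections import defaultdict

# Constructed values: the placeholder address from the question (not a valid IP) and
# the thresholds used by the script's DOS_CHECK and BLOCK_IP rules. Times are in ms.
WHITELIST = {"123.456.789.000"}        # '! -s 123.456.789.000'
PKT_LIST_TOT = 20                      # xt_recent ip_pkt_list_tot default: stamps kept per address
RATE_SECONDS, RATE_HITCOUNT = 3, 20    # --update --seconds 3 --hitcount 20 --name RATE
BLOCK_SECONDS = 60                     # --rcheck --seconds 60 --name BlockedIP

rate = defaultdict(list)     # "RATE" list: src -> timestamps (ms)
blocked = defaultdict(list)  # "BlockedIP" list: src -> timestamps (ms)

def recent_set(table, src, now):
    """--set: add a stamp for src, dropping the oldest beyond PKT_LIST_TOT; always matches."""
    table[src].append(now)
    del table[src][:-PKT_LIST_TOT]
    return True

def recent_hits(table, src, now, seconds):
    """Number of stamps for src that fall inside the --seconds window."""
    return sum(1 for s in table.get(src, ()) if now - s <= seconds * 1000)

def input_chain(now, src):
    """Verdict for one NEW TCP packet to port 80/443 from src at time now (ms)."""
    # BLOCK_IP: DROP while a BlockedIP stamp is younger than 60 s, else --remove and RETURN
    if src in blocked:
        if recent_hits(blocked, src, now, BLOCK_SECONDS):
            return "DROP"
        del blocked[src]
    if src in WHITELIST:                 # whitelisted source never reaches DOS_CHECK
        return "ACCEPT"
    # DOS_CHECK: --update matches only when the RATE window is already full
    if src in rate and recent_hits(rate, src, now, RATE_SECONDS) >= RATE_HITCOUNT:
        recent_set(rate, src, now)       # --update refreshes the entry when it matches
        recent_set(blocked, src, now)    # DOS_ATTACK: LOG, --set BlockedIP, DROP
        return "DROP"
    recent_set(rate, src, now)           # below threshold: --set RATE, ACCEPT
    return "ACCEPT"

def replay(trace):
    """Replay a list of (ms, src) packets from a clean state; returns the verdicts."""
    rate.clear()
    blocked.clear()
    return [input_chain(t, src) for t, src in trace]

# Constructed trace: one host opens 25 connections in 2.5 s, retries at 30 s and at 70 s
BURST = [(i * 100, "203.0.113.5") for i in range(25)] + [(30_000, "203.0.113.5"), (70_000, "203.0.113.5")]

if __name__ == "__main__":
    for (t, src), verdict in zip(BURST, replay(BURST)):
        print(f"{t / 1000:6.1f}s {src} -> {verdict}")
```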