StorageTek Tape Analytics Administration Reference Guide, Version 1.0.2
E28379-03


Prevent Denial of Service Attacks

Overview

To protect the STA server from denial of service (DoS) attacks, configure the Linux iptables packet filter with rules that limit connections by port and/or source IP address. Based on the configuration of STA, Oracle recommends attaching rules to UDP port 162 (the SNMP trap port) and to the TCP ports on which the STA web servers listen.

Note – The STA web server default port values are 7001, 7002, 7021, and 7022, but different values may have been selected during STA installation.

The iptables Sample Script defines input rules on the server that count the new connections each source host opens to the protected port (HITS) within a time window in seconds (TIME), and block hosts on this criterion:

Once a host has opened HITS new connections within TIME seconds, further new connections from that host are dropped. Each blocked attempt refreshes the host's entry in the tracking list, so a host that keeps retrying stays blocked; it is unblocked once fewer than HITS of its attempts fall within the last TIME seconds.

Configure iptables Rules

1. Save a copy of the iptables Sample Script on the STA server.

2. Edit the variables at the top of the script:

INTERFACE
Defines the ethernet interface to watch for attacks

PORT
Defines the port number to watch for attacks (the script's placeholder value of 80 must be changed to UDP 162 or one of the STA web server ports)

PROTO
Defines the protocol (tcp or udp)

HITS and TIME
Decide what are reasonable values for the number of requests (HITS) within a given time period in seconds (TIME) before a host is blocked. Note that iptables counts new connections, not application requests: a browser typically opens several TCP connections to load one STA page, so a low HITS value can block legitimate users. On older kernels the recent module also rejects a hitcount larger than its ip_pkt_list_tot module parameter (20 by default).

3. Run the script as root. Repeat steps 2 and 3 for each port to protect.

The new rules are added to iptables and take effect immediately. They do not survive a reboot unless saved with the distribution's iptables service (for example, service iptables save on Oracle Linux).
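The procedure above protects one port per run of the sample script. The script below is added here as an example and is not part of the STA guide or its sample script: it generates the same recent-module rule pattern for every listener the Overview names, prints the iptables commands for review, and installs them when run as root with the argument apply. The port list assumes the STA default ports quoted in the Note; substitute the values chosen at installation. It differs from the sample script in two ways: each port gets its own recent list (--name), so counts on one port do not affect another, and a re-run deletes only this script's own rules instead of touching the rest of the INPUT chain.

```shell
#!/bin/sh
# Added example, not the STA guide's sample script: generate the recent-module
# rule pattern for every STA listener and print the commands for review;
# "apply" installs them (requires root and the iptables binary).
# Assumption: the port list below uses the STA defaults quoted in the guide;
# substitute the values chosen at installation.

INTERFACE=eth0     # interface the clients reach the server on
HITS=8             # new connections allowed per source host ...
TIME=60            # ... within this many seconds
SERVICES="udp:162 tcp:7001 tcp:7002 tcp:7021 tcp:7022"   # proto:port pairs

# Packet selector shared by the three rules for one proto/port pair.
common_match() {
    printf '%s' "--proto $1 --dport $2 --in-interface $INTERFACE --match state --state NEW"
}

# emit_rules PROTO PORT: print the three iptables commands for one service.
# Each service uses its own recent list (--name), so hits on one port do not
# count against another.  Because --insert puts each rule at the top, the
# commands are printed in reverse order and the chain ends up LOG, DROP, SET:
# a host with HITS recent entries is logged (rate-limited) and dropped before
# the SET rule can run.
emit_rules() {
    m=$(common_match "$1" "$2")
    name="dos_${1}_${2}"
    printf '/sbin/iptables --insert INPUT %s --match recent --set --name %s\n' \
        "$m" "$name"
    printf '/sbin/iptables --insert INPUT %s --match recent --update --seconds %s --hitcount %s --name %s --jump DROP\n' \
        "$m" "$TIME" "$HITS" "$name"
    printf '/sbin/iptables --insert INPUT %s --match recent --rcheck --seconds %s --hitcount %s --name %s --match limit --limit 5/minute --jump LOG --log-prefix "%s: " --log-level 4\n' \
        "$m" "$TIME" "$HITS" "$name" "$name"
}

# emit_delete PROTO PORT: the matching --delete commands, so a re-run replaces
# only this script's rules instead of flushing the whole INPUT chain.
emit_delete() {
    emit_rules "$1" "$2" | sed 's/--insert INPUT/--delete INPUT/'
}

# plan: print every command for all services, deletions before insertions.
plan() {
    for svc in $SERVICES; do
        emit_delete "${svc%%:*}" "${svc##*:}"
        emit_rules "${svc%%:*}" "${svc##*:}"
    done
}

# count_inserts: number of rules the plan installs (three per service).
count_inserts() {
    plan | grep -c -- '--insert INPUT'
}

if [ "${1:-}" = "apply" ]; then
    plan | while IFS= read -r cmd; do
        case $cmd in
            # repeat each deletion until no matching rule is left
            *--delete*) while eval "$cmd" 2>/dev/null; do :; done ;;
            *)          eval "$cmd" || exit 1 ;;
        esac
    done
    # Tracked hosts and their timestamps are then visible per list in
    # /proc/net/xt_recent/<name>.
else
    plan
fi
```

Run the script without arguments to review the generated commands, then as root with apply to install them; iptables -L INPUT -n --line-numbers shows the resulting order, and the per-port tracking lists can be read from /proc/net/xt_recent/ on current kernels.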

iptables Sample Script

# The name of the iptables chain
CHAIN=INPUT

# The ethernet interface to watch for attacks
INTERFACE=eth0

# The port number to watch for attacks (placeholder; use UDP 162 or an STA web server port)
PORT=80

# The protocol (tcp or udp)
PROTO=tcp

# A host that opens HITS new connections within TIME seconds will be blocked
HITS=8
TIME=60

# Log blocked hosts to file: route kern.warning messages there if syslog is not already configured to
touch /var/log/iptables.log
grep iptables /etc/syslog.conf 1>/dev/null 2>&1
if [ $? -ne 0 ] ; then
    printf 'kern.warning\t/var/log/iptables.log\n' >> /etc/syslog.conf
    /etc/init.d/syslog restart
fi

# Packet selector shared by the three rules
MATCH="--proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW"

# Undo any rules left by a previous run of this script for this port. Each --delete is
# repeated until no matching rule remains; other rules in the chain are untouched.
# If HITS or TIME were changed since the last run, delete the old rules by hand
# (see iptables -L $CHAIN -n --line-numbers).
for RULE in "--match recent --rcheck --seconds $TIME --hitcount $HITS --match limit --limit 5/minute --jump LOG --log-level 4" \
            "--match recent --update --seconds $TIME --hitcount $HITS --jump DROP" \
            "--match recent --set" ; do
    while /sbin/iptables --delete $CHAIN $MATCH $RULE 1>/dev/null 2>&1 ; do : ; done
done

# Tracking rule: record each new connection by source host
/sbin/iptables --insert $CHAIN $MATCH --match recent --set

# Blocking rule (inserted above the tracking rule): drop a host that already has
# HITS entries within the last TIME seconds; --update also refreshes its entry
/sbin/iptables --insert $CHAIN $MATCH --match recent --update --seconds $TIME --hitcount $HITS --jump DROP

# Logging rule (inserted above the blocking rule): log only the blocked hosts,
# rate-limited so the log stays readable; --log-level 4 is kern.warning
/sbin/iptables --insert $CHAIN $MATCH --match recent --rcheck --seconds $TIME --hitcount $HITS --match limit --limit 5/minute --jump LOG --log-level 4

Copyright © 2012 Oracle and/or its affiliates. All rights reserved.