This chapter describes a method to prevent Denial of Service (DoS) attacks on the STA server. Follow this procedure only after the initial library configuration is successful. After configuring IPTables, you should ensure that STA is still successfully monitoring your libraries.
Note: The following procedure is optional, and is provided for informational purposes only. Site security remains the responsibility of the customer.
To protect the server from DoS attacks, configure the Linux iptables software to establish rules that filter ports and/or IP addresses. Based on the configuration of STA, Oracle recommends that you attach rules to UDP port 162 and to the ports on which the STA managed servers listen.
Note: See the "Port Configuration" section of the STA Installation and Configuration Guide for port information, including the default port values STA uses.
The iptables Sample Script can be used to define an input rule on the server to block hosts that attempt to connect, based on these criteria:
A specific Ethernet interface
A specific port
A specific protocol
The number of requests within a specified time period.
If the host connection count is exceeded within that time period, that host is blocked from further connections for the remainder of the time period.
To configure iptables rules:
Copy the source of the iptables Sample Script into a text editor.
Modify the following variables to suit your environment:
INTERFACE
Defines the Ethernet interface to watch for attacks
PORT
Defines the port number to watch for attacks
PROTO
Defines the protocol (tcp or udp)
HITS and TIME
Choose reasonable values for the number of requests (HITS) within a given time period in seconds (TIME) after which the sending host is blocked.
Save the script to your system and execute it.
The new rules are added to iptables and take effect immediately.
The following is an iptables sample script.
#!/bin/bash
# The name of the iptables chain
CHAIN=INPUT
# The Ethernet interface to watch for attacks
INTERFACE=eth0
# The port number to watch for attacks
PORT=80
# The protocol (tcp or udp)
PROTO=tcp
# A host that sends HITS requests within TIME seconds will be blocked
HITS=8
TIME=60

# Log filtered IPs to file (legacy syslogd paths; on rsyslog systems the
# configuration file is /etc/rsyslog.conf and the service name differs)
touch /var/log/iptables.log
grep iptables /etc/syslog.conf 1>/dev/null 2>&1
if [ $? -ne 0 ]; then
  # syslog.conf expects the selector and the action separated by a tab
  printf 'kern.warning\t/var/log/iptables.log\n' >> /etc/syslog.conf
  /etc/init.d/syslog restart
fi

# Undo any previous chaining for this combination of chain, proto, hits, and time.
# Note: when a matching rule is found, the loop deletes rule 1 until the chain is
# empty, so every rule in $CHAIN is removed, not only the ones this script added.
/sbin/iptables -L $CHAIN | grep $PROTO | grep $HITS | grep $TIME 1>/dev/null 2>&1
if [ $? -eq 0 ]; then
  R=0
  while [ $R -eq 0 ]; do
    /sbin/iptables -D $CHAIN 1 1>/dev/null 2>&1
    R=$?
  done
fi

# Logging rule (appended at the end of the chain, so it records packets that reach
# the end of $CHAIN; packets dropped by the blocking rule below are not logged)
/sbin/iptables --append $CHAIN --jump LOG --log-level 4

# Interface rule: record each new connection from a source in the "recent" list
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE \
  --match state --state NEW --match recent --set

# Blocking rule: inserted above the interface rule, so it is evaluated first and
# drops a new connection from a source already seen HITS times within TIME seconds
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE \
  --match state --state NEW --match recent --update --seconds $TIME --hitcount $HITS --jump DROP
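Choosing HITS and TIME is easier when you can replay real traffic against the rule before enabling it. The following Python script is an added example, not part of the STA documentation or product: it parses kernel LOG lines of the kind the logging rule writes to /var/log/iptables.log, keeps only new connections to the watched interface, port and protocol, and replays them with the semantics of the "recent" match (a source whose stored timestamps within the last TIME seconds already number HITS is dropped, and both the --set and --update rules record the packet's timestamp). The log lines, host name and addresses are constructed for the example; the year is assumed because syslog timestamps carry none, and for UDP every logged packet is treated as a new connection, since conntrack state is not in the log. The kernel also caps the timestamps kept per source (module parameter ip_pkt_list_tot, default 20), which this replay does not model.

```python
"""Replay iptables LOG lines against the HITS/TIME blocking rule (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One LOG line: syslog prefix, host, "kernel:", then the KEY=VALUE fields written
# by the LOG target (a real line also carries MAC=, TOS=, TTL= and more).
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<fields>.*)$"
)
_KV_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line, year=2024):
    """Return (timestamp, fields) for one iptables LOG line, or None for any other line.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields = dict(_KV_RE.findall(m.group("fields")))
    # TCP flags such as SYN are bare tokens, not KEY=VALUE pairs
    fields["SYN"] = "SYN" in m.group("fields").split()
    return ts, fields


def simulate_recent(events, hits, seconds):
    """Apply '--match recent --update --seconds SECONDS --hitcount HITS' (blocking rule)
    followed by '--match recent --set' (interface rule) to a time-ordered list of
    (timestamp, source) NEW-connection events. Returns [(timestamp, source, verdict)]."""
    stamps = defaultdict(deque)  # source -> timestamps recorded so far
    verdicts = []
    for ts, src in events:
        window = stamps[src]
        # The kernel counts the stamps already stored for this source that fall
        # inside the window; the packet being examined is not yet among them.
        prior = sum(1 for t in window if (ts - t).total_seconds() <= seconds)
        verdict = "DROP" if prior >= hits else "PASS"
        # --update (on DROP) and --set (on PASS) both record the packet's timestamp,
        # so a blocked source that keeps connecting keeps extending its own block.
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # expired stamps can never count again
        verdicts.append((ts, src, verdict))
    return verdicts


def offenders(lines, interface, port, proto, hits, seconds):
    """Keep only NEW connections to the watched interface/port/protocol, replay them,
    and return {source: number of packets the blocking rule would have dropped}."""
    events = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if (f.get("IN") != interface or f.get("PROTO") != proto.upper()
                or f.get("DPT") != str(port)):
            continue
        # For TCP only SYN packets are state NEW; for UDP the conntrack state is not
        # in the log, so every packet is treated as NEW (an approximation).
        if proto.lower() == "tcp" and not f["SYN"]:
            continue
        events.append((ts, f["SRC"]))
    events.sort(key=lambda e: e[0])
    drops = defaultdict(int)
    for _, src, verdict in simulate_recent(events, hits, seconds):
        if verdict == "DROP":
            drops[src] += 1
    return dict(drops)


# Constructed sample log (documentation address ranges, made-up times and host name)
_FMT = ("Mar  3 10:{m:02d}:{s:02d} sta-host kernel: IN=eth0 OUT= SRC={src} "
        "DST=198.51.100.5 LEN=60 PROTO=TCP SPT={spt} DPT={dpt} SYN URGP=0")
SAMPLE_LOG = (
    # 10 SYNs to port 80 from one source within 10 seconds
    [_FMT.format(m=0, s=i, src="192.0.2.10", spt=40000 + i, dpt=80) for i in range(10)]
    # 3 SYNs spread over 10 seconds from a well-behaved source
    + [_FMT.format(m=0, s=5 * i, src="203.0.113.7", spt=50000 + i, dpt=80) for i in range(3)]
    # traffic to another port and an unrelated syslog line are ignored
    + [_FMT.format(m=0, s=20, src="192.0.2.10", spt=40020, dpt=22),
       "Mar  3 10:00:30 sta-host sshd[123]: Accepted publickey for sta from 203.0.113.7"]
    # the first source again two minutes later, after its TIME window has expired
    + [_FMT.format(m=2, s=0, src="192.0.2.10", spt=40030, dpt=80)]
)

if __name__ == "__main__":
    for src, n in offenders(SAMPLE_LOG, "eth0", 80, "tcp", 8, 60).items():
        print(f"{src}: {n} new connection(s) would be dropped")
```

With HITS=8 and TIME=60 the burst source has its ninth and tenth connection attempts dropped and is admitted again once the window has expired, while the well-behaved source is never touched; lowering HITS to 3 raises the dropped count to seven. Running the replay over a day of real log data before enabling the script shows whether legitimate library traffic, for example SNMP trap bursts on UDP 162, would trip the chosen thresholds.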