This appendix describes a method of using Linux iptables to help protect the STA server against Denial of Service (DoS) attacks. Follow these procedures only after the initial library configuration is successful. After configuring iptables, confirm that STA is still successfully monitoring your libraries: rules that are too aggressive can drop legitimate traffic from the libraries themselves.
Note:
The procedures in this appendix are optional, and are provided for informational purposes only. Site security remains the responsibility of the customer.
To help protect the server from DoS attacks, configure the Linux iptables packet filter with rules that filter on ports and/or IP addresses. Based on the configuration of STA, Oracle recommends that you attach rules to UDP port 162 (SNMP traps) and to the ports on which the STA managed servers are running.
Note:
See the STA Installation and Configuration Guide for port information, including the default port values STA uses.
The iptables Sample Script can be used to define input rules on the server that block hosts attempting to connect, based on these criteria:
A specific Ethernet interface
A specific port
A specific protocol
The number of new connection attempts within a specified time period
If a host reaches that connection count within the time period, its further connection attempts on that port are dropped. Because the blocking rule also refreshes the host's last-seen timestamp on every dropped attempt, a host that keeps trying stays blocked; it is unblocked once fewer than HITS of its attempts fall within the most recent TIME seconds.
To configure iptables rules:
Copy the source of the iptables Sample Script into a text editor.
Modify the following variables to suit your environment:
INTERFACE—Defines the Ethernet interface to watch for attacks
PORT—Defines the port number to watch for attacks
PROTO—Defines the protocol (TCP or UDP)
HITS and TIME—Decide what are reasonable values for the number of new connection attempts (HITS) within a given time period in seconds (TIME) before a host is blocked. HITS cannot exceed the xt_recent module parameter ip_pkt_list_tot (20 by default) or iptables rejects the rule, and the values must leave room for the legitimate traffic the libraries send to STA, or monitoring will stop.
Save the script to your system and execute it as root.
The new rules are added to iptables and take effect immediately.
The following is an iptables sample script.
#!/bin/sh
# The name of the iptables chain
CHAIN=INPUT
# The Ethernet interface to watch for attacks
INTERFACE=eth0
# The port number to watch for attacks (see the STA Installation and Configuration Guide for the ports STA uses)
PORT=80
# The protocol (tcp or udp)
PROTO=tcp
# A host that makes HITS new connection attempts within TIME seconds will be blocked.
# HITS must not exceed the xt_recent parameter ip_pkt_list_tot (default 20) or the rule is rejected.
HITS=8
TIME=60
# Prefix written into each log entry so blocked attempts can be told apart from other kernel messages
LOG_PREFIX="STA-DOS-BLOCK: "

# Log filtered IPs to file: the LOG rule below uses level 4 (warning), so route kern.warning there.
# Adjust the file and service names on hosts that run rsyslog (/etc/rsyslog.conf, service rsyslog).
touch /var/log/iptables.log
if ! grep iptables /etc/syslog.conf >/dev/null 2>&1; then
    # syslog.conf separates the selector from the action with a tab
    printf 'kern.warning\t/var/log/iptables.log\n' >> /etc/syslog.conf
    /etc/init.d/syslog restart
fi

# Undo any previous chaining for this combination of chain, proto, hits, and time.
# Caution: the loop deletes every rule in $CHAIN, not only the ones this script added.
if /sbin/iptables -L $CHAIN | grep $PROTO | grep $HITS | grep $TIME >/dev/null 2>&1; then
    while /sbin/iptables -D $CHAIN 1 >/dev/null 2>&1; do
        :
    done
fi

# Each rule is inserted at the top of the chain, so they are added in reverse order of evaluation.
# Final order: LOG (matches what DROP will match), DROP, then --set for the attempts that get through.

# Interface rule: record every new connection attempt from the source address
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --set

# Blocking rule: drop when the source has already made HITS new attempts within TIME seconds.
# --update also refreshes the source's timestamp, so a host that keeps trying stays blocked.
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --update --seconds $TIME --hitcount $HITS --jump DROP

# Logging rule: log only the attempts the blocking rule will drop (--rcheck does not modify the list).
# The limit match keeps a flooding host from flooding the log as well.
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --rcheck --seconds $TIME --hitcount $HITS --match limit --limit 5/minute --jump LOG --log-level 4 --log-prefix "$LOG_PREFIX"
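Once the rules are active, the useful check is which hosts the blocking rule has actually caught, which can be read from the LOG entries syslog writes to /var/log/iptables.log. The following shell function is an added example, not part of the Oracle documentation or the STA product. It assumes the LOG rule was created with --log-prefix "STA-DOS-BLOCK: " (an assumption made here so the rate-limit entries can be told apart from the other kern.warning messages that share the file), and it runs over a constructed sample rather than a real log.

```shell
#!/bin/sh
# Added example: summarize which hosts the blocking rule has caught, from the
# kernel LOG lines that syslog writes to /var/log/iptables.log.
# Assumption (not from the STA documentation): the LOG rule was created with
# --log-prefix "STA-DOS-BLOCK: ", so its entries can be told apart from the other
# kern.warning messages that land in the same file.
LOG_PREFIX="STA-DOS-BLOCK:"

# Read syslog lines on stdin; print "<count> <source-ip> <destination-port>",
# most frequently blocked source first. Lines without the prefix are ignored.
summarize_blocks() {
    grep -F "$LOG_PREFIX" \
        | sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2, $3 }'
}

# Constructed sample in the format the kernel LOG target produces; these lines
# are made up for the example and are not captures from an STA server.
SAMPLE_LOG='Mar  3 10:15:32 stahost kernel: STA-DOS-BLOCK: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:32 stahost kernel: STA-DOS-BLOCK: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:33 stahost kernel: STA-DOS-BLOCK: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.77 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:40 stahost kernel: STA-DOS-BLOCK: IN=eth0 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=198.51.100.9 DST=10.0.0.10 LEN=88 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=161 DPT=162 LEN=68
Mar  3 10:15:41 stahost kernel: some other kernel warning mentioning SRC=10.9.9.9 DPT=22 that must be ignored'

# Run over the sample; on a live server use: summarize_blocks < /var/log/iptables.log
printf '%s\n' "$SAMPLE_LOG" | summarize_blocks
```

Running it over the sample lists 192.0.2.77 three times against port 80 and 198.51.100.9 once against UDP 162, while the unrelated kernel warning is skipped because it lacks the prefix. A library address appearing in this output is the signal that HITS or TIME is too tight for the traffic STA legitimately receives.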