This appendix provides a sample procedure for mitigating Denial-of-Service (DoS) attacks against STA. It explains how to use the sample script in Example A-1 to define input rules for the iptables service that block hosts based on the following criteria:
Ethernet interface
Transport protocol (TCP or UDP)
Port number
Maximum number of new connections within a specified time period
Note: This procedure is optional and is provided as information only. Site security is the customer's responsibility.
Note: Before using this procedure, configure and verify the library connections on STA. See the STA User's Guide for details.
Use this procedure to configure input rules for the iptables service that watch for and block attacks on STA.
For STA, Oracle recommends attaching rules to UDP port 162 (the port on which SNMP traps are received) and to the ports you have defined for the STA managed servers. See the STA Installation and Configuration Guide for details about the ports.
Log in to the STA server as the system root user.
Copy the contents of Example A-1 into a text editor.
Modify the following variables as appropriate for your environment.
INTERFACE—Ethernet interface to watch for attacks (eth0, for example)
PROTO—Transport protocol to watch for attacks (tcp or udp)
PORT—Port number to watch for attacks
HITS and TIME—Specify reasonable values for the number of new connections (HITS) within a given time period, in seconds (TIME). Once a host has made HITS new connections within the last TIME seconds, its further connection attempts on that port are dropped. Each dropped attempt is recorded as well, so a host that keeps trying stays blocked; the block lifts once the host has been quiet long enough that fewer than HITS attempts fall inside the window. Note that UDP traffic such as SNMP traps gets no reply, so connection tracking treats every trap packet from a library as a new connection; set HITS above the highest number of traps you expect a single library to send within TIME seconds, otherwise a legitimate burst of traps will be blocked.
Save the script and execute it as root. The new rules are added to the running iptables configuration and take effect immediately. They are not preserved across a reboot unless you save them (for example, with service iptables save on Oracle Linux) or rerun the script at startup.
Verify that STA is still successfully monitoring your libraries. See the STA User's Guide for details.
Example A-1 iptables Sample Script
#!/bin/sh
# Rate-limit new connections to one port and block hosts that exceed the limit.
# Run the script once for each protocol/port to protect; each run gets its own
# chain and its own "recent" list, so rerunning it replaces only its own rules.

# The name of the iptables chain to hook into
CHAIN=INPUT
# The Ethernet interface to watch for attacks
INTERFACE=eth0
# The port number to watch for attacks
PORT=80
# The protocol (tcp or udp)
PROTO=tcp
# A host that sends HITS new connections within TIME seconds will be blocked
HITS=8
TIME=60
# Per-port chain and recent-list name (iptables chain names are limited to 28 characters)
SUBCHAIN="STA_DOS_${PROTO}_${PORT}"

# Log blocked hosts to file. This sends every kern.warning message there, not only
# iptables logs; on systems that use rsyslog, edit /etc/rsyslog.conf instead.
touch /var/log/iptables.log
if ! grep -q iptables /etc/syslog.conf; then
    printf 'kern.warning\t/var/log/iptables.log\n' >> /etc/syslog.conf
    /etc/init.d/syslog restart
fi

# Undo what a previous run left for this protocol and port: remove the jump rule(s)
# from $CHAIN, then flush and delete the per-port chain. Other rules in $CHAIN are
# not touched. (If INTERFACE was changed since the last run, delete the old jump
# rule by hand first, otherwise the old chain cannot be deleted.)
while /sbin/iptables --delete $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE \
        --match state --state NEW --jump $SUBCHAIN 2>/dev/null; do :; done
/sbin/iptables --flush $SUBCHAIN 2>/dev/null
/sbin/iptables --delete-chain $SUBCHAIN 2>/dev/null
/sbin/iptables --new-chain $SUBCHAIN

# Logging rule: log a connection that is about to be dropped (rcheck only tests the
# count, it does not record a hit); limit the log rate so a flood cannot fill the disk
/sbin/iptables --append $SUBCHAIN --match recent --name $SUBCHAIN --rcheck --seconds $TIME --hitcount $HITS \
        --match limit --limit 6/minute --jump LOG --log-level 4 --log-prefix "$SUBCHAIN: "
# Blocking rule: drop the connection and record the hit, so a host that keeps trying stays blocked
/sbin/iptables --append $SUBCHAIN --match recent --name $SUBCHAIN --update --seconds $TIME --hitcount $HITS --jump DROP
# Tracking rule: record every allowed new connection against its source address
/sbin/iptables --append $SUBCHAIN --match recent --name $SUBCHAIN --set
# Interface rule: send new connections to the watched port through the per-port chain
/sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE \
        --match state --state NEW --jump $SUBCHAIN
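The following script is an added example and is not part of Oracle's STA documentation. It reads the table that the recent match keeps for the rules in Example A-1 and reports, per source address, how many hits fall inside the TIME-second window that ends at that host's last packet, which is the count the blocking rule evaluated when that packet arrived; it also shows how to unblock a host by hand. It assumes HITS and TIME as set in the script, that the rules use the default recent list name (DEFAULT; change RECENT_LIST if the rules were given --name), and that the kernel ticks at HZ=1000 (the timestamps in the table are jiffies, and HZ is the only way to convert them). The sample table at the bottom is constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not Oracle's code): inspect the xt_recent table behind Example A-1.
# Assumptions: HITS/TIME as in the script, default list name, kernel HZ of 1000.

HITS=8
TIME=60
HZ=1000                                          # kernel tick rate; table stamps are jiffies
RECENT_LIST=DEFAULT                              # name given with --name, if any
RECENT_TABLE=/proc/net/xt_recent/$RECENT_LIST    # /proc/net/ipt_recent/$RECENT_LIST on older kernels

# report_recent: reads table lines from stdin and prints
#   <source> <hits in window> <allowed|blocked>
# A table line looks like (one source per line, oldest_pkt is a ring-buffer index):
#   src=192.0.2.10 ttl: 64 last_seen: 4295012000 oldest_pkt: 1 4295011000, 4295011500, 4295012000
report_recent() {
    window=$((TIME * HZ))
    while read -r line; do
        case "$line" in src=*) ;; *) continue ;; esac
        src=${line#src=};              src=${src%% *}
        last=${line#*last_seen: };     last=${last%% *}
        stamps=${line#*oldest_pkt: };  stamps=${stamps#* }     # drop the ring index
        n=0
        for s in $(printf '%s' "$stamps" | tr -d ','); do
            # count stamps inside [last_seen - TIME, last_seen]; jiffies wrap is ignored
            if [ "$s" -ge $((last - window)) ]; then n=$((n + 1)); fi
        done
        # The blocking rule drops a packet when HITS earlier stamps already lie in the
        # window, and the dropped packet is stamped too, so more than HITS stamps in the
        # window means this host's most recent packet was dropped.
        if [ "$n" -gt "$HITS" ]; then state=blocked; else state=allowed; fi
        printf '%s %s %s\n' "$src" "$n" "$state"
    done
}

# unblock_host ADDR: remove one source from the list so its next connection is accepted
unblock_host() {
    printf '%s\n' "-$1" > "$RECENT_TABLE"
}

# Constructed sample table for trying the parser offline (not from a real system):
# 192.0.2.10 made 3 connections; 192.0.2.20 made 11, one of them outside the window.
sample_table() {
    printf '%s\n' \
      'src=192.0.2.10 ttl: 64 last_seen: 4295012000 oldest_pkt: 1 4295011000, 4295011500, 4295012000' \
      'src=192.0.2.20 ttl: 64 last_seen: 4295100000 oldest_pkt: 0 4295030000, 4295041000, 4295095000, 4295095500, 4295096000, 4295096500, 4295097000, 4295097500, 4295098000, 4295099000, 4295100000'
}

# On the live system, as root:  report_recent < "$RECENT_TABLE"    or    unblock_host 192.0.2.20
sample_table | report_recent
```

Run it on the STA server after the rules are in place to confirm that your libraries stay in the allowed state while you exercise them; a library that shows up as blocked with a count close to HITS is a sign that HITS is set too low for its trap rate.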