Iptables DOS banning

Iptables has a few modules useful for blocking DOS, port scanning, brute-force attacks and any other attack that involves frequent connections.
- limit - basic rate-limit match; uses a single global bucket (token-bucket algorithm)
- hashlimit - connection rate-limiting module that keeps a hash table of buckets (per source IP, destination IP or port) and can share one named counter across multiple rules
- connlimit - limits the number of parallel connections per source
- recent - keeps a list of recently seen addresses; useful for blacklisting
Example (SSH brute force, port scanning and general DOS):
# LIMIT chain: log the packet, add its source to the "attacks" recent list, then drop it
iptables -N LIMIT
iptables -A LIMIT -j LOG --log-prefix "IPTABLES LIMIT: "
iptables -A LIMIT -m recent --set --name attacks -j DROP
# Ban listed attackers for 180 seconds; --update refreshes the timestamp on every hit,
# so the ban only expires once the source has been quiet for 180 seconds
iptables -A INPUT -m recent --update --seconds 180 --name attacks -j DROP
# SSH brute force: more than 4 new connections/minute (burst 7) from one source IP
iptables -A INPUT -m hashlimit --hashlimit-above 4/minute --hashlimit-burst 7 --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name sshflood -p tcp -m state --state NEW --dport 22 -j LIMIT
# Any connection attempt to NetBIOS, telnet or SMB is treated as an attack outright
iptables -A INPUT -p tcp -m tcp -m multiport --dports 139,23,445 -j LIMIT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# port 80 DOS: more than 20 new connections/minute (burst 25) from one source IP
iptables -A INPUT -i eth0 -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-above 20/minute --hashlimit-burst 25 --hashlimit-name DOS -p tcp --dport 80 -m state --state NEW -j LIMIT
# port scanning rule: more than 10 new connections/minute (burst 15) from one source IP to any port;
# note it also catches port 80 clients that stayed under the 20/minute rule above, so
# in effect every source is capped at 10 new connections/minute overall
iptables -A INPUT -i eth0 -m hashlimit --hashlimit-srcmask 32 --hashlimit-mode srcip --hashlimit-above 10/minute --hashlimit-burst 15 --hashlimit-name portscanning -m state --state NEW -j LIMIT
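To see how the hashlimit and recent matches interact in the SSH rules above, here is an added Python model (not part of the original page, and not the kernel's implementation): a token bucket stands in for hashlimit at 4/minute with burst 7, and a timestamp table stands in for the "attacks" recent list with --update --seconds 180. The source address and timings are constructed.

```python
# Added model of the SSH rules above: hashlimit (4/minute, burst 7) as a token bucket,
# the "attacks" recent list (--update --seconds 180) as a timestamp table (not kernel code).
RATE_PER_SEC = 4 / 60.0   # --hashlimit-above 4/minute
BURST = 7                 # --hashlimit-burst 7
BAN_SECONDS = 180         # recent --update --seconds 180

class HashLimit:
    """Per-source bucket: a packet is 'above' the limit when no whole token is left."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}
    def above(self, src, now):
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return False
        self.buckets[src] = (tokens, now)
        return True

class Recent:
    """--set records a source; --update matches one seen within `seconds` and
    refreshes its timestamp, so a source that keeps connecting stays banned."""
    def __init__(self, seconds):
        self.seconds, self.last_seen = seconds, {}
    def set(self, src, now):
        self.last_seen[src] = now
    def update(self, src, now):
        if src in self.last_seen and now - self.last_seen[src] <= self.seconds:
            self.last_seen[src] = now
            return True
        return False

def simulate(events):
    """Walk the INPUT chain in rule order per (seconds, source_ip) new SSH connection:
    recent --update -> DROP; hashlimit above -> LIMIT (log, --set, DROP); else ACCEPT."""
    attacks, sshflood, verdicts = Recent(BAN_SECONDS), HashLimit(RATE_PER_SEC, BURST), []
    for now, src in events:
        if attacks.update(src, now):
            verdicts.append("DROP(banned)")
        elif sshflood.above(src, now):
            attacks.set(src, now)
            verdicts.append("LIMIT")
        else:
            verdicts.append("ACCEPT")
    return verdicts

# Constructed traffic: one source opens 10 SSH connections in 10 seconds, retries
# at t=100 (still banned, timestamp refreshed) and at t=290 (quiet 190 s, ban expired).
ATTACKER = [(t, "198.51.100.7") for t in range(10)] + [(100, "198.51.100.7"), (290, "198.51.100.7")]
```

Running simulate(ATTACKER) shows the burst of 7 accepted, the 8th connection hitting LIMIT, the following attempts dropped by the recent rule, and the attempt 190 seconds after the last hit accepted again because the ban expired.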
-- AvishaiIshShalom - 01 Aug 2010