iptables templates

Mike McGrath mmcgrath at redhat.com
Fri May 25 14:19:18 UTC 2007


Damian Myerscough wrote:
> On 25/05/07, Mike McGrath <mmcgrath at redhat.com> wrote:
>> seth vidal wrote:
>> > Here's what I've used in the past.
>> >
>> > It allows connections for certain ports/places and then drops 
>> everything
>> > else as the last item.
>> >
>> > http://linux.duke.edu/~skvidal/misc/iptables-template
>> >
>> > it's pretty painless, really.
>> >
>> > If we want to add explicit outbound rules, too, that's fine, but I'd
>> > advise enabling logging b/c that stuff is easy to get wrong. :)
>> >
>> > This is just a sample but it's simple and straightforward.
>> >
>>
>> Excellent.  I much prefer simple firewall rules where possible (it's not
>> always possible :)
>>
>> One RFE:
>>
>> Could we have a commented section in there to rate limit some of the
>> open ports (http immediately comes to mind)?  That way if we get slammed
>> again we don't have to go figure out what we've done in the past; we can
>> just uncomment it.
>>
>> What do you think?
>>
>>     -Mike
>>
>> _______________________________________________
>> Fedora-infrastructure-list mailing list
>> Fedora-infrastructure-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>>
>
> Hey Mike,
>
> For Apache why not deploy the mod_evasive module. What is mod_evasive?
>
> mod_evasive is an evasive maneuvers module for Apache to provide
> evasive action in the event of an HTTP DoS or DDoS attack or brute
> force attack. It is also designed to be a detection and network
> management tool, and can be easily configured to talk to ipchains,
> firewalls, routers, and etcetera. mod_evasive presently reports abuses
> via email and syslog facilities.
>
> I have finished university for the summer, would you like me to look
> into deploying this next week? Does anyone have any objections to this?
>

Is mod_evasive in extras/epel?

    -Mike
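As an added illustration of the RFE in the quoted thread (a default-deny template with a commented-out HTTP rate-limit section that can be switched on when the web servers get slammed), here is a small generator in iptables-restore form. It is an example written for this page, not seth's template from the linked URL; the rate (25 new connections/sec per source IP, burst 50), the open ports and the log prefixes are assumptions.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset: accept a few services, log and drop
# everything else last. The HTTP rate-limit section is printed commented
# out by default; set HTTP_RATELIMIT=1 to emit it live. Values are assumed.
HTTP_RATELIMIT="${HTTP_RATELIMIT:-0}"
HTTP_RATE="${HTTP_RATE:-25/sec}"   # new HTTP connections per source IP
HTTP_BURST="${HTTP_BURST:-50}"

# Print a rule line, prefixed with '#' unless the section is enabled.
rl() {
    if [ "$HTTP_RATELIMIT" = "1" ]; then
        printf '%s\n' "$1"
    else
        printf '# %s\n' "$1"
    fi
}

gen_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
EOF
    # Per-source-IP limit on NEW HTTP connections: within the limit they are
    # accepted here; anything above is logged (itself rate-limited) and dropped
    # before the unconditional port-80 ACCEPT below is reached.
    rl "-A INPUT -p tcp --dport 80 -m state --state NEW -m hashlimit --hashlimit-upto $HTTP_RATE --hashlimit-burst $HTTP_BURST --hashlimit-mode srcip --hashlimit-name http -j ACCEPT"
    rl "-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix \"http-ratelimit: \""
    rl "-A INPUT -p tcp --dport 80 -m state --state NEW -j DROP"
cat <<'EOF'
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Print the ruleset; load it with: gen_rules | iptables-restore
gen_rules
```

With the section disabled the three rate-limit lines stay as comments that iptables-restore ignores, so the file can be kept in place and the limit enabled later by uncommenting them.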