* nmap scan makes my apache connection super slow
From: J. Bakshi @ 2009-08-21 9:06 UTC (permalink / raw)
To: netfilter
Dear list,
An nmap scan ("nmap -P0 ....") makes my Apache connection super slow!!!
The iptables rule set I have on my server to cope with scanners is
`````````
## SYN-FLOODING PROTECTION
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
## FRAGMENTS
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP
#XMAS packets
#Incoming malformed XMAS packets. Drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Drop all NULL packets
#Incoming malformed NULL packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#block commonly used port-scanning technique.
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "NMAP-XMAS SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "NMAP-NULL SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "SYN/RST SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "SYN/FIN SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## malformed packets
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
````````````````
But an nmap scan of the server makes the Apache connection running on it super
slow!!!
If I stop the scan, Apache becomes normal again.
Is there any trick to keep the connection normal even while scanners are
doing their job? Please suggest how to cope with it.
Thanks
* Re: nmap scan makes my apache connection super slow
From: Pascal Hambourg @ 2009-08-21 14:34 UTC (permalink / raw)
To: J. Bakshi; +Cc: netfilter
Hello,
J. Bakshi wrote:
>
> nmap scan " nmap -P0 ...." makes my apache connection super slow !!!
What do you mean exactly by "slow"? Low transfer rate? It takes longer
to establish a connection?
> ## SYN-FLOODING PROTECTION
> iptables -N syn-flood
> iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
> iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
1/s is much too strict. Even in normal use a server may receive many
more connection requests in one second.
> ## FRAGMENTS
> iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
> iptables -A INPUT -i $IFACE -f -j DROP
Useless. Fragment reassembly occurs before the INPUT chains (and even
before PREROUTING chains - except the 'raw' table - when conntrack is
enabled), so there are no fragments there.
> But nmap scan on the server makes apache connection running on it super
> slow !!!
> If I stop the scan apache again become normal.
> Is there any trick to keep the connection normal even with scanners are
> doing their job ? Please suggest how to cope with it.
Make an exception to the SYN flood protection for TCP port 80 (or any
port Apache listens on), with at least a much higher limit than 1/s. How
high? Well, as high as your system can take without choking.
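One way to carry out the advice above, as an added example that is not from the thread: the web port gets its own chain with a much higher limit, keyed per source address with the hashlimit match (this example's choice, not something the thread specifies), while the rest keeps a single shared bucket well above 1/s. The interface, port, rates and bursts are assumed placeholders, and the chains are assumed not to exist yet.

```shell
#!/bin/sh
# Added example, not from the thread: keep a SYN-rate limit for the server
# but give the web port its own chain with a much higher, per-source limit.
# IFACE, WEB_PORT and all rates/bursts are assumed placeholders; tune them.
IFACE="${IFACE:-eth0}"
WEB_PORT="${WEB_PORT:-80}"
WEB_SYN_RATE="${WEB_SYN_RATE:-50/s}"       # per source address, web port
WEB_SYN_BURST="${WEB_SYN_BURST:-100}"
OTHER_SYN_RATE="${OTHER_SYN_RATE:-10/s}"   # global, all other ports
OTHER_SYN_BURST="${OTHER_SYN_BURST:-20}"

# With DRY_RUN=1 the rules are printed instead of loaded, so they can be
# reviewed on a workstation without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

install_syn_rules() {
    ipt -N syn-flood
    ipt -N syn-flood-web
    # Order matters: the web-port rule must come before the catch-all,
    # otherwise port-80 SYNs still hit the strict global bucket.
    ipt -A INPUT -i "$IFACE" -p tcp --syn --dport "$WEB_PORT" -j syn-flood-web
    ipt -A INPUT -i "$IFACE" -p tcp --syn -j syn-flood
    # Web port: hashlimit keyed on source IP, so a single scanning host
    # exhausts only its own bucket and does not starve other clients.
    ipt -A syn-flood-web -m hashlimit --hashlimit-name web-syn \
        --hashlimit-mode srcip --hashlimit-upto "$WEB_SYN_RATE" \
        --hashlimit-burst "$WEB_SYN_BURST" -j RETURN
    ipt -A syn-flood-web -j DROP
    # Everything else: one shared bucket, still far above the thread's 1/s.
    ipt -A syn-flood -m limit --limit "$OTHER_SYN_RATE" \
        --limit-burst "$OTHER_SYN_BURST" -j RETURN
    ipt -A syn-flood -j DROP
}

# Print the rules that would be loaded, without touching the kernel.
render_syn_rules() {
    ( DRY_RUN=1; install_syn_rules )
}
```

Run `render_syn_rules` first to review the generated rules; a scanning host then only drains its own per-source bucket on port 80 while other clients keep connecting.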
* Re: nmap scan makes my apache connection super slow
From: Simon Ruderich @ 2009-08-21 14:57 UTC (permalink / raw)
To: netfilter
On Fri, Aug 21, 2009 at 04:34:18PM +0200, Pascal Hambourg wrote:
> Make an exception to the syn flood protection for TCP port 80 (or any
> port apache listens on), with at least a much higher limit than 1/s. How
> high ? Well, as high as your system can take without choking.
As a side note, somebody doesn't need to SYN-flood Apache to bring
it down; have a look at Slowloris [1].
Simon
[1]: http://ha.ckers.org/slowloris/
--
+ privacy is necessary
+ using http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
* nmap scan makes my apache connection super slow
From: J. Bakshi @ 2009-08-24 4:49 UTC (permalink / raw)
To: netfilter
Dear list,
An nmap scan ("nmap -P0 ....") makes my Apache connection super slow!!!
The iptables rule set I have on my server to cope with scanners is
`````````
## SYN-FLOODING PROTECTION
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
## Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
## FRAGMENTS
iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i $IFACE -f -j DROP
#XMAS packets
#Incoming malformed XMAS packets. Drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
#Drop all NULL packets
#Incoming malformed NULL packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#block commonly used port-scanning technique.
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "NMAP-XMAS SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "NMAP-NULL SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "SYN/RST SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "SYN/FIN SCAN:" --log-tcp-options --log-ip-options
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
## malformed packets
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -i $IFACE -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
````````````````
But an nmap scan of the server makes the Apache connection running on it super
slow!!!
If I stop the scan, Apache becomes normal again.
Is there any trick to keep the connection normal even while scanners are
doing their job? Please suggest how to cope with it.
Thanks