Hi, I want to use a dedicated firewall to protect the web server. The firewall operates in bridge mode. Which method is better to use to block attacks on a web server?

1. Using the "recent" module: count the number of connection requests to the server, and if, for example, the number of requests exceeds N (50) within time T (3600 seconds), then block the source address. Example iptables rules:

    iptables -A http_check -m recent --update --seconds 3600 --hitcount 50 -j DROP
    iptables -A http_check -m recent --set -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate NEW -p tcp --dport 80 -j http_check
    iptables -P FORWARD DROP

2. Using the "recent" module and ipset:

a) I use the "recent" module to collect all the addresses that are trying to connect to the web server:

    iptables -A hitiplist -m recent --set -j RETURN
    iptables -P hitiplist ACCEPT
    iptables -A FORWARD -d web_server_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d web_server_ip -p tcp --dport 80 -m conntrack --ctstate NEW -j hitiplist
    iptables -A FORWARD -d web_server_ip -m set --set blacklist src -j DROP
    iptables -P FORWARD ACCEPT

b) A perl script processes the file /proc/net/ipt_recent/DEFAULT, looking for source addresses for which the value "oldest_pkt" > 50, and puts these addresses in the file "blacklist". The script then inserts the addresses from "blacklist" into the hash table of the "ipset" module.

Questions:
1. Which method is more correct and better in terms of performance?
2. Maybe there are other methods?
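As an added illustration of step 2b (not code from the original post), here is a POSIX shell version of the "parse the recent table, emit ipset entries" step. It assumes the table is exported at /proc/net/xt_recent/DEFAULT (the /proc/net/ipt_recent path in the post is the older name), that the ipset is named blacklist, and it works on a constructed sample of the table format so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post. Each line of
# /proc/net/xt_recent/<name> (older kernels: /proc/net/ipt_recent/<name>) has
# the form:
#   src=192.0.2.10 ttl: 64 last_seen: 4294736 oldest_pkt: 3 4294700, 4294720, 4294736
# The trailing numbers are the stored hit timestamps for that address. Their
# number is capped by the xt_recent parameter ip_pkt_list_tot (default 20), so
# a threshold of 50 hits needs e.g.: modprobe xt_recent ip_pkt_list_tot=50

# Constructed sample standing in for the real table (1, 3 and 5 stored hits).
sample_table() {
    cat <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 4294736 oldest_pkt: 1 4294736
src=198.51.100.7 ttl: 128 last_seen: 4294990 oldest_pkt: 3 4294100, 4294500, 4294990
src=203.0.113.5 ttl: 64 last_seen: 4294800 oldest_pkt: 5 4294600, 4294650, 4294700, 4294750, 4294800
EOF
}

# over_threshold LIMIT [FILE]: print every source address whose line carries
# more than LIMIT stored hit timestamps. FILE defaults to stdin.
over_threshold() {
    awk -v limit="$1" '
        /^src=/ && /oldest_pkt:/ {
            ip = $1; sub(/^src=/, "", ip)
            # Drop everything up to and including the oldest_pkt index,
            # leaving only the timestamp list, then count its entries.
            stamps = $0; sub(/.*oldest_pkt: *[0-9]+ */, "", stamps)
            n = split(stamps, t, /[ ,]+/)
            if (n > 0 && t[n] == "") n--
            if (n > limit) print ip
        }' "${2:-/dev/stdin}"
}

# blacklist_cmds LIMIT SETNAME [FILE]: print the ipset commands that would add
# each offending address with a one-hour timeout (-exist makes re-adding safe).
blacklist_cmds() {
    over_threshold "$1" "$3" | while read -r ip; do
        printf 'ipset add %s %s timeout 3600 -exist\n' "$2" "$ip"
    done
}

# Offline run against the sample; in production create the set once with
#   ipset create blacklist hash:ip timeout 3600
# and pipe the commands into sh (or run the table through the real path).
sample_table | blacklist_cmds 2 blacklist
```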