iptables
# Reference: http://security.stackexchange.com/questions/42618/how-to-protect-tomcat-7-against-slowloris-attack
# Use firewall rules to prevent too many connections from a single host. This will mitigate run-of-the-mill Denial of Service attacks but not distributed ones (DDoS).
# Here is an example of an iptables command which can be used to limit the number of concurrent connections that can be established to port 80 from a single client host:
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT
# This would, however, have side-effects if many users were legitimately connecting from a single IP (e.g. a mega-proxy), so the number of connections would need to be tuned reasonably, depending on the traffic expected.
# references: http://serverfault.com/questions/112795/how-can-i-run-a-server-on-linux-on-port-80-as-a-normal-user
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
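As an added example (not part of the gist), the script below applies the three rules above idempotently: it uses `iptables -C` to skip a rule that is already present, keeps `--syn` on the connlimit rule so only new connections are counted, and supports a `DRY_RUN=1` mode that prints the commands instead of running them. The `PUBLIC_PORT`, `APP_PORT`, `CONN_LIMIT`, `IPT` and `DRY_RUN` variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example: idempotent application of the connlimit + redirect rules.
# Variable names and defaults are assumptions of this example, not the gist's.
PUBLIC_PORT="${PUBLIC_PORT:-80}"
APP_PORT="${APP_PORT:-8080}"
CONN_LIMIT="${CONN_LIMIT:-50}"
IPT="${IPT:-iptables}"

# run_rule TABLE CHAIN RULE...: append the rule only if an identical one is
# not already present (iptables -C exits 0 when it exists), so running the
# script again at boot or from a deploy hook does not stack duplicates.
# With DRY_RUN set, the command is printed instead of executed.
run_rule() {
    table="$1"; chain="$2"; shift 2
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT -t $table -A $chain $*"
        return 0
    fi
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

apply_rules() {
    # Count only new connections (--syn). Without it, once a host is over the
    # limit every packet of its already-established connections is refused too.
    run_rule filter INPUT -p tcp --syn --dport "$PUBLIC_PORT" \
        -m connlimit --connlimit-above "$CONN_LIMIT" -j REJECT
    # Public port -> unprivileged application port for traffic arriving from outside.
    run_rule nat PREROUTING -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$APP_PORT"
    # PREROUTING is skipped for locally generated traffic, so cover localhost too.
    run_rule nat OUTPUT -p tcp -d 127.0.0.1 --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$APP_PORT"
}

# Only touch the firewall when explicitly asked: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `DRY_RUN=1 sh script.sh apply` first to review the exact commands before applying them as root.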
@HackersZone

References: My Mind ;)

iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 3 -j DROP # Only 3 connections allowed
iptables -A OUTPUT -p tcp -m multiport --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dport 80 -j ACCEPT
