Damian Myerscough wrote:
On 25/05/07, Mike McGrath mmcgrath@redhat.com wrote:
seth vidal wrote:
Here's what I've used in the past.
It allows connections for certain ports/places and then drops
everything
else as the last item.
http://linux.duke.edu/~skvidal/misc/iptables-template
it's pretty painless, really.
If we want to add explicit outbound rules, too, that's fine, but I'd advise enabling logging b/c that stuff is easy to get wrong. :)
This is just a sample but it's simple and straightforward.
Excellent. I much prefer simple firewall rules where possible (its not always possible :)
One RFE:
Could we have a commented section in there to rate limit some of the open ports (http immediately come to mind)? That way if we get slammed again we don't have to go figure out what we've done in the past we can just uncomment it.
What do you think?
-Mike
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
Hey Mike,
For Apache why not deploy the mod_evasive module. What is mod_evasive?
mod_evasive is an evasive maneuvers module for Apache to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and etcetera. mod_evasive presently reports abuses via email and syslog facilities.
I have finished university for the summer, would you like me to look into deploying this next week? Does anyone have any objections to this?
Is mod_evasive in extras/epel?
-Mike