Created September 18, 2012 02:24
Rate limit HTTP requests using UFW
```
### Add those lines after *filter near the beginning of the file
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]

### Add those lines near the end of the file
### Start HTTP ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
# Limit connections per Class C (/24)
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop
# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop
# Finally accept
-A ufw-http -j ACCEPT
# Log (rate-limited so an attacker cannot flood the log)
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### End HTTP ###
```
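A mistake in a before.rules fragment like this one is easy to make and costly: a chain that is jumped to but never declared makes `iptables-restore` reject the whole ruleset (so `ufw enable` fails and the host has no firewall), and a rule that has been glued onto the end of a comment line is silently ignored, so the logging step simply never runs. As an added example, not part of the gist, the Python below statically checks a fragment for exactly those problems before it is ever handed to ufw. It assumes that stock ufw already provides the `ufw-before-input`/`ufw-before-output`/`ufw-before-forward` chains, and the embedded fragment is a constructed copy of the rules above wrapped in the `*filter` ... `COMMIT` block that `iptables-restore` expects.

```python
import re

# Constructed sample input: a copy of the gist's before.rules fragment
# wrapped in the *filter ... COMMIT block that iptables-restore expects.
FRAGMENT = """\
*filter
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]
### Start HTTP ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop
# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop
# Finally accept
-A ufw-http -j ACCEPT
# Log
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### End HTTP ###
COMMIT
"""

# Assumption: stock ufw already defines these chains in before.rules, so a
# fragment may append to them without declaring them itself.
UFW_PROVIDED_CHAINS = {"ufw-before-input", "ufw-before-output", "ufw-before-forward"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

DECL_RE = re.compile(r"^:(\S+)\s+-\s+\[\d+:\d+\]$")   # ":chain - [0:0]"
APPEND_RE = re.compile(r"^-A\s+(\S+)(.*)$")           # "-A chain ..."
JUMP_RE = re.compile(r"-j\s+(\S+)")
HIDDEN_RULE_RE = re.compile(r"-A\s+\S+")


def check_ufw_fragment(text):
    """Statically check an iptables-restore style fragment.

    Returns a list of (line_no, message).  An empty list means: every chain
    that is appended to or jumped to was declared first (or is provided by
    ufw), every user chain ends in a terminating target, and no rule text is
    hiding inside a comment.
    """
    declared = set()
    rules_by_chain = {}          # chain -> [(line_no, jump_target_or_None)]
    findings = []

    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*") or line == "COMMIT":
            continue
        if line.startswith("#"):
            # A comment that still contains "-A <chain>" is almost always a
            # rule that lost its line break; iptables-restore ignores it and
            # the rule is never loaded.
            if HIDDEN_RULE_RE.search(line):
                findings.append((no, "rule text inside a comment; it will never be loaded"))
            continue
        m = DECL_RE.match(line)
        if m:
            declared.add(m.group(1))
            continue
        m = APPEND_RE.match(line)
        if not m:
            findings.append((no, "unrecognised line: " + line))
            continue
        chain, rest = m.group(1), m.group(2)
        jump = JUMP_RE.search(rest)
        target = jump.group(1) if jump else None
        known = declared | UFW_PROVIDED_CHAINS
        if chain not in known:
            findings.append((no, f"chain {chain} used before being declared"))
        if target and target not in BUILTIN_TARGETS and target not in known:
            findings.append((no, f"jump target {target} is not a declared chain"))
        rules_by_chain.setdefault(chain, []).append((no, target))

    # A user chain whose last rule is not terminating falls through to the
    # caller's policy, which is rarely what a limiter chain intends.
    for chain in sorted(declared):
        rules = rules_by_chain.get(chain, [])
        if not rules:
            findings.append((0, f"chain {chain} is declared but has no rules"))
        elif rules[-1][1] not in TERMINATING:
            findings.append((rules[-1][0], f"chain {chain} does not end with a terminating rule"))
    return findings


if __name__ == "__main__":
    problems = check_ufw_fragment(FRAGMENT)
    print(problems if problems else "fragment looks consistent")
```

This is a lint pass, not a replacement for the real parser: after the fragment is merged into before.rules, `iptables-restore --test < /etc/ufw/before.rules` (run as root) still gives the authoritative answer on whether the kernel will accept it, and the checker here only catches the structural mistakes that are otherwise silent or only surface at `ufw enable` time.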
Article with explanation is here: http://blog.lavoie.sl/2012/09/protect-webserver-against-dos-attacks.html