Posts Tagged ‘iptables’

Passive Mode FTP with iptables


There’s lots of advice on the net about how to set up a server with iptables to allow passive mode FTP. Below is the approach that we’ve found to be most effective.

Start by configuring your FTP daemon to use a fixed range of passive data ports. We use 49152 to 65534, which is the IANA registered ephemeral port range. The exact config depends on which FTP software you’re using:

vsftpd

Edit /etc/vsftpd/vsftpd.conf and add the following lines:

pasv_min_port=49152
pasv_max_port=65534

proftpd

Edit /etc/proftpd.conf and add to the Global section:

......
PassivePorts 49152 65534
......

Now restart your FTP service so the changes take effect.

Next you’ll need to configure the ip_conntrack_ftp iptables module to load, so that the kernel can track the data connections that the FTP control channel negotiates. On Red Hat/CentOS just edit /etc/sysconfig/iptables-config and add “ip_conntrack_ftp” to IPTABLES_MODULES like this (on kernels using the nf_conntrack framework the module is actually named nf_conntrack_ftp, as the lsmod output further down shows; the old name still loads it through a module alias):

IPTABLES_MODULES="ip_conntrack_ftp"

Next edit /etc/sysconfig/iptables and add a rule to allow new TCP connections to port 21, the FTP control channel. The passive data connections themselves are matched by the ESTABLISHED,RELATED rule once the conntrack helper is loaded. The new line is the one with --dport 21:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now restart the iptables service:

/sbin/service iptables restart

You can verify that the FTP connection-tracking helper has been loaded with lsmod like this (lsmod only shows that the module is present; the port range itself lives in your FTP daemon’s config):

lsmod | grep conntrack_ftp

and you’ll get something like this:

nf_conntrack_ftp       12913  0
nf_conntrack           79645  4 nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

And that’s all it takes to get passive mode ftp working behind iptables.

P.S.: If your server is behind a physical firewall and you are behind NAT, then you’ll probably also need to load the “ip_nat_ftp” iptables module, which rewrites the addresses in the PASV replies.


Preventing Layer 7 DDoS Attacks on a Service


You might have heard about application-level DDoS (Distributed Denial of Service) attacks on websites such as Twitter, Facebook and Wikileaks. Usually those kinds of attacks involve a large number of HTTP/HTTPS requests to a specific part of the website, which can eat up all the resources of the server and leave the web server unresponsive.

There are already tools available that can shut down a website and make it unreachable for legitimate users.

Looking at the technique used to perform this attack, the tool sends about 10 long HTTP/HTTPS requests per second until it reaches the bandwidth or connection limits of the host or networking equipment, taking it offline.

Now the question is: how can we stop this attack? What are the preventive measures against Layer 7 DDoS?

First of all, we start limiting the traffic using the hashlimit module in iptables. It keeps a separate counter per source address and can be used to allow only a certain number of packets per minute from each source:

iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

where "--hashlimit-burst 20" is the burst limit (the number of packets a source may send at once before the 50/min rate applies); you can adjust both values as per your requirement.
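To see what those two numbers actually do, here is a small token-bucket model of the rule above, written for this post and not part of the original article or of iptables itself. It assumes hashlimit's behaviour (credit refilled by elapsed time, one packet per credit, bucket starting full) and uses constructed traffic from TEST-NET addresses; one caveat it makes visible is that, because the rule has no state match, every packet to port 80 is counted, not just new connections.

```python
from collections import defaultdict

# Parameters of the rule from the post:
#   -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 20 --hashlimit-mode srcip
RATE_PER_MIN = 50
BURST = 20


class HashLimit:
    """Per-source token bucket (assumed model of hashlimit): time is in
    milliseconds, one packet costs 60000/rate ms of credit, and a bucket
    holds at most BURST packets' worth of credit and starts full."""

    def __init__(self, rate_per_min=RATE_PER_MIN, burst=BURST):
        self.cost = 60000 // rate_per_min      # 1200 ms of credit per packet
        self.capacity = burst * self.cost      # 24000 ms = 20 packets of burst
        self.buckets = {}                      # srcip -> [credit, last_seen_ms]

    def decide(self, srcip, now_ms):
        bucket = self.buckets.setdefault(srcip, [self.capacity, now_ms])
        credit, last = bucket
        credit = min(self.capacity, credit + (now_ms - last))  # refill by elapsed time
        if credit >= self.cost:
            bucket[:] = [credit - self.cost, now_ms]
            return "ACCEPT"           # hashlimit matched -> -j ACCEPT
        bucket[:] = [credit, now_ms]
        return "DROP"                 # no match -> falls through to the DROP rule


def run(packets):
    """packets: iterable of (time_ms, srcip). Returns {srcip: {"ACCEPT": n, "DROP": n}}."""
    limiter = HashLimit()
    stats = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})
    for t, ip in sorted(packets):
        stats[ip][limiter.decide(ip, t)] += 1
    return dict(stats)


def scenario():
    """Constructed traffic: one source sending 10 packets/s for a minute, the
    rate the post describes, and one client sending a packet every 5 s."""
    flood = [(i * 100, "198.51.100.7") for i in range(600)]
    client = [(i * 5000, "203.0.113.9") for i in range(12)]
    return run(flood + client)


if __name__ == "__main__":
    for ip, counts in scenario().items():
        print(ip, counts)
```

The flooding source gets its 20-packet burst plus roughly one packet every 1.2 s (50/min) and the rest is dropped, while the slow client is never touched.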

If you’re running Apache, you can also enable the mod_reqtimeout module. Its RequestReadTimeout directive sets timeouts for receiving the request headers and the request body from the client, so a connection that trickles a request in slowly is closed instead of holding a worker.

Hope this helps…