
I've got a lot of vulnerability scans via HTTP requests (trying to get /password.txt, etc.). Currently I use fail2ban to parse the Nginx access log to count 404s and ban attacker IP addresses. I'm wondering if it is possible to simply configure iptables to rate limit HTTP requests instead?

I tried something like this

iptables -I INPUT -p tcp --dport 2012 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j REJECT --reject-with icmp-host-unreachable

but apparently it does not work as expected. My guess is that the malicious HTTP requests are piped through a single persistent connection so the above iptables rule is not triggered.

So my question is: is it possible to rate limit HTTP requests in iptables, or should I stick with fail2ban? Thanks!

1 Answer


The problem is HTTP 1.1. You'll have to configure your web server to downgrade the connection to 1.0 in order to kill keepalive if you want this to work.

  • Thanks for the answer! So it confirmed my original suspicion. Unfortunately it is not OK to downgrade to HTTP/1.0. For most users we need to support keep-alive to keep latency down :( Commented Dec 3, 2010 at 23:53
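As an added example (not code from the question or the answer), this is the request-level counting the questioner currently delegates to fail2ban: it reads constructed nginx access-log lines and flags any client IP that produces five 404s inside a sliding 60-second window, the same thresholds as the iptables rule above. Because nginx logs every request on its own line, it sees requests that share one keep-alive connection, which is exactly what `-m recent` on `--state NEW` cannot do. The log lines, IPs and paths are constructed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed nginx "combined" access-log lines: one scanning client and one
# normal client. Each request gets its own line even when several requests
# travel over a single keep-alive connection.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2010:23:40:01 +0000] "GET /password.txt HTTP/1.1" 404 162 "-" "scanner"
203.0.113.7 - - [03/Dec/2010:23:40:02 +0000] "GET /passwd.txt HTTP/1.1" 404 162 "-" "scanner"
203.0.113.7 - - [03/Dec/2010:23:40:03 +0000] "GET /secret.txt HTTP/1.1" 404 162 "-" "scanner"
198.51.100.9 - - [03/Dec/2010:23:40:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "browser"
203.0.113.7 - - [03/Dec/2010:23:40:04 +0000] "GET /private/ HTTP/1.1" 404 162 "-" "scanner"
198.51.100.9 - - [03/Dec/2010:23:40:05 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "browser"
203.0.113.7 - - [03/Dec/2010:23:40:05 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "scanner"
"""

# $remote_addr - $remote_user [$time_local] "$request" $status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def offenders(lines, seconds=60, hitcount=5, status=404):
    """IPs with at least `hitcount` responses of `status` inside a sliding window
    of `seconds`; defaults mirror --seconds 60 --hitcount 5 of the iptables rule."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    flagged = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, code = parsed
        if code != status:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # drop hits that fell out of the window
        if len(window) >= hitcount and ip not in flagged:
            flagged.append(ip)
    return flagged
```

Running `offenders(SAMPLE_LOG.splitlines())` returns only the scanning client; the normal client's single 404 never reaches the threshold.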
