web-dev-qa-db-ja.com

IP接続を正しく制限する

この同じテーマについて多くの質問をしました。たとえば、 here および here。

答えは、私はこのようなルールを設定する必要があると言った:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

次に、次のように残りの追加を開始します。

# Dynamic Badguy List. Detect and DROP Bad IPs that try to access port 20000.
# Once they are on the BADGUY list then DROP all packets from them.

iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j LOG --log-prefix "Port 20000 BAD:" --log-level info
iptables -A INPUT -i eth0 -m recent --update --hitcount 5 --seconds 90000 --name BADGUY -j DROP
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 20000 -m recent --set --name BADGUY -j ACCEPT

私はこれを正確に行いましたが、IPごとに100個以上の接続を開くことができるIPもあります。IP接続を制限する適切な方法は何ですか?

特に興味があるのは:

tcp        0  75981 45.233.22.66:22     77.101.61.108:49746     ESTABLISHED
tcp        0  77442 45.233.22.66:22     77.101.61.108:49866     ESTABLISHED
tcp        0 106643 45.233.22.66:22     77.101.61.108:49662     ESTABLISHED
tcp        0  75826 45.233.22.66:22     77.101.61.108:49727     ESTABLISHED
tcp       97      0 45.233.22.66:22     77.101.61.108:50448     CLOSE_WAIT
tcp        0 105924 45.233.22.66:22     77.101.61.108:49798     ESTABLISHED
tcp        0  77441 45.233.22.66:22     77.101.61.108:49852     ESTABLISHED
tcp        0  77442 45.233.22.66:22     77.101.61.108:49813     ESTABLISHED
tcp        0  75223 45.233.22.66:22     77.101.61.108:49655     ESTABLISHED

そして

tcp        0  73838 45.233.22.66:22     212.252.97.90:24457     ESTABLISHED
tcp        0  73502 45.233.22.66:22     212.252.97.90:24101     ESTABLISHED
tcp        0  74848 45.233.22.66:22     212.252.97.90:24397     ESTABLISHED
tcp        0  70703 45.233.22.66:22     212.252.97.90:24315     ESTABLISHED
tcp        0  70620 45.233.22.66:22     212.252.97.90:24292     ESTABLISHED
tcp        0  73501 45.233.22.66:22     212.252.97.90:24362     ESTABLISHED
tcp        0  73500 45.233.22.66:22     212.252.97.90:24122     ESTABLISHED

これは、ヒットカウントルールが許可するはずの接続よりも多いようです。

ここにiptable vxnlがあります

Chain INPUT (policy ACCEPT 35537 packets, 4077701 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 1939108 97521172 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 flags:0x17/0x02 #conn src/32 > 2 reject-with tcp-reset
 1112785 217196313 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   69985  3510824 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255 LOG flags 0 level 6 prefix "Port 22 BAD:"
   69985  3510824 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            recent: UPDATE seconds: 90000 hit_count: 5 name: BADGUY side: source mask: 255.255.255.255
  217171 11052690 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 recent: SET name: BADGUY side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3258297 packets, 496362303 bytes)
    pkts      bytes target     prot opt in     out     source               destination
2
Vlark.Lopin

粘性のあるDDOS攻撃に対して提案されているiptablesルールセットソリューションは、次のスクリプトです。

#!/bin/sh
FWVER=0.01
#
# Vlark.Lopin rule set. Smythies 2016.09.18 Ver:0.01
#     Attempt to manage severe DDOS attack.
#     Port 20000 should only ever have 2 open
#     connections at a time. If more, ban them.
#
#     If too many SSH attempts, ban them.
#     DROP all other unsolicited input.
#     If ssh port has been moved, adjust rules
#     accordingly.
#
#     Requires a larger (1000) than default (100)
#     xt_recent table size.
#
#     See also:
#     http://askubuntu.com/questions/818524/correctly-limit-ip-connections
#     http://askubuntu.com/questions/808297/i-have-massive-attack-on-port-in-my-server
#     http://askubuntu.com/questions/817478/ip-tables-limit-connetion-per-ip-address-can-be-bypassed
#
#     run as Sudo
#

echo "Loading Vlark.Lopin rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Vlark.Lopin
EXTIF="eth0"
# Doug
#EXTIF="enp9s0"
UNIVERSE="0.0.0.0/0"

#Clearing any previous configuration
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
# Otherwise, I can not seem to delete it later on
$IPTABLES -F add-to-connlimit-list
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

# We want to force load the xt_recent module, so that we override the
# default maximum table size. We want 1000 whereas the default is 100.
# Note: It is unlikely that is needs to be 1000 forever. Once the
# bad guys give up, the attempts will become much less frequent, and
# the table size can probably be reduced to default.
# i.e. this force load segment can be commented out, and then it will
# autoload as required.
#
modprobe xt_recent ip_list_tot=1000

#######################################################################
# USER DEFINED CHAIN SUBROUTINES:
#
# add-to-connlimit-list
# To many connections from an IP address has been detected.
# Add the IP address to the bad guy list, and DROP the packet.
# If desired, comment out the log rule.
$IPTABLES -N add-to-connlimit-list
#$IPTABLES -A add-to-connlimit-list -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -m recent --set --name BADGUY_CONN
$IPTABLES -A add-to-connlimit-list -j LOG --log-prefix "CONNLIMIT_ADD:" --log-level info
$IPTABLES -A add-to-connlimit-list -j DROP

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
# More importantly, this check might prevent lingering packets from
# a forgotten legitimite connection from getting a valid user on the
# bad guy list
#
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT

# Not sure if this one is needed or not
#
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j LOG --log-prefix "IINVALID:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p tcp -m state --state INVALID -j DROP

# Allow any related traffic coming back to the server in.
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -m state --state ESTABLISHED,RELATED -j ACCEPT

# external interface, from any source, for any remaining ICMP traffic is valid
# Note: consider to not allow, as this is often how bad guys find you
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -j ACCEPT

# Secure Shell on port 22 (Change to whatever port you moved SSH to).
#
# Sometimes I uncomment the next line to simply disable external SSH access.
# Particulalry useful when I am rebooting often, thereby losing my current BADGUY table.
#$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE --dport 22 -j DROP

# Dynamic Badguy List. Detect and DROP Bad IPs that do password attacks on SSH.
# Once they are on the BADGUY list then DROP all packets from them.
# Sometimes make the lock time very long. Typically to try to get rid of coordinated attacks from China.
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds 90000 --name BADGUY_SSH -j LOG --log-prefix "SSH BAD:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 5 --seconds 90000 --name BADGUY_SSH -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 22 -m recent --set --name BADGUY_SSH -j ACCEPT

# Port 20000. Limit to 2 connections per IP address.
# Otherwise ban them.
# Note: The logging is useful for debugging, but might overwhelm the log files. Comment out the logging rule as required.
#
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN -j LOG --log-prefix "CONNLIMIT:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -m recent --update --hitcount 1 --seconds 90000 --name BADGUY_CONN -j DROP
$IPTABLES -A INPUT -p tcp --dport 20000 -m connlimit --connlimit-above 2 -j add-to-connlimit-list
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 20000 -j ACCEPT

# port 4 is needed. (Consider doing it the same as the SSH port).
# If UDP is needed, then add it.
#
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 4 -j ACCEPT

# O.K. at this point, we will DROP the packet, however some will be dropped without logging just to make the log file
# less cluttered.
#
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 33434 -j DROP
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j DROP

# If your log file is too cluttered, consdier to comment out this log rule.
# It is useful for debugging, but might overwhlem your log files.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j LOG --log-prefix "ICATCH:" --log-level info
# With a default policy of DROP, the following rule isn't actually neeeded.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j DROP

echo Vlark.Lopin rule set version $FWVER done.

このスクリプトをデバッグし、起動時に自動でロードするようにしたい場合は、/etc/network/intefacesファイルに事前設定ディレクティブを追加します。ここに例として私のファイルがあります:

# interfaces file for smythies.com 2016.01.30
#       attempt to set local DNS herein, as the method
#       used with the old 12.04 server no longer works.
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up /home/doug/init/doug_firewall
dns-nameservers 127.0.0.1

# The primary interface (d-link PCI card)
auto enp4s0
iface enp4s0 inet dhcp

# Local network interface (uses built in ethernet port)
auto enp2s0
iface enp2s0 inet static
  address 192.168.111.1
  network 192.168.111.0
  netmask 255.255.255.0
  broadcast 192.168.111.255

スクリプトファイルの権限は次のとおりです。

$ ls -l /home/doug/init/doug_firewall
-rwxr-xr-x 1 doug doug 61703 Aug 27 15:55 /home/doug/init/doug_firewall

または755。

1
Doug Smythies