Linux command to prevent DoS attack by using netstat and iptables

Well, you cannot prevent DDoS, and 200 requests is rather trivial.

Best you can do, IMO, is to set limits:

sudo iptables -A INPUT -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -j REJECT

For port 80, use

sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
sudo iptables -A INPUT -j REJECT

You should be able to adjust those limits to your server.

See: http://blog.bodhizazen.com/linux/prevent-dos-with-iptables/
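
Added example, not part of the original answer: the per-IP count from the question's netstat pipeline, redone with an exact match on the local port so that LISTEN sockets, port 8080 and outbound connections to a remote port 80 (all of which `grep :80` matches) are excluded. It counts open connections rather than requests and only prints the iptables commands; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       ESTABLISHED
tcp        0      0 192.0.2.10:44321        203.0.113.80:80         ESTABLISHED
EOF
}

# conn_counts PORT: read netstat output on stdin and print "COUNT IP" for each
# remote IPv4 address connected to local PORT, highest count first.
conn_counts() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, l, ":")          # local address, port is the last part
            if (l[n] != port) next         # exact match: 8080 and remote :80 are skipped
            m = split($5, r, ":")          # remote address
            if (m != 2 || r[1] !~ /^[0-9.]+$/) next   # IPv4 only in this example
            count[r[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# block_rules PORT THRESHOLD: print (do not run) one DROP rule for each remote
# IP holding more than THRESHOLD connections to PORT.
block_rules() {
    conn_counts "$1" |
        awk -v t="$2" '$1 > t { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Demo on the constructed sample with a threshold of 2 connections.
sample_netstat | block_rules 80 2
```

On a live host the input would be `netstat -ant | block_rules 80 200`, with the printed rules reviewed before they are applied.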

Author by

Morteza Soltanabadiyan

Updated on September 18, 2022

Comments

  • Morteza Soltanabadiyan
    Morteza Soltanabadiyan over 1 year

    I want to DROP more than 200 requests per IP to prevent a DDoS attack. This is the command that I used to detect the request count per IP:

    netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr
    

    Now I want to add all IP addresses that made more than 200 requests into iptables to DROP input and output.

    • Admin
      Admin about 10 years
      You realize that the point of a DDoS is that the requests come from so many different addresses that you can't block them, rather than loads from a few addresses, and that any but the most simple attacks will still send the incoming traffic to saturate your downlink, whether you reply or not?
    • Admin
      Admin about 7 years
      I think your command lists open parallel connections to port 80 per IP address. That's not the same as request count per IP (over some time), but admittedly still a useful metric once your server has started to slow down and requests keep queuing up.
  • ThisIsNotAnId
    ThisIsNotAnId about 5 years
    Are we supposed to use both sets of commands? Sorry if it's a basic question, I'm completely new and have no idea what I'm doing.