Created July 12, 2015 20:46
Gist jackygurui/c07840938e2377682972
UFW firewall limits for HTTP and HTTPS
```
# Fragment for /etc/ufw/before.rules (ufw-before-input is UFW's own chain).
# The two custom chains must exist before the rules below reference them; in
# before.rules they belong with the other ":ufw-before-..." declarations at the
# top of the *filter section. They are included here so the fragment loads as-is.
:ufw-http - [0:0]
:ufw-http-logdrop - [0:0]

### Start HTTP ###
# Enter rule
-A ufw-before-input -p tcp --dport 80 -j ufw-http
-A ufw-before-input -p tcp --dport 443 -j ufw-http
# Limit connections per Class C: more than 50 connections from one /24 is logged and dropped
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop
# Limit connections per IP: more than 20 new connections from one address within 10 seconds is logged and dropped
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop
# Limit packets per IP -- not working
# (likely cause: xt_recent remembers ip_pkt_list_tot=20 packets per address by default,
#  so --hitcount 30 is rejected when the rule loads unless that module parameter is raised)
#-A ufw-http -m recent --name pack_per_ip --set
#-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 30 -j ufw-http-logdrop
# DDOS: packets within 100/sec per source (burst 30) are accepted; anything faster
# falls through to the LOG and DROP below. Note that this LOG is not rate limited,
# and the prefix has no trailing space, so the log line reads "[UFW DDOS DROP]IN=...".
-A ufw-http -m hashlimit --hashlimit 100/sec --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-name apache_DDOS --hashlimit-htable-expire 30000 --hashlimit-htable-max 65535 -j ACCEPT
-A ufw-http -j LOG --log-prefix "[UFW DDOS DROP]"
-A ufw-http -j DROP
# Finally accept (never reached: every packet is already accepted or dropped by the hashlimit rules above)
-A ufw-http -j ACCEPT
# Log: rate limited so a flood cannot also flood syslog
-A ufw-http-logdrop -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
-A ufw-http-logdrop -j DROP
### End HTTP ###
```
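The rules above only log; to see which sources are actually hitting the limits, the kernel log has to be parsed. This is an added example, not part of the gist: it reads lines carrying the two LOG prefixes from the rules (`[UFW HTTP DROP] ` and `[UFW DDOS DROP]`, the latter with no trailing space) and counts drops per source address. The sample log lines are constructed in the standard iptables LOG format, and the hostname `web` and the addresses are invented.

```python
import re
from collections import Counter

# Matches either drop prefix from the rules, then the SRC= and DPT= fields that the
# iptables LOG target writes. "\s*" rather than "\s+" after the bracket is deliberate:
# the DDOS prefix has no trailing space, so it is logged as "[UFW DDOS DROP]IN=...".
LINE_RE = re.compile(
    r"\[UFW (?P<kind>HTTP|DDOS) DROP\]\s*.*?\bSRC=(?P<src>[0-9a-fA-F.:]+)\b"
    r".*?\bDPT=(?P<dpt>\d+)\b"
)

# Constructed sample lines (not real logs) in the shape kern.log/syslog records them.
SAMPLE_LOG = """\
Jul 12 20:46:01 web kernel: [UFW HTTP DROP] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 12 20:46:02 web kernel: [UFW HTTP DROP] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN URGP=0
Jul 12 20:46:02 web kernel: [UFW DDOS DROP]IN=eth0 OUT= MAC=... SRC=203.0.113.77 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=40000 DPT=80 ACK URGP=0
Jul 12 20:46:03 web kernel: [UFW BLOCK] IN=eth0 OUT= MAC=... SRC=192.0.2.9 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=1234 DPT=22 SYN URGP=0
Jul 12 20:46:04 web kernel: [UFW HTTP DROP] IN=eth0 OUT= MAC=... SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51002 DPT=80 SYN URGP=0
"""


def parse_drops(text):
    """Return (kind, src, dport) for every line logged by the HTTP/DDOS drop rules.
    Other UFW lines (e.g. the default "[UFW BLOCK]") are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append((m.group("kind"), m.group("src"), int(m.group("dpt"))))
    return hits


def drops_per_source(text):
    """Count dropped packets per (source address, which rule set dropped it)."""
    counts = Counter()
    for kind, src, _ in parse_drops(text):
        counts[(src, kind)] += 1
    return counts


def noisy_sources(text, threshold=2):
    """Sources whose total drops reach the threshold, most-dropped first."""
    totals = Counter(src for _, src, _ in parse_drops(text))
    return [(src, n) for src, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    for (src, kind), n in sorted(drops_per_source(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:5} {n}")
```

Because the `[UFW HTTP DROP]` LOG rule is itself limited to 3/min, the counts understate the real number of dropped packets from a busy source.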