I see many HTTP DDoS requests to my server as serverIP:80. Is it possible to block all incoming requests to myServerIP:Port?
Are you running a webserver or not, and if yes, which one? What are you seeing? It is normal to get probes. – Rui F Ribeiro Nov 15 '15 at 09:26
Yes, I use Apache+nginx, and cPanel. I want to block only forwarded HTTP requests to the server IP (without a domain name). – user2601969 Nov 15 '15 at 10:23
If the one at the front is Apache, see my answer below about mod_evasive. As for HTTP requests without a domain name, I cannot tell whether it is brilliant or dumb. What will happen if you block requests without a domain automatically, and then legitimate requests arrive once without domains, and are blocked immediately? That will be a tough one to debug. I will complete the answer below now. – Rui F Ribeiro Nov 15 '15 at 10:29
Blocking requests without domains will help me, because the domains use Cloudflare :) – user2601969 Nov 15 '15 at 11:03
If you have a Cloudflare frontend, find out which attributes they set on the request and use mod_security as I am suggesting below. You can also only permit their networks in iptables to reach port 80; however, that is bound to give you problems over time. – Rui F Ribeiro Nov 15 '15 at 11:06
Better yet, you can block them in Apache or nginx. – Rui F Ribeiro Nov 15 '15 at 11:08
2 Answers
To answer the question:
iptables -A INPUT -p tcp --dport 80 -j DROP
You might want to use REJECT instead of DROP.
But, what's the point of the webserver listening on port 80 then?
@RuiFRibeiro But that gives a hint that there is something interesting on that port, just not accessible - assuming other ports are not iptabled. Of course, better solution is to make DROP your default policy. – Radovan Garabík Nov 15 '15 at 09:51
The suggestion about making DROP the default policy is a very good one. However, if I am blocking a port, I do prefer not to give hints; that is the whole point of it. The Internet is a much wilder place nowadays. – Rui F Ribeiro Nov 15 '15 at 09:54
It blocks all connections to port 80, but I want to block only HTTP connections to the server IP (without domain names). – user2601969 Nov 15 '15 at 10:24
@user2601969 But unless your setup is somewhat weird, HTTP **means** the port 80. And I do not think you want layer 7 filtering... – Radovan Garabík Nov 16 '15 at 16:56
If you are running a webserver, what you need are mitigating measures.
Apache, for instance, has mod_evasive, which I use at work.
At home I just do not bother with most active measures, and just bind all the services to the internal network, including ssh, and I disable pings. The only way to get in from the outside is through VPN.
If you were not running a webserver, block it using iptables as the other answer suggests.
I would not bother too much about probes.
Another thing more appropriate for inspecting HTTP requests and acting on them is ModSecurity, which is probably what you want.
It is a layer 7 stateful firewall for all intents and purposes, and it has a very flexible language that lets you do the sort of things you are after. I use it too to mitigate attacks on WordPress, Joomla and Drupal vhosts.
I will leave you the link
Another approach is to allow the Cloudflare ranges and block all other requests at the web server level.
Cloudflare ranges:
IPv4
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 199.27.128.0/21
IPv6
2400:cb00::/32 2405:8100::/32 2405:b500::/32 2606:4700::/32 2803:f800::/32
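The "allow Cloudflare, refuse everything else at the web server" approach from the answer above, written out as an added example (not the answerer's configuration). It assumes nginx is the server facing port 80 (the asker runs Apache+nginx under cPanel); example.com and the file paths are placeholders, and the ranges are the ones listed in the answer.

```nginx
# Added example, not from the original answer. Two rules as nginx configuration:
#  1. requests for the bare server IP, or for any Host that matches no
#     server_name, land in the catch-all default_server and get the
#     connection closed (status 444, no response sent);
#  2. the named vhost accepts connections only from the Cloudflare ranges
#     listed in the answer, so hits that bypass Cloudflare are refused (403).
# example.com, the log path and the root path are placeholders.
http {
    # Catch-all: http://<serverIP>/ and unknown Host headers end up here.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        access_log /var/log/nginx/bare-ip.log;   # keep a trace of the probes
        return 444;                              # close without a response
    }
    # Only Cloudflare's edge may reach the named vhost.
    server {
        listen 80;
        listen [::]:80;
        server_name example.com www.example.com;
        # Cloudflare IPv4 ranges from the answer above
        allow 103.21.244.0/22;
        allow 103.22.200.0/22;
        allow 103.31.4.0/22;
        allow 104.16.0.0/12;
        allow 108.162.192.0/18;
        allow 141.101.64.0/18;
        allow 162.158.0.0/15;
        allow 172.64.0.0/13;
        allow 173.245.48.0/20;
        allow 188.114.96.0/20;
        allow 190.93.240.0/20;
        allow 197.234.240.0/22;
        allow 198.41.128.0/17;
        allow 199.27.128.0/21;
        # Cloudflare IPv6 ranges from the answer above
        allow 2400:cb00::/32;
        allow 2405:8100::/32;
        allow 2405:b500::/32;
        allow 2606:4700::/32;
        allow 2803:f800::/32;
        deny all;                                # everyone else gets 403
        root /var/www/example.com;
    }
}
```

With this in place the access logs show Cloudflare's addresses rather than the client's; add `real_ip_header CF-Connecting-IP;` together with matching `set_real_ip_from` entries if rate limiting or mod_evasive-style tooling needs the real client address. The list above is the one the answer gave in 2015, so compare it with Cloudflare's current published ranges before deploying.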