This is a personal reminder post.
The easiest attack one can perform on a web server is to open as many connections as possible and then do nothing with them. Fortunately iptables has a “connlimit” module to defend against this. If you’re using ufw like me, you’ll want to add the rules through ufw’s own files so its integration keeps working.

In the `/etc/ufw/before.rules` file, after these lines:
```
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End of required lines
```
You can add this to limit the number of concurrent connections:
```
# Limit to 10 concurrent connections on port 80 per IP
-A ufw-before-input -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j DROP
```
And this to limit the rate of new connections:
```
# Limit to 20 connections on port 80 per 2 seconds per IP
-A ufw-before-input -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
-A ufw-before-input -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 2 --hitcount 20 -j DROP
```
This second pair of rules might cause issues with HTTP clients that don’t support keep-alive (are there any left?), since such a client opens a new connection for every object on a page.
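To make the two thresholds concrete, here is a small Python model (added here, not code from the post or from netfilter) that replays constructed client behaviour against the rules above: a client that holds idle connections open, and a client without keep-alive fetching a page with many assets, the case the keep-alive remark is about. The simplified connlimit/recent semantics in the docstring, the client address and the function names are all assumptions of this example.

```python
"""Simplified model of the two ufw rules above (added example, not code from
the post or from netfilter). Assumed semantics: connlimit drops a SYN once the
source has 10 open connections; `recent --set` stamps every NEW attempt and
`recent --update --seconds 2 --hitcount 20` drops when 20+ stamps fall in the
last 2 s, stamping again when it matches. Conntrack details are ignored."""
from collections import defaultdict

CONNLIMIT_ABOVE = 10      # --connlimit-above 10
RECENT_SECONDS = 2.0      # --seconds 2
RECENT_HITCOUNT = 20      # --hitcount 20
CLIENT = "198.51.100.7"   # constructed client address (TEST-NET-2 range)


def simulate(events):
    """events: time-ordered (time_s, src_ip, "syn" | "fin") tuples. Returns
    (time_s, src_ip, verdict) per SYN: accept, drop:connlimit or drop:recent."""
    open_conns = defaultdict(int)   # concurrent connections per source
    stamps = defaultdict(list)      # recent-module timestamps per source
    verdicts = []
    for t, ip, kind in events:
        if kind == "fin":
            open_conns[ip] = max(0, open_conns[ip] - 1)
            continue
        if open_conns[ip] >= CONNLIMIT_ABOVE:   # rule 1, appended first
            verdicts.append((t, ip, "drop:connlimit"))
            continue
        stamps[ip].append(t)                    # rule 2a: -m recent --set
        hits = sum(1 for s in stamps[ip] if t - s <= RECENT_SECONDS)
        if hits >= RECENT_HITCOUNT:             # rule 2b: --update ... -j DROP
            stamps[ip].append(t)                # --update stamps when it matches
            verdicts.append((t, ip, "drop:recent"))
            continue
        open_conns[ip] += 1
        verdicts.append((t, ip, "accept"))
    return verdicts


def idle_connections(n, gap_s=0.5):
    """One client opens n connections and never closes them (constructed)."""
    return simulate([(i * gap_s, CLIENT, "syn") for i in range(n)])


def no_keepalive_page_load(n_assets, gap_s=0.05):
    """A client without keep-alive fetches n_assets objects, one short-lived
    connection each (constructed): the case the keep-alive remark is about."""
    events = []
    for i in range(n_assets):
        events.append((i * gap_s, CLIENT, "syn"))
        events.append((i * gap_s + 0.02, CLIENT, "fin"))
    return simulate(events)
```

With the post's numbers, 15 idle connections get 10 accepted and 5 dropped by connlimit, while a 30-asset page without keep-alive has its 20th and later requests dropped by the recent rule even though only one connection is ever open at a time.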
If you want to run some benchmarks (with ApacheBench, for example), you need to enable keep-alive and set the maximum number of keep-alive requests per connection very high (or unlimited).

In the Apache config it is set with: