B Prevent Denial-of-Service Attacks

Use a script to configure input rules for the iptables service to watch for and prevent Denial-of-Service (DoS) attacks on STA.

Note:

This procedure is optional and is provided as information only. Site security must be handled by a qualified security administrator.

The script defines input rules for the iptables service to block hosts based on any of the following criteria:

  • Ethernet interface
  • Ethernet protocol
  • Port number
  • Maximum number of requests within a specified time period

For STA, Oracle recommends attaching rules to UDP port 162 (the port on which SNMP traps are received) and on the ports you have defined for the STA managed servers. See the STA Installation and Configuration Guide for details about the ports.

  1. Configure and verify the library connections on STA. See the STA Installation and Configuration Guide for details on testing the SNMP connection.

  2. Log in to the STA server as the system root user.

  3. Copy the contents of the following script example into a text editor.

    #!/bin/sh
    # The name of the iptables chain
    CHAIN=INPUT
    # The Ethernet interface to watch for attacks
    INTERFACE=eth0
    # The port number to watch for attacks
    PORT=80
    # The protocol (tcp or udp)
    PROTO=tcp
    # A host that sends HITS requests within TIME seconds will be blocked
    HITS=8
    TIME=60
    # Log filtered IPs to file; add a syslog rule for kernel warnings if none exists yet
    touch /var/log/iptables.log
    grep iptables /etc/syslog.conf 1>/dev/null 2>&1
    if [ $? -ne 0 ]; then
        echo "kern.warning /var/log/iptables.log" >> /etc/syslog.conf
        /etc/init.d/syslog restart
    fi
    # Undo any previous chaining for this combination of chain, proto, hits, and time
    # (deletes rules from the top of the chain until none are left)
    /sbin/iptables -L $CHAIN | grep $PROTO | grep $HITS | grep $TIME 1>/dev/null 2>&1
    if [ $? -eq 0 ]; then
        R=0
        while [ $R -eq 0 ]; do
            /sbin/iptables -D $CHAIN 1 1>/dev/null 2>&1
            R=$?
        done
    fi
    # Logging rule
    /sbin/iptables --append $CHAIN --jump LOG --log-level 4
    # Interface rule: record each new connection to the port from the watched interface
    /sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --set
    # Blocking rule: drop a source that has reached HITS new connections within TIME seconds
    /sbin/iptables --insert $CHAIN --proto $PROTO --dport $PORT --in-interface $INTERFACE --match state --state NEW --match recent --update --seconds $TIME --hitcount $HITS --jump DROP
    
  4. Modify the following variables as appropriate for your environment.

    • INTERFACE—Ethernet interface to watch for attacks (eth0, for example)

    • PROTO—Ethernet protocol to watch for attacks (tcp or udp, in lowercase as the script expects)

    • PORT—Port number to watch for attacks

    • HITS and TIME—Specify reasonable values for the number of requests (HITS) within a given time period, in seconds (TIME). Any host that exceeds the number of requests within the specified time period is blocked from further connections for the remainder of the period.

  5. Save the script and execute it. The new rules are added to the iptables service and take effect immediately.

  6. Verify that STA is still successfully monitoring your libraries.
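The following script is an added example, not the script from the STA guide. It builds the same "recent"-module rate limit as steps 3 through 5, but in a dedicated chain so the INPUT chain does not have to be emptied, logs only the sources being dropped, and prints the iptables commands for review unless APPLY=1 is set in the environment. The defaults match the STA recommendation for UDP port 162 (SNMP traps); the chain name STA_DOS, the interface eth0, and the log rate limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle STA guide): rate-limit new connections to
# one port with the iptables "recent" match, in a dedicated chain.
# Chain name, interface and log limit are assumptions; adjust to your site.
set -eu

CHAIN=STA_DOS        # assumed chain name; also used as the recent-list name
INTERFACE=eth0       # assumed interface
PROTO=udp            # tcp or udp (lowercase)
PORT=162             # SNMP trap port recommended for STA
HITS=8               # new connections ...
TIME=60              # ... within this many seconds triggers the block

# Reject values the iptables matches would not accept (lowercase proto,
# numeric port and counters). Returns 1 on the first bad value.
validate_args() {
    iface=$1 proto=$2 port=$3 hits=$4 secs=$5
    case $proto in tcp|udp) ;; *) echo "PROTO must be tcp or udp" >&2; return 1;; esac
    for n in "$port" "$hits" "$secs"; do
        case $n in ''|*[!0-9]*) echo "non-numeric value: $n" >&2; return 1;; esac
    done
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ -n "$iface" ] || { echo "INTERFACE is empty" >&2; return 1; }
}

# Print the iptables commands for one chain/interface/protocol/port tuple.
# Arguments: chain interface proto port hits seconds
sta_dos_rules() {
    chain=$1 iface=$2 proto=$3 port=$4 hits=$5 secs=$6
    # Create the chain, or empty it if it already exists (safe to re-run).
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Log a source that has already reached HITS new connections in TIME
    # seconds; --rcheck adds no timestamp, and -m limit caps the log volume.
    echo "iptables -A $chain -m state --state NEW -m recent --name $chain --rcheck --seconds $secs --hitcount $hits -m limit --limit 5/minute -j LOG --log-level 4 --log-prefix \"$chain drop $proto/$port: \""
    # Drop the same source; --update refreshes its timestamp, so the block
    # lasts as long as it keeps retrying.
    echo "iptables -A $chain -m state --state NEW -m recent --name $chain --update --seconds $secs --hitcount $hits -j DROP"
    # Record every other new connection so it counts toward HITS.
    echo "iptables -A $chain -m state --state NEW -m recent --name $chain --set"
    # Hook the chain into INPUT for this port only; remove an earlier hook
    # first so repeated runs do not stack duplicate jumps.
    echo "iptables -D INPUT -i $iface -p $proto --dport $port -j $chain 2>/dev/null || true"
    echo "iptables -I INPUT -i $iface -p $proto --dport $port -j $chain"
}

# Show the sources the kernel is currently tracking for this chain (root only).
show_tracked() {
    cat "/proc/net/xt_recent/$1" 2>/dev/null || echo "no recent list named $1 (rules not applied?)"
}

validate_args "$INTERFACE" "$PROTO" "$PORT" "$HITS" "$TIME"
if [ "${APPLY:-0}" = 1 ]; then
    sta_dos_rules "$CHAIN" "$INTERFACE" "$PROTO" "$PORT" "$HITS" "$TIME" | sh -e
    show_tracked "$CHAIN"
else
    sta_dos_rules "$CHAIN" "$INTERFACE" "$PROTO" "$PORT" "$HITS" "$TIME"
fi
```

Run it once without APPLY to read the generated rules, then as root with APPLY=1 to install them; /proc/net/xt_recent/STA_DOS lists the tracked source addresses and their hit timestamps, which is the quickest way to confirm the rules are seeing traffic before checking that STA still receives traps. Because the jump from INPUT is limited to the watched interface, protocol and port, the rest of the INPUT chain is left untouched.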