Nginx – Is it possible to rate limit HTTP requests with iptables

fail2baniptablesnginx

I've got a lot of vulnerability scans via HTTP requests (trying to get /password.txt, etc). Currently I use fail2ban to parse Nginx access log to count 404's and ban attacker ip addresses. I'm wondering if it possible to simply configure iptables to rate limit HTTP requests instead?

I tried something like this

iptables -I INPUT -p tcp --dport 2012 -i eth0 -m state --state NEW -m recent  --updat…e --seconds 60 --hitcount 5 -j REJECT --reject-with icmp-host-unreachable

but apparently it does not work as expected. My guess is that the malicious HTTP requests are piped through a single persistent connection so the above iptables rule is not triggered.

So my question is: is it possible to rate limit HTTP requests in iptables, or I should stick with fail2ban? Thanks!

Best Answer

The problem is HTTP 1.1. You'll have to configure your web server to downgrade the connection to 1.0 in order to kill keepalive if you want this to work.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Linux – Should I rate-limit packets with iptables

A rate limit is not a prevention but rather an invitation to DoS - especially in the flavor presented above where packets are going to be dropped if a certain rate of unauthenticated packets without state information has been exceeded. Since everybody can forge packets (including source IP addresses) at this connection state without greater effort, a new DoS attack vector leveraging your rate limit facility will arise.

A rate limit generally will only make sense if you have

either a predictable hard or a soft connection limit in your configuration
set the rate limit for general traffic below this limit in order to be able to set up connections for priority or administrative traffic regardless of the load

While 1. often is hard enough to determine to even bother, 2. will obviously only work if you are able to reliably differentiate "priority or administrative" traffic from the rest upon connection setup - e.g. if it is coming through a different network interface.

In other cases, it would rather reduce your system's resiliency than add to it.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Linux – Should I rate-limit packets with iptables

Related Topic