I've got a lot of vulnerability scans via HTTP requests (trying to get /password.txt, etc.). Currently I use fail2ban to parse the Nginx access log to count 404s and ban attacker IP addresses. I'm wondering if it is possible to simply configure iptables to rate limit HTTP requests instead?
I tried something like this
iptables -I INPUT -p tcp --dport 2012 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j REJECT --reject-with icmp-host-unreachable
but apparently it does not work as expected. My guess is that the malicious HTTP requests are piped through a single persistent connection so the above iptables rule is not triggered.
So my question is: is it possible to rate limit HTTP requests in iptables, or should I stick with fail2ban? Thanks!
Best Answer
The problem is HTTP 1.1. You'll have to configure your web server to downgrade the connection to 1.0 in order to kill keepalive if you want this to work.
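To make the answer concrete, here is an added simulation (not code from the question or the answer) of what the `-m recent --seconds 60 --hitcount 5` rule actually counts. The `recent` module sees TCP connection attempts (SYNs), not HTTP requests, so one persistent HTTP/1.1 connection carrying fifty scanner requests registers a single hit, while the same fifty requests sent with keepalive disabled register fifty. The event lists, IP addresses and paths below are constructed sample traffic, and `RecentMatch` is a simplified model of the module (the real rule set also needs a `-m recent --set` rule so addresses get recorded; the simplification here is that a hit is recorded and the count checked in one step).

```python
from collections import defaultdict, deque

class RecentMatch:
    """Simplified model of `iptables -m recent --update --seconds N --hitcount M`.

    Every new TCP connection (SYN) from a source address is one hit.  The rule
    matches, and the SYN is REJECTed, once the source has M or more hits within
    the last N seconds.  Hits older than the window are forgotten.
    """

    def __init__(self, seconds=60, hitcount=5):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)  # src_ip -> timestamps of recent SYNs

    def new_connection(self, src, now):
        """Record a SYN from `src` at time `now`; return True if it is rejected."""
        q = self.hits[src]
        while q and now - q[0] > self.seconds:   # expire hits outside the window
            q.popleft()
        q.append(now)
        return len(q) >= self.hitcount


def count_blocked_requests(requests, keepalive, seconds=60, hitcount=5):
    """Count how many HTTP requests the SYN-level rule would stop.

    requests:  list of (timestamp, src_ip, path), sorted or not.
    keepalive: True  -> HTTP/1.1 default: a source reuses one persistent
                        connection, so only its first request causes a SYN.
               False -> HTTP/1.0 / Connection: close: every request is a new
                        TCP connection and therefore a new SYN.
    """
    matcher = RecentMatch(seconds, hitcount)
    open_conns = set()  # sources whose persistent connection was already accepted
    blocked = 0
    for ts, src, _path in sorted(requests):
        if keepalive and src in open_conns:
            continue  # rides the existing connection; iptables never sees a SYN
        if matcher.new_connection(src, ts):
            blocked += 1
        elif keepalive:
            open_conns.add(src)
    return blocked


# Constructed scanner traffic: 10 probes from one address within 4.5 seconds.
SCAN = [(i * 0.5, "203.0.113.7", p) for i, p in enumerate([
    "/password.txt", "/.env", "/wp-login.php", "/admin", "/.git/config",
    "/backup.zip", "/config.php", "/phpmyadmin/", "/.htpasswd", "/db.sql",
])]

# Constructed legitimate traffic: one browser fetching a page with 8 assets.
PAGE_LOAD = [(i * 0.1, "198.51.100.20", f"/static/asset{i}.css") for i in range(8)]

if __name__ == "__main__":
    print("scan, keepalive on :", count_blocked_requests(SCAN, keepalive=True))
    print("scan, keepalive off:", count_blocked_requests(SCAN, keepalive=False))
    print("page load, keepalive off:", count_blocked_requests(PAGE_LOAD, keepalive=False))
```

With keepalive on, the scanner's ten probes produce one SYN and nothing is rejected, which is the behaviour the question describes. With keepalive off (in Nginx, `keepalive_timeout 0;` turns it off), the fifth and later connections are rejected. The third case is the caveat: a normal browser fetching eight assets over separate connections trips the same rule, because the rule limits connections per source, not bad requests. That is why a log-driven tool such as fail2ban, which can key on the 404s themselves, remains the more precise option.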