Security – Rate limiting with UFW: setting limits

brute-force-attacksfirewallrate-limitingSecurityufw

UFW's man page mentions that it can setup iptables rate limiting for me:

ufw supports connection rate limiting, which is useful for
protecting
against brute-force login attacks. ufw will deny connections if an IP
address has attempted to initiate 6 or more connections in the last 30
seconds. See http://www.debian-administration.org/articles/187 for
details. Typical usage is:
     ufw limit ssh/tcp

Unfortunately this is all the documentation that I could find. I would like to stick with UFW, and not use more complicated iptables commands (to keep things "uncomplicated").

How would I use ufw to limit all incoming (so not outgoing) traffic on port 80 to 20 connections per 30 seconds? How would I disable rate limiting for ports 30000 to 30005? Is rate limiting enabled by default for all ports?

Best Answer

UFW is designed to be "uncomplicated," which in this case means you don't have control over the particulars of the rate to which connections are limited. If you want to dig into the Python source of UFW, you could find out how to tweak it. The appropriate information is (on my Ubuntu 10.04 system) in /usr/share/pyshared/ufw/backend_iptables.py

Setting the timing issue aside, therefore, here are some answers to your rapid-fire questions at the end.

Assuming 10.10.10.0/24 is your local network, this applies the default limiting rule to port 80/tcp incoming:
```
ufw limit from any to 10.10.10.0/24 port http comment 'limit web'
```
and 3. Rate limiting is not turned on by default. To add it to every (destination) port except the range you want, use this rule. Note that rules (even with ranges) are atomic units and cannot be split up. You cannot, for example, add a rule for any port, then delete a (nonexistent) rule for a particular range to remove it. limit is not an acceptable argument to ufw default, either.
```
ufw limit from any to any port 0:29999,30006:65535
```

Related Solutions

Debian – Use iptables rate limiting to temporarily block FTP server brute-force attempts

iptables -A INPUT -p tcp -m state --state NEW --dport 21 -m recent --name ftpattack --set
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix 'FTP REJECT: '
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --name ftpattack --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset

these rules near or at the top of your ruleset will allow only three connections to port 21, from any given IP address, in a rolling 60-second window. To allow n, use --hitcount n+1; to use a bigger window than 60 seconds, increase --seconds 60.

Linux – Should I rate-limit packets with iptables

A rate limit is not a prevention but rather an invitation to DoS - especially in the flavor presented above where packets are going to be dropped if a certain rate of unauthenticated packets without state information has been exceeded. Since everybody can forge packets (including source IP addresses) at this connection state without greater effort, a new DoS attack vector leveraging your rate limit facility will arise.

A rate limit generally will only make sense if you have

either a predictable hard or a soft connection limit in your configuration
set the rate limit for general traffic below this limit in order to be able to set up connections for priority or administrative traffic regardless of the load

While 1. often is hard enough to determine to even bother, 2. will obviously only work if you are able to reliably differentiate "priority or administrative" traffic from the rest upon connection setup - e.g. if it is coming through a different network interface.

In other cases, it would rather reduce your system's resiliency than add to it.

Best Answer

Related Solutions

Debian – Use iptables rate limiting to temporarily block FTP server brute-force attempts

Linux – Should I rate-limit packets with iptables

Related Topic