ssh – Using iptables to prevent SSH brute-force attacks and DDoS attacks

Tags: brute-force-attacks, ddos, iptables, security, ssh

I have the following lines at the very top of iptables; they are used to prevent SSH brute-force attacks and DDoS attacks:

[image: iptables segment to prevent SSH brute force attacks and DDOS attacks]

What bothers me here is "name: DEFAULT" in all three; I am just wondering whether they will all work or whether one will overwrite another. Any idea how to test it?

Also, I am using Nginx as a reverse proxy for Apache. Am I correct in using ports 80 and 443 here (i.e. the ones that Nginx is running on), or should I use the Apache ports 7080 and 7081 in iptables?

This is running on a VPS with Plesk Onyx and Ubuntu 14.04.

Thanks for your help!


Here are the commands that I used to add these lines to iptables:

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -m state --state NEW -m recent --update --seconds 5 --hitcount 20 -j DROP
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
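
The "name: DEFAULT" question can be answered without touching the VPS. The following is an added example, not code from the question or from the answer below: a small model of netfilter's `recent` match, with the semantics of xt_recent.c (`--set` records a timestamp for the source address in the named list; `--update --seconds S --hitcount H` matches only when the address is already listed with at least H timestamps inside the last S seconds, and records a new timestamp only when it matches). It installs the six commands above with `-I` (so the chain ends up in reverse order of typing) and runs two constructed traffic traces through them, once with the shared DEFAULT list and once with a separate list per service. The `--name WEB` / `--name SSH` values, the RFC 5737 test addresses and the timings are my choices; the `-i eth0` interface match and the packet-list size tuning are simplified away. What it shows: the three rule pairs do not overwrite each other, but because they share one per-address counter, six ordinary HTTPS connections in a minute are enough to make the port-22 rule drop that client's SSH connection.

```python
# Added example (not code from the question or the answer): a small model of
# netfilter's "recent" match, used to check what happens when all three rule
# pairs share the DEFAULT list versus using a separate --name per service.
# Semantics follow xt_recent.c: "--set" records a timestamp for the source
# address; "--update --seconds S --hitcount H" matches only if the address is
# already listed with at least H timestamps inside the last S seconds, and
# records a new timestamp only when it matches. The interface filter (-i eth0)
# and the clock are simplified; all packets and addresses below are constructed.
from collections import deque
from dataclasses import dataclass

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address


@dataclass(frozen=True)
class Rule:
    dport: int
    action: str            # "set" or "update"
    name: str = "DEFAULT"  # the recent list, i.e. --name (DEFAULT when omitted)
    seconds: int = 0
    hitcount: int = 0
    target: str = ""       # "" means no -j, so a match is non-terminating


class RecentTables:
    """One timestamp ring per (list name, source address), like /proc/net/xt_recent/<name>."""

    def __init__(self):
        self.lists = {}

    def entry(self, name, src, create=False):
        table = self.lists.setdefault(name, {})
        if create:
            return table.setdefault(src, deque(maxlen=IP_PKT_LIST_TOT))
        return table.get(src)

    def match(self, rule, src, now):
        if rule.action == "set":
            self.entry(rule.name, src, create=True).append(now)
            return True
        stamps = self.entry(rule.name, src)
        if stamps is None:          # --update never matches an unknown address
            return False
        if rule.seconds:            # the kernel skips stamps older than the window
            hits = sum(1 for s in stamps if s >= now - rule.seconds)
        else:
            hits = len(stamps)
        if hits >= max(rule.hitcount, 1):
            stamps.append(now)      # --update records the packet only on a match
            return True
        return False


def install(commands):
    """'iptables -I INPUT' prepends, so the chain ends up in reverse order of typing."""
    chain = []
    for rule in commands:
        chain.insert(0, rule)
    return chain


def run_chain(chain, packets):
    """Walk the INPUT chain for each new connection (time, src, dport).
    Returns one verdict per packet; ACCEPT stands for 'no rule here dropped it'."""
    tables = RecentTables()
    verdicts = []
    for now, src, dport in packets:
        verdict = "ACCEPT"
        for rule in chain:
            if rule.dport == dport and tables.match(rule, src, now) and rule.target:
                verdict = rule.target
                break               # DROP is a terminating target
        verdicts.append(verdict)
    return verdicts


# The six commands from the question, typed in the order shown there.
POSTED = install([
    Rule(80, "set"),
    Rule(80, "update", seconds=5, hitcount=20, target="DROP"),
    Rule(443, "set"),
    Rule(443, "update", seconds=5, hitcount=20, target="DROP"),
    Rule(22, "set"),
    Rule(22, "update", seconds=60, hitcount=5, target="DROP"),
])


def with_separate_names(chain):
    """Same rules with '--name SSH' on the port-22 pair and '--name WEB' on the
    others (names are my choice, not from the question), so the counters stay apart."""
    return [Rule(r.dport, r.action, "SSH" if r.dport == 22 else "WEB",
                 r.seconds, r.hitcount, r.target) for r in chain]


# Constructed traffic using RFC 5737 test addresses.
# A browser opens six HTTPS connections in six seconds, then the same person
# tries SSH half a minute later.
BROWSING_THEN_SSH = [(t, "203.0.113.5", 443) for t in range(6)] + [(30, "203.0.113.5", 22)]
# A real brute-forcer: seven SSH connections, one every two seconds.
SSH_BRUTE_FORCE = [(2 * i, "203.0.113.9", 22) for i in range(7)]

if __name__ == "__main__":
    for label, chain in (("shared DEFAULT list", POSTED),
                         ("separate --name lists", with_separate_names(POSTED))):
        print(label)
        print("  browsing then SSH:", run_chain(chain, BROWSING_THEN_SSH))
        print("  SSH brute force:  ", run_chain(chain, SSH_BRUTE_FORCE))
```

With the shared list the browsing trace ends in a DROP on the SSH connection, while the brute-force trace is dropped from the sixth attempt in both configurations, so adding `--name` to each pair keeps the protection and removes the cross-talk. To test on the server itself, `cat /proc/net/xt_recent/DEFAULT` shows the one table the posted rules all write into (a `--name SSH` list appears as `/proc/net/xt_recent/SSH`), and `iptables -L INPUT -v -n` shows per-rule packet counters. On the reverse-proxy question, the rate limit belongs on the ports outside clients actually connect to, which are Nginx's 80 and 443; the hop from Nginx to Apache on 7080/7081 is a local connection on the same host and is not what an attacker reaches.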

Best Answer

The easiest way to achieve this is by installing fail2ban. It monitors SSH by default and dynamically bans IPs that fail too often. You can configure it to monitor any log file, however, so you can include HTTP and HTTPS as well.
