... sorry about the massive email :( ...
What about REJECT instead of DROP?
iptables -I INPUT -s
Does someone know how I can protect my server? Iptables rules, Susefirewall?
Now there are only 3 source IPs where the attack comes from (it is a small one) ...
    iptables -I INPUT -s IP#1 -j DROP
    iptables -I INPUT -s IP#2 -j DROP
    iptables -I INPUT -s IP#3 -j DROP

It makes no sense at all to add these permanently to your firewall, since an attack usually only lasts a couple of hours/days. After the attack subsides, remove the rules by

    iptables -D INPUT -s IP#1 -j DROP
    iptables -D INPUT -s IP#2 -j DROP
    iptables -D INPUT -s IP#3 -j DROP

If you need logging, you may want to insert additional rules to log the dropped packets.

Note that a firewall will not help in defending a 'real' DDoS attack, this must be stopped at your uplink.
Should I filter the IPs with iptables?
Example - apache-error-log:
[Fri Jul 11 15:27:10 2003] [error] [client xxx.xxx.xxx.xxx] request failed: erroneous characters after protocol string: \t\x97\xf2|\xfbS?Xdm8\xd4\xfa\xca\x03\x11\xb1\xa1\xc8\"\x99\xd2\xb7\t\x04zN \xe1\xe7\xc4\xd4^\x83\x02*sD\xfb\xc2R\xe8\x87\xef\x99\xe5Za\xca\x06\x1e\xe8\ x16\xd5\xa9#F\xe3\xe4\x7fD\xeb\x02\xc3\xe4\x01\x1b\xb1\xb0\x1b\x96%\xe6\x0cM \xa4\xc0\xb5\xeb8\xf7z\x99z\x8a\xf2\xda\xef\xbc\xe4\xb4\x99\\p\x11\xc6I\x89e -5\xab\x90\x12\x86Fe\xd7B2\x80+\x9fS\xb0\x1d{\xe0\xe1==x\xca\xbaeb\x1d\xc7g\ x19\x01D\xba\b\xc1\x9b,\x92\xc5\xe7xU\xc2\\\x1b\xb0/\xe3b\x82\xf8\x05\xc75\x 1f\xa0\xd2M\x1a\xab\xfe\x1c\xf4\x8bO\x9ae\xae\xc8\xcb:>\x04\xbd\xeb=\xe6\x7f\xa5W\t\x0fZN\x1f\x18\x95\xd3%|Gh\xadQ\xb9{\x1c\xe7\xdf \x98|\xd6$\xd6\xdc\xa38m\xe7Z\xc7\xe5M\x03\x89\xaa\x1dv\xc4wtq\x14\x10\\\xe7 g0\xed\x9bK\xc1\xba\xeelSi\xf5X\xc7\xa1\xcf\x86L)6\x97\x19\v\xc9\x05]\xe7zZa \b\xd1j1\xda\xd37\x93\x9c\x1a\x05\x8c\xcbvj&\xde\xda\xa7q5w9\xc7K\"\xabU3\xf b\xaf\xd7APn\xa3\b\xbf\x1c\xe9\x84\x9b'\xb6\xecH-\xc6\x8e+j\xa1\x89\xd7\xc8\ x95\xc2/\xf8\xa0\x0fC\x15\x85\xf5\x0c\x83 \xb6\\\x1c\xf5\x8b\x15\x8e\x10.\x98\ xfe
[Fri Jul 11 16:13:03 2003] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request É#26;?¹">¦ñ©æt¨bf8Ó¿óÝ@©êNNËH¤ A$>É?¹
[Fri Jul 11 16:13:09 2003] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request hInW|ÿ ègO
[Fri Jul 11 16:13:18 2003] [error] [client xxx.xxx.xxx.xxx] request failed: erroneous characters after protocol string: \xbe\xb6\x18\xc4>\x81\x18\xe4\xc1\x8ei\xc2\xe9\x0cT\x1c\xd3\xaf\x85t?JXQ\xf 0\xa0S\xa6Ww\xf3\x93k\xef\xacL\xdb\x13+Vg\xac\xde\xf8\x8b]\xb6\xf0_\xec,\xbb \x11\xb4\x0c\xb1g?\xfdb\b\x8f\xbdQ\xee\xf9\\\x1d\xd6\xa4v\xbce\xea\v\t\xa4\x 02\x8a|\xb2\xdb/9\xbaK\x8fM#ir4\x067\xe0\x9e\xe4\x84~r\x98\x11\xb8\xf4\x19\x cbBg\xd3\xaa\xc3\xcf\x15\xb7h\xb9\t\xfe^\xad\xe8k8\x05z9\x91\xfa\xd6\xa8\xf1 \x05o\xf7\xf5dQ\x91\xab\xfa\xa7\x82<]\x81/\xcd+\xd4C\xa6\x9c\xc2E\xc2\xec\xb 7\xee/\xb0\x94 \x89\x1a.\x13\xb1\xdcw\xbfRC\xa3[]\xcf;\x1e\xb5\"nH-\x1b\xa8e\xafBg\xd0\xbd gIw\x1e\x86i\xde\xd1\xee\xebhF\xa2B\x1b\x96\xc1Yz\xccj\xc4Jh\xb2\xcf\xb8\xb1 \\\x8a\xa4\xdaXn\xb0\xcc~C\x97'\x82A\xc0\x83%u\x14\xfa\xa8f\x0c\xeb\x86\xf8\ x0e\xf9c\x92\xf9T?|\xfe:O\x1f\xad;R{\xa8W\x17'\xf7\xb3bd#\xc9\x97\x98JH}\xfe \x0ceC\x9c\xa7r\xc0v`\xb1\xff\x02&j\xfb\xdbr;\xa7\xb9q\xb02\xa1e\x14\x88YILk \x9b\x11\x8e\xb0\xf1\xe6\xcc\xfb;\xc2F\xa2M\xbe\x03\x9c\x0c\xb7\xb7\xdbtG\xe a\xdd\xdf\xf3W\x7f\x85\xa6\x92\x11@_\xee\xaf\x92'\x9e\xce\xe9E\x1a\x15\"\xb3 \xc4nKI\xb4\xa4n\xb5\xa0\x8b\xfb\x83\x0f\xfa\xbcS\xaaB\xd2\x8a\xd5\x8d\xcaU\ x9b\t-\xea\xe5IR\x12\xf0\xe7v\xe3\xfeo\x0e\xd2Lx\\\xeaD\x14@W\xf2kQ'\xbc\xa2 V\xc5iY\xe6RGs\xc0\x8fm\xa7j\xfa0\x8cv\xecZN\xa8's\xeb\\\xae?\xa3\"\xd9\x88\ xa9\xaa\xa8\x1e\x1f\xe7X\x1bBo4k\xe0!\xae\x8c\x13\v\xae\x93S:i_b\\V\xdeK\xa5 \xad~\xc0\x8dY\x8d\x9c\x17\xa3
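The temporary block-and-remove approach from the reply, as an added example that is not part of the original thread: it counts the two malformed-request errors shown in the quoted log per client and prints the matching iptables insert and delete commands, including the optional LOG rule. The sample lines, the 192.0.2.x and 198.51.100.x addresses, the threshold of 3 and the log prefix are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Line format and the two error messages seen in the quoted Apache log.
LINE_RE = re.compile(r"^\[[^\]]+\] \[error\] \[client ([^\]]+)\] (.*)$")
MALFORMED = ("request failed: erroneous characters after protocol string",
             "Invalid URI in request")
LOG_PREFIX = "httpd-junk: "  # assumed prefix for the optional LOG rule

def count_offenders(lines):
    """Count malformed-request errors per client address."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m.group(2).startswith(MALFORMED):
            continue
        try:
            # Only a parsed address may reach a shell command; redacted
            # values such as xxx.xxx.xxx.xxx are skipped.
            hits[str(ipaddress.IPv4Address(m.group(1)))] += 1
        except ValueError:
            continue
    return hits

def rules(hits, threshold=3):
    """Return (block, unblock) iptables command lists for noisy sources."""
    block, unblock = [], []
    for ip, n in sorted(hits.items()):
        if n < threshold:
            continue
        # LOG is inserted at position 1 and DROP at 2: log first, then drop.
        specs = [f'-s {ip} -j LOG --log-prefix "{LOG_PREFIX}"', f"-s {ip} -j DROP"]
        block += [f"iptables -I INPUT {pos} {s}" for pos, s in enumerate(specs, 1)]
        unblock += [f"iptables -D INPUT {s}" for s in specs]
    return block, unblock

# Constructed sample lines in the format of the quoted log.
SAMPLE = [
    r"[Fri Jul 11 15:27:10 2003] [error] [client 192.0.2.10] request failed: erroneous characters after protocol string: \t\x97\xf2",
    "[Fri Jul 11 16:13:03 2003] [error] [client 192.0.2.10] Invalid URI in request hInW",
    "[Fri Jul 11 16:13:09 2003] [error] [client 192.0.2.10] Invalid URI in request abc",
    "[Fri Jul 11 16:13:18 2003] [error] [client 198.51.100.7] Invalid URI in request abc",
    "[Fri Jul 11 16:14:00 2003] [error] [client 192.0.2.10] File does not exist: /srv/www/htdocs/favicon.ico",
    "[Fri Jul 11 16:15:00 2003] [error] [client xxx.xxx.xxx.xxx] Invalid URI in request abc",
]
if __name__ == "__main__":
    block, unblock = rules(count_offenders(SAMPLE))
    print("\n".join(["# block now:"] + block + ["# remove after the attack:"] + unblock))
```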