If you’re a fan of trying to limit the effects of a DDoS on your services you’ve probably tried to limit the amount of connections that can be made to a port, possibly by using the xt_recent iptables module, by default the limits imposed on the module are rather low, which made this module of limited use in our case due to the large amount of connections we have normally. The default of most distributions only store the last 100 IP’s and 20 timestamps of each packet from those IP’s, we can increase this to allow us to track more connections with more granularity, for example with the changes below we can now monitor up to 200 IP’s and the times of the last 255 packets sent by each IP.
nano /etc/modprobe.d/xt_recent.conf
Add the following line to the file
options xt_recent ip_pkt_list_tot=255 ip_list_tot=200
Before we unload the xt_recent module we need to unload all the modules that use the recent module, we can achieve this by simply using the command
service iptables stop
Alternatively if you’re using csf you can unload all the rules it by simply usingthe below command, there was no need to stop iptables when using this method.
csf -x
Now we can unload the xt_recent module
modprobe -r xt_recent
After the module has unload successfully you can then reload the module with
modprobe xt_recent
Now we can restart iptables
service iptables start
Or if you’re using csf
csf -e
Leave a Reply