
Right now netstat lists 200 - 4000 connections to the same IP in India. Seems like some kind of flooding attack to me.

e.g.:

tcp        0      0 [removed] 182.65.238.[removed].in-:mysql TIME_WAIT

I've tried to kill the current connections with these commands, but this didn't work:

iptables -t filter -I INPUT 1 -p tcp -m tcp -s 182.65.238.[] -j DROP

tcpkill -i any -9 host 182.65.238.[removed]

I've added the IP to ufw and even banned it with fail2ban, but I cannot get rid of the open connections.

Two questions:

  1. How to kill/close all TCP connections from this IP?
  2. Any chance of logging this kind of pattern in order to ban it with a fail2ban jail, or to set up some iptables chain limitations like for "regular" DoS attacks?

System info:

  • Ubuntu 20.04
  • nginx
  • ufw
  • fail2ban
  • SYN cookies enabled
  • maybe relevant: additional ufw rules I'm using

# Enter rule
-A ufw-before-input -p tcp --dport 80   -j ufw-http
-A ufw-before-input -p tcp --dport 443  -j ufw-http

# Limit connections per Class C
-A ufw-http -p tcp --syn -m connlimit --connlimit-above 50 --connlimit-mask 24 -j ufw-http-logdrop

# Limit connections per IP
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --set
-A ufw-http -m state --state NEW -m recent --name conn_per_ip --update --seconds 10 --hitcount 20 -j ufw-http-logdrop

# Limit packets per IP
-A ufw-http -m recent --name pack_per_ip --set
-A ufw-http -m recent --name pack_per_ip --update --seconds 1 --hitcount 20 -j ufw-http-logdrop

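As an added example (not from the poster), here is a small shell script that counts sockets per remote address and per TCP state from netstat -tn style output, the kind of per-IP pattern the second question asks about logging. The sample lines and the threshold of 3 are constructed; in practice you would pipe in `netstat -tn` or `ss -tn` and feed the reported addresses to your own logging or fail2ban jail.

```shell
#!/bin/sh
# Added example: summarise netstat -tn style output per remote peer.
# SAMPLE is constructed data (documentation addresses), not real traffic.
SAMPLE='tcp        0      0 10.0.0.5:3306        203.0.113.7:51000     TIME_WAIT
tcp        0      0 10.0.0.5:3306        203.0.113.7:51001     TIME_WAIT
tcp        0      0 10.0.0.5:3306        203.0.113.7:51002     ESTABLISHED
tcp        0      0 10.0.0.5:443         198.51.100.9:40000    ESTABLISHED
tcp        0      0 10.0.0.5:443         203.0.113.7:51003     SYN_RECV'

# count_by_peer: reads netstat lines on stdin, prints "<count> <ip>" per
# remote address, busiest first. Field 5 is the foreign address; the
# trailing ":port" is stripped so IPv6 addresses also work.
count_by_peer() {
    awk '$1 == "tcp" || $1 == "tcp6" { sub(/:[^:]*$/, "", $5); n[$5]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# count_by_state: for one remote IP, prints "<count> <state>" per TCP
# state (TIME_WAIT sockets are already closed and expire on their own,
# so a pile of them is noise rather than open connections to kill).
count_by_state() {
    ip="$1"
    awk -v ip="$ip" '{ sub(/:[^:]*$/, "", $5); if ($5 == ip) s[$6]++ }
         END { for (st in s) print s[st], st }' | sort -rn
}

# offenders: remote IPs holding more than THRESHOLD sockets (default 3).
offenders() {
    threshold="${1:-3}"
    count_by_peer | awk -v t="$threshold" '$1 > t { print $2 }'
}

# Demo on the constructed sample; replace with: netstat -tn | offenders 200
echo "$SAMPLE" | offenders 3
```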