Hello All,
A few of our edge servers are constantly going down and the DC suspects a SYN or DDoS attack. I have turned off iptables on all my CentOS edges since it will not allow any connections when it is turned on.
- I am not very good with shell commands. Can someone please tell me how I can edit the file /etc/sysconfig/iptables so that the Wowza ports are opened?
- Is it possible to limit the viewer connection refresh per hour with something like this?
iptables -I INPUT -p tcp --dport 1936 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 1936 -i eth0 -m state --state NEW -m recent --update --seconds 3600 --hitcount 3 -j DROP
- How can I verify that this is in fact a connection issue? What tools can I use to detect such a thing? I could not even connect to JMX or SSH when this was happening.
Thank you all for help in advance.
Hi,
So you need to use either ‘vim’ or ‘pico’ as an editor.
I would not add a limit; however, I would do something like this. I assume you are running Wowza on port 1936 rather than 1935? If not, you can change it as needed.
iptables -I INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 1934 -j ACCEPT
The port 1934 is for the Wowza load balancer, if you are using it, if not you can omit it.
To look quickly at the number of connections on a server do
netstat -n | grep -i estab
which will show a list of currently connected clients.
I would also advise looking at the tuning guide here
https://www.wowza.com/docs/general-tuning
and setting ulimit to a higher level, if not set already, to 20000, as this may be a factor: Wowza cannot get enough open file handles to service connections.
Shamrock
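For the "how can I verify this is a connection issue" question, here is an added example (not from the thread, not Wowza's own tooling) that triages netstat -an output in shell: it counts sockets per TCP state, counts distinct remote addresses per local port, and gives a rough verdict on whether the half-open backlog looks like a SYN flood rather than ordinary viewer churn. The two netstat samples are constructed; on a live edge, pass "$(netstat -an)" instead.

```shell
#!/bin/sh
# Triage helpers over "netstat -an" output (added example, not from the thread).
# Both samples are constructed; on a live box feed them "$(netstat -an)" instead.
SAMPLE_NORMAL='tcp 0 0 10.0.0.5:1935 198.51.100.10:50001 ESTABLISHED
tcp 0 512 10.0.0.5:1935 198.51.100.11:50002 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.12:50003 TIME_WAIT
tcp 0 0 10.0.0.5:80 198.51.100.12:50004 TIME_WAIT
tcp 0 0 10.0.0.5:80 198.51.100.13:50005 ESTABLISHED
tcp 0 0 10.0.0.5:1935 198.51.100.14:40001 SYN_RECV
tcp 0 0 0.0.0.0:1935 0.0.0.0:* LISTEN'
SAMPLE_FLOOD='tcp 0 0 10.0.0.5:1935 203.0.113.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:1935 203.0.113.8:40002 SYN_RECV
tcp 0 0 10.0.0.5:1935 203.0.113.9:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:40004 SYN_RECV
tcp 0 0 10.0.0.5:1935 198.51.100.10:50001 ESTABLISHED'

# Connections per TCP state (6th column), most common first.
count_by_state() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp6?$/ { n[$6]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Number of sockets in one state, e.g. state_count "$NETSTAT" SYN_RECV
state_count() {
    printf '%s\n' "$1" | awk -v st="$2" '$1 ~ /^tcp6?$/ && $6 == st { c++ } END { print c + 0 }'
}

# Distinct remote addresses on one local port (remote port stripped). Many
# SYN_RECV from many distinct sources is the classic (spoofed) flood signature;
# a flat spread of ESTABLISHED/TIME_WAIT, as in the thread, is ordinary viewer churn.
distinct_remote_ips() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp6?$/ && $6 != "LISTEN" && $4 ~ (":" port "$") { sub(/:[0-9]+$/, "", $5); ip[$5] = 1 }
        END { n = 0; for (k in ip) n++; print n }'
}

# Rough verdict: half-open sockets outnumbering completed ones means the
# accept backlog is filling with SYNs that never finish the handshake.
classify() {
    syn=$(state_count "$1" SYN_RECV)
    est=$(state_count "$1" ESTABLISHED)
    if [ "$syn" -gt "$est" ]; then
        echo "half-open backlog: possible SYN flood"
    else
        echo "mostly completed connections: load or network issue"
    fi
}

echo "normal sample:"; count_by_state "$SAMPLE_NORMAL"; classify "$SAMPLE_NORMAL"
echo "flood sample:";  count_by_state "$SAMPLE_FLOOD";  classify "$SAMPLE_FLOOD"
```

When SSH itself is unreachable during an incident, the same counts can be taken from the console or collected by a cron job into a log file for later review.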
I think the problem is your output statement; add
-A OUTPUT -s -j ACCEPT
Shamrock
To keep it consistent with your other entries, do
-A OUTPUT -o eth0 -j ACCEPT
Your IPTables seems to be only allowing port 22 outbound, which is why I suspect nothing works with the iptables enabled.
Shamrock
Hello,
Thanks for the reply. I have already set the ulimit to 20K and followed the tuning steps.
I am using the following ports for the Wowza VHost:
1935, 554, 80
I have blocked the port 80 HTTP provider:
<!--<HTTPProvider>
<BaseClass>com.wowza.wms.http.HTTPServerVersion</BaseClass>
<RequestFilters>*</RequestFilters>
<AuthenticationMethod>none</AuthenticationMethod>
</HTTPProvider>-->
I would like to block all other ports from these edge servers except for what is needed for wowza. Would adding the following to the iptables do it?
iptables -I INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
When I check netstat -an I see thousands of connections like this (the server is supposed to have around 1000 connections). As you can see, none of the IPs are repeating. So I am not sure if this is a SYN attack as the DC suggests or just their network issue.
BTW, I am editing the iptables file in /etc/sysconfig like this:
# Generated by iptables-save v1.3.5 on Fri Sep 23 14:11:13 2011
*filter
:INPUT DROP [1:48]
:FORWARD DROP [0:0]
:OUTPUT DROP [8:560]
-A INPUT -p tcp -m tcp --dport 8085 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8084 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1935 -j ACCEPT
-A INPUT -i eth0 -p tcp --destination-port 8084 -j ACCEPT
-A INPUT -i eth0 -p tcp --destination-port 8085 -j ACCEPT
COMMIT
# Completed on Fri Sep 23 14:11:13 2011
The above is refusing any connections from the load balancer.
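An added example, not the thread's or Wowza's own configuration, that generates a replacement for the rule set above: it keeps the DROP policies but adds the stateful ESTABLISHED,RELATED rules whose absence (only port 22 is permitted out) is what stops replies for 1935/80 ever leaving the box, and it confines the JMX ports to one admin host. ADMIN_IP and LB_IP are placeholders you substitute; which direction the UDP 1934 load balancer traffic flows is an assumption, so both are listed and you keep the one your deployment uses.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-save style rule set for a
# Wowza edge that keeps the OP's DROP policies but lets replies and the edge's own
# outbound flows through. ADMIN_IP and LB_IP are hypothetical placeholders.
# Apply as root with:  wowza_edge_rules 203.0.113.1 203.0.113.2 | iptables-restore
# (or redirect into /etc/sysconfig/iptables and restart the iptables service).
wowza_edge_rules() {
    admin_ip="${1:-ADMIN_IP}"   # host allowed to reach the JMX ports
    lb_ip="${2:-LB_IP}"         # Wowza load balancer the edge talks to
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and already-accepted flows. This is what the OP's file lacks: with
# OUTPUT DROP and only port 22 permitted, replies for 1935/80 never leave the box.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New TCP connections must start with SYN
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Wowza VHost viewer ports listed by the OP (RTMP, RTSP, HTTP)
-A INPUT -p tcp -m multiport --dports 1935,554,80 -m state --state NEW -j ACCEPT
# Load balancer status traffic on UDP 1934 (direction assumed; keep the one you use)
-A INPUT -p udp -s ${lb_ip} --dport 1934 -j ACCEPT
-A OUTPUT -p udp -d ${lb_ip} --dport 1934 -j ACCEPT
# JMX management ports only from the admin host, not the whole Internet
-A INPUT -p tcp -m multiport --dports 8084,8085 -s ${admin_ip} -m state --state NEW -j ACCEPT
# Edge-initiated flows: RTMP to the load balancer, DNS, and ICMP diagnostics
-A OUTPUT -p tcp -d ${lb_ip} --dport 1935 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Sanity checks to run before loading the file.
has_stateful_output() {
    wowza_edge_rules | grep -q -- '^-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$'
}
jmx_is_restricted() {
    wowza_edge_rules "$1" | grep -- '--dports 8084,8085' | grep -q -- "-s $1"
}
```

Load it with the console open, not only over SSH, so a mistake in the rules cannot lock you out the way the original file did.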
> I think the problem is your output statement; add
> -A OUTPUT -s -j ACCEPT
> Shamrock
Ethernet IP address, like my server IP, or like eth0? Also, what outgoing ports should I open in the case of a load-balancer edge?
Please let me know what you guys have in iptables... thanks