A system administrator’s work is never done, especially with DDoS attacks and other security concerns. How do you block traffic from malicious sources? With the iptables command-line program, it’s quite easy for an administrator to set up rules based on IP addresses or blocks of addresses.
Rather than discuss the details of the program, let’s discuss the value of installing it on your server in the first place. The rules are easy to set up, and in essence, you can block traffic from sources that have proven to be malicious. In theory, you could also block traffic on a preemptive basis, such as refusing traffic from blocks belonging to certain ISPs or countries. The problem with this approach is that you run a severe risk of blocking legitimate traffic.
Once the iptables software is in place and configured, you can easily drop in a single IP address or block of addresses in response to DDoS attacks or other malicious activity. This process can also be automated, so that there’s an immediate response in the event of attempted brute-force attacks (also addressed with the “bfd” application), DDoS attacks, or other activity that would be a threat to your server’s security.
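As an added example (not code from the original article), the script below shows the automated response described above: it counts failed SSH logins per source address in constructed sample log lines and prints one iptables DROP rule for each address that reaches a threshold, skipping an allowlist so a known legitimate address is not blocked. The threshold, allowlist, log format, and function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: derive iptables DROP rules from repeated failed SSH logins.
THRESHOLD=3                 # failures before a source is blocked (assumed value)
ALLOWLIST="198.51.100.10"   # space-separated addresses never blocked (hypothetical)

# Constructed sample log lines using documentation address ranges.
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 host sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan 10 03:12:03 host sshd[811]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jan 10 03:12:05 host sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4030 ssh2
Jan 10 03:12:09 host sshd[813]: Failed password for invalid user from 192.0.2.99 from 203.0.113.7 port 4031 ssh2
Jan 10 08:01:10 host sshd[900]: Failed password for alice from 198.51.100.10 port 5100 ssh2
Jan 10 08:01:15 host sshd[900]: Failed password for alice from 198.51.100.10 port 5100 ssh2
Jan 10 08:01:21 host sshd[900]: Failed password for alice from 198.51.100.10 port 5100 ssh2
Jan 10 08:01:30 host sshd[901]: Accepted password for alice from 198.51.100.10 port 5101 ssh2
Jan 10 09:44:02 host sshd[950]: Failed password for bob from 192.0.2.55 port 6000 ssh2
EOF
}

# Read sshd log lines on stdin; print each source IP with >= THRESHOLD failures.
# The address is taken by position from the end of the line and must look like
# IPv4, because the username field is attacker-controlled (see the fourth line).
offenders() {
  awk -v min="$THRESHOLD" '
    /Failed password for/ && $(NF-4) == "from" && $(NF-2) == "port" &&
    $(NF-3) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { count[$(NF-3)]++ }
    END { for (ip in count) if (count[ip] >= min) print ip }' | sort
}

# Read IPs on stdin; emit one DROP rule per address that is not allowlisted.
# Rules are printed for review; APPLY=1 runs them instead (requires root).
block_rules() {
  while read -r ip; do
    case " $ALLOWLIST " in *" $ip "*) continue ;; esac
    if [ "${APPLY:-0}" = "1" ]; then
      # -C checks for an existing rule so reruns do not add duplicates.
      iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
    else
      echo "iptables -I INPUT -s $ip -j DROP"
    fi
  done
}

sample_log | offenders | block_rules
```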
Obviously, you as an administrator cannot be expected to sit in front of your computer and monitor your server every hour of the day, and neither can your IT staff. That’s where the value of iptables comes in. It’s free, and it’s easy to install. With this in mind, there are no financial issues to consider, other than the amount of time and perhaps money that is involved in tending to security issues.
While iptables won’t prevent every sort of attack against your server, it will help immensely, because it will block malicious traffic before it has a chance to reach its target site. This proves valuable on multiple levels, not the least of which is the amount of system resources that will be saved by blocking malicious traffic.
While it’s important to note that iptables may not withstand a planned DDoS attack orchestrated by people with vast resources, it will address most of the minor attempts that seem to occur daily.