LinuxQuestions.org
Linux - Security
Old 02-27-2012, 09:32 AM   #1
teek5449
LQ Newbie
 
Registered: Dec 2009
Posts: 12

Rep: Reputation: 0
Question Need an alternative to connlimit in iptables.


I am looking for an alternative to enforcing a connection limit on my VPS that is not through iptables.

Or, even better I am looking for a way to fix connlimit in iptables. I am receiving an error message on even a simple line such as:
Code:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
the error:
Code:
iptables: Invalid argument. Run `dmesg' for more information.
and from dmesg:
Code:
ip_tables: connlimit match: invalid size 24 != 32
Having Googled this for days on end, it seems there is a problem with the connlimit module that the kernel is built with. Reading THIS link there seems to be a problem with the 2.6.18 kernel (of course this is the one that my host is using). They (my host) refuse to acknowledge that there is a problem and of course will not be patching the kernel to accommodate me.

So my question is this: is there a simple, lightweight alternative, or a way to fix this issue without my provider's assistance? I don't need anything fancy, just a way to enforce connlimit. I have csf running and received this error prior to and after installing it.

BTW:
The OS is not important since this will occur with any OS that I choose since it is a VPS and the kernel is out of my hands.
 
Old 02-28-2012, 09:23 AM   #2
teek5449
LQ Newbie
 
Registered: Dec 2009
Posts: 12

Original Poster
Rep: Reputation: 0
Shameless 24 hour bump....

I can't believe that no one, other than me, has ever had this issue before?

Is there no alternative connection limiting mechanism in Linux other than using connlimit in iptables?

Won't bump this again if someone can truly tell me that there is no solution to my issue other than to just deal with it.
 
Old 02-28-2012, 09:41 AM   #3
raymor
Member
 
Registered: Nov 2005
Posts: 59

Rep: Reputation: 20
I don't know of anything else exactly like connlimit, which makes sense. Why would anyone produce something exactly the same when connlimit already exists? Now, if your application were known, other, possibly better, solutions could be presented. For example, if you're trying to control site ripping by limiting new connections to port 80, not only are there other ways, but much better ways.
 
Old 02-28-2012, 10:23 AM   #4
teek5449
LQ Newbie
 
Registered: Dec 2009
Posts: 12

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by raymor View Post
Why would anyone produce something exactly the same when connlimit already exists?
...agreed, but that is why I am asking for an alternative to connlimit since my provider does not provide kernel support for the option. I am looking for something that is close to the feature that connlimit supplies. I am just looking to simply and effectively provide a means to limit possible DOS attacks and make port scanners a little harder on the hackers. I am already seeing lots of sniffing in my logs already for a non published site.

BTW... there are tons of examples of multiple applications that completely mimic another piece of software. Sometimes people do reinvent the wheel (or more appropriately make another wheel exactly like the other one.) So I guess I am asking for an alternative implementation of connlimit.
 
Old 02-28-2012, 11:45 AM   #5
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,910

Rep: Reputation: 776
Quote:
Originally Posted by teek5449 View Post
Shameless 24 hour bump....
Note that the site does an 'auto-bump' on unanswered posts, and by bumping yourself you overcome that.

Quote:
Originally Posted by teek5449 View Post
Is there no alternative connection limiting mechanism in Linux other than using connlimit in iptables?
One of the problems I had when I first looked at this was that I couldn't really work out what would constitute a solution. You clearly want something a bit like connlimit, but you didn't really explain until this:

Quote:
I am just looking to simply and effectively provide a means to limit possible DOS attacks and make port scanners a little harder on the hackers. I am already seeing lots of sniffing in my logs already for a non published site.
to say what that like-connlimit-but-not-connlimit had to do.

If the meaning of what you say about port scanning is that you would like to limit these (presumed) attack attempts at an early stage, you should look at this
http://cipherdyne.org/psad/

Quote:
psad is a collection of three lightweight system daemons (two main daemons and one helper daemon) that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
Other utilities in a similar area include:
http://www.fail2ban.org/wiki/index.php/Main_Page
http://denyhosts.sourceforge.net/

http://www.linuxquestions.org/questi...iptables-3036/
and always be aware of
http://www.ossec.net/main/attacking-log-analysis-tools

from http://linux.die.net/man/8/iptables
Quote:
connlimit
Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
[!] --connlimit-above n
Match if the number of existing connections is (not) above n.
--connlimit-mask prefix_length
Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32. For IPv6, between 0 and 128.
It looks, possibly, from the error message, as if you are running into some kind of iptables bug where what you are trying to put in as a connlimit instruction is actually being read as a connlimit-mask instruction, and producing the error about the number being wrong. Would a later version of iptables be possible? (I haven't checked the iptables release notes to check whether there is a fix for anything in this area, but that would be the next step, if it were possible to use a later version.)

Quote:
BTW:
The OS is not important...
Well, not to you. It might have helped the LQers to know whether they had experience with that OS specifically - maybe a long shot, but worth trying, no?
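Since the thread asks for a way to get connlimit-like behaviour without the kernel's connlimit module, and the man page excerpt above describes what that behaviour is (count parallel connections per client address, optionally grouped by a prefix length, and act when the count is above n), here is an added example of a user-space stand-in written for this page; it is not code from the thread, from iptables or from any of the tools linked above. It reads `ss -Htn state established` style output (four columns: Recv-Q, Send-Q, local address:port, peer address:port, an assumption about the layout), groups IPv4 peers by a prefix length the way `--connlimit-mask` does, and reports every group with more connections to the given port than the limit, the way `--connlimit-above n` would match. The sample input is constructed; the function name `over_limit` is this example's own. Its output is a report for a log or a ban tool such as fail2ban, not an in-kernel match, so it is a monitoring aid rather than a drop-in replacement.

```shell
#!/bin/sh
# Added example: user-space approximation of iptables connlimit.
# Assumed input layout is that of `ss -Htn state established`:
#   Recv-Q Send-Q Local_Address:Port Peer_Address:Port
# Only IPv4 peers are grouped; other peers are skipped.

# Constructed sample of established connections (not real traffic).
SAMPLE_SS='0 0 10.0.0.5:23 192.0.2.10:50001
0 0 10.0.0.5:23 192.0.2.10:50002
0 0 10.0.0.5:23 192.0.2.10:50003
0 0 10.0.0.5:23 192.0.2.77:40000
0 0 10.0.0.5:80 198.51.100.9:31000
0 0 10.0.0.5:23 198.51.100.9:31001'

# over_limit PORT LIMIT [PREFIX]  < ss-output
# Prints "group count" for each client group (peer address masked to PREFIX
# bits, default 32 = per host) holding more than LIMIT connections to PORT.
over_limit() {
    port=$1
    limit=$2
    prefix=${3:-32}
    awk -v port="$port" -v limit="$limit" -v prefix="$prefix" '
    # Mask an IPv4 dotted quad to the given prefix length using plain
    # arithmetic (POSIX awk has no bitwise operators).
    function masked(ip,    o, i, bits, keep, v, out) {
        split(ip, o, ".")
        out = ""
        for (i = 1; i <= 4; i++) {
            bits = prefix - 8 * (i - 1)
            if (bits > 8) bits = 8
            if (bits < 0) bits = 0
            keep = 2 ^ (8 - bits)          # size of the block kept in this octet
            v = int(o[i] / keep) * keep    # clear the low (8 - bits) bits
            out = (i == 1) ? v : out "." v
        }
        return out
    }
    {
        # $3 is local addr:port; only count connections to the watched port
        n = split($3, l, ":")
        if (l[n] != port) next
        # $4 is peer addr:port; strip the port, keep IPv4 peers only
        peer = $4
        sub(/:[0-9]+$/, "", peer)
        if (peer !~ /^[0-9.]+$/) next
        count[masked(peer)]++
    }
    END {
        for (g in count)
            if (count[g] > limit) print g, count[g]
    }' | sort
}

# Stand-alone demonstration on the constructed sample:
# per-host limit of 2 on port 23 (like --connlimit-above 2)
printf '%s\n' "$SAMPLE_SS" | over_limit 23 2 32
# same limit, but grouped per /24 (like --connlimit-mask 24)
printf '%s\n' "$SAMPLE_SS" | over_limit 23 2 24
```

On a live host the two demonstration lines become `ss -Htn state established | over_limit 23 2 32`, run from cron or a loop, with the output fed to whatever blocking mechanism the VPS kernel does support.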
 
Old 02-28-2012, 12:45 PM   #6
teek5449
LQ Newbie
 
Registered: Dec 2009
Posts: 12

Original Poster
Rep: Reputation: 0
I appreciate the reply, I was unaware of the auto-bump.

The main issue is that I am unable to use connlimit. I know what it is, what it does, and how important it can be (if utilized properly). As I explained in my initial post: I am on a VPS, and my provider is using a kernel that is incompatible with connlimit in iptables. They are unwilling to update the kernel to accommodate me and say that they have had no reports from anyone else about the issue. I have done days of research on this specific bug and can point out exactly what kernel version is incompatible and why, but since the version that the host provides is the problematic version I have no options. Downgrading iptables would not be an acceptable solution since I would have to go really far back to a version that has its own issues.

The reason that the OS is irrelevant is directly linked to the bug being kernel related and not OS dependent. No matter what OS I install I will still receive the same error. Hence, I will take help related to any OS as it might just get me going in the right direction.

I held off asking a question here until I had done enough personal searching and research myself so that I won't get the "RTFM" responses that can sometimes take over a thread.

Quote:
Originally Posted by salasi View Post
It looks, possibly, from the error message, as if you are running into some kind of iptables bug where what you are trying to put in as a connlimit instruction is actually being read as a connlimit-mask instruction, and producing the error about the number being wrong. Would a later version of iptables be possible? (I haven't checked the iptables release notes to check whether there is a fix for anything in this area, but that would be the next step, if it were possible to use a later version.)
I am on the latest iptables and there is a bug fix, but my host, again, is unwilling to patch the kernel.

I am currently looking into the xtables-addons (http://xtables-addons.sourceforge.net/). Anyone have any history with this route? This is an OS dependent solution, but I will take anyone's personal experience with this option.
 
Old 02-28-2012, 01:02 PM   #7
leslie_jones
Member
 
Registered: Sep 2011
Posts: 130

Rep: Reputation: Disabled
Just chipping in briefly with an aside:

I've had a couple of providers where I've been unlucky enough to have severe problems with netfilter/iptables. These have mostly been VPS type affairs - but one company (Easyspace in Glasgow) also exhibited problems with an alleged dedicated server.

Basically similar to what teek5449 is experiencing: basic iptables commands throwing unusual errors with no hits to match on Google. To cut a long short story sideways, they were unable to fix the problem because it was related to the virtualisation core (I know, I know, a provider trying to pass off a VPS as a real, dedicated server - who'd have thought it, eh? :-/). The solution - I hate to say - was to move providers. I finally found the meaning of 'you get what you pay for' when I did.

Now, I appreciate that is not going to sound very helpful - but I'm just sharing my experience after being messed around for nearly three months by the said provider. They knew there was no way on earth they could fix the issue, but they strung me along until the next quarterly payment was due.

Hopefully you have a dedicated hardware server (not a cloud or vps offering with some backstreet outlet) and none of this is relevant to you.
 
Old 02-28-2012, 03:17 PM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,910

Rep: Reputation: 776
Just a quick note to say that one of the links that I posted earlier might not be all that helpful.

There was a confusion in my mind between PSAD, which I linked, and Port Sentry, which I didn't. So, for the sake of completeness:
http://www.linuxhelp.net/guides/portsentry/
http://www.linux.ie/articles/portsen...rtcompared.php
http://www.linuxjournal.com/article/4751
http://www.faqs.org/docs/securing/chap14sec116.html

There is an argument, perhaps overstated in the second of the links given, that, looked at from a system perspective, Port Sentry can make things worse with regard to attacks. I think it would be more correct to say that, if you take the wrong/suboptimal course of action as a result of the information that Port Sentry gives you, you can make attacks more likely, although you should, if you have done your work carefully, only be making attacks more likely that you know have no chance of succeeding, so care is needed in the use of any such product.

Also note that much of the tutorial information on the interwebs on Port Sentry is really quite old, so I am not sure that PS is being updated much these days. Maybe it doesn't need it...
 
Old 02-28-2012, 06:15 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,457
Blog Entries: 54

Rep: Reputation: 2897
Quote:
Originally Posted by salasi View Post
Port Sentry is really quite old, so I am not sure that PS is being updated much these days.
http://www.linuxquestions.org/questi...6/#post3616972 (2009)
 
Tags
connlimit, firewall, iptables, vps