LinuxQuestions.org
Old 06-20-2017, 07:06 AM   #1
aidylewis
Decrease ulimit to reduce connections


I am using a Go command line load tool : https://github.com/tsenart/vegeta.

I'd like to set TCP conns to a small limit. This is not included as a flag in the tool. Would it be sensible to lower the ulimit to (e.g. 200) or maybe limit the ulimit by process?

Many Thanks

Aidy
 
Old 06-21-2017, 01:27 PM   #2
MensaWater
Ulimit deals with various user limits.

System limits (including some that are per user or per process) are done with sysctl.

If you run "sysctl -a" on your system you can see the various parameters and values (default or set).

Any "set" value you can see in /etc/sysctl.conf. You can override defaults by setting the parameter temporarily OR by adding to sysctl.conf and running sysctl -p to reread it to make them take effect. Anything you add to sysctl.conf would get set again after a reboot. Look for the tcp and network parameters to see if any approximate what you're trying to do.
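A per-process version of the OP's ulimit idea, as an added example that is not from the thread: each TCP socket is one file descriptor, so lowering RLIMIT_NOFILE in a subshell caps how many connections the child (vegeta or anything else) can hold while the caller's limit stays untouched. It assumes a shell whose `ulimit` supports `-n`, `-S` and `-H` (bash, dash, busybox ash); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): cap the connections a single process
# can hold by lowering its open-file limit (RLIMIT_NOFILE) in a subshell.
# Every connected socket is one descriptor, so a 200-descriptor limit leaves
# roughly 195 for connections once stdin/stdout/stderr, the Go runtime's
# epoll descriptor and any log files are counted. Both soft and hard limits
# are lowered: Go 1.19+ raises its own soft limit to the hard limit at
# startup, so a soft-only cap would not constrain a Go binary like vegeta.
run_with_fd_limit() {
    limit="$1"; shift
    # Soft first, then hard (hard may not drop below soft). The limit applies
    # to the subshell and whatever it execs, never to the calling shell.
    ( ulimit -S -n "$limit" && ulimit -H -n "$limit" && exec "$@" )
}

# Report the descriptor limit as seen inside the child (a constructed check
# standing in for the real tool; e.g. run_with_fd_limit 200 vegeta attack ...).
child_fd_limit() {
    run_with_fd_limit "$1" sh -c 'ulimit -n'
}
```

Once the child exhausts the limit, further connect() calls fail with EMFILE ("too many open files"), which the load tool reports as errors rather than silently queueing.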
Old 06-22-2017, 08:00 AM   #3
sundialsvcs
A server has to accept a socket-connection request. I don't recall that "ulimit" has anything to do with that. If you want to limit the number of connections, your server has to briefly stop (or delay) accepting them.
 
Old 06-22-2017, 01:50 PM   #4
scasey
Quote:
Originally Posted by aidylewis View Post
I am using a Go command line load tool : https://github.com/tsenart/vegeta.

I'd like to set TCP conns to a small limit. This is not included as a flag in the tool. Would it be sensible to lower the ulimit to (eg 200) or maybe limit the ulimit by process?

Many Thanks

Aidy
I have to ask...what problem are you trying to solve?

For example: I get thousands (5K-7K) of smtpd connection attempts daily, but I only accept about 10% of them. The rest are rejected by RBLs and my own block list. The blocking is virtually immediate and doesn't seem to put any strain on the server. There is not, AFAIK, any limit on the number of connections. What connections do you want to limit and why?
 
Old 06-26-2017, 08:58 AM   #5
sundialsvcs
Quote:
Originally Posted by scasey View Post
For example: I get thousands (5K-7K) of smtpd connection attempts daily, but I only accept about 10% of them.
... and you could stop them cold if you used OpenVPN (with digital certificates) as a bastion to all other services, then issue unique certificates to all authorized users of your service.

You will now receive connection attempts only from possessors of valid, non-revoked certificates, and you will know every single one of them by name.

Presto ... the number of unauthorized access attempts drops to zero. And, if you use tls-auth, your server no longer bothers to begin the authorization handshake sequence unless the supplicant first demonstrates that it is in possession of another digital certificate. This alone could save an enormous amount of now-wasted system resources.

Furthermore: your server will disappear from "port scanning" (which is actually "TCP/IP socket scanning") because OpenVPN uses the UDP protocol, which has no "ports" to scan. Unless one possesses the aforementioned initial certificate, the server will not answer and thus cannot be detected at all. The only doorway into your system is now an impenetrable secret door.

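The bastion pattern sundialsvcs describes, as an added OpenVPN server-side fragment that is not from the thread: UDP transport, per-user client certificates checked against a revocation list, and tls-auth so that packets without the shared HMAC key are dropped before any TLS handshake begins. All file names (ca.crt, server.crt, server.key, dh.pem, crl.pem, ta.key) are placeholders.

```conf
# Added OpenVPN 2.4+ server fragment (not from the thread); paths are placeholders.
port 1194
proto udp
dev tun

# Server identity and the CA that issued every client's unique certificate.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# Refuse clients whose certificate has been revoked. Regenerate crl.pem when
# revoking a user; no server restart is needed for the new list to apply.
crl-verify crl.pem

# Accept only peers whose certificate carries the client EKU, so a leaked
# server certificate cannot be presented as a client identity.
remote-cert-tls client

# Pre-shared HMAC key: UDP packets lacking a valid HMAC are silently dropped,
# so unknown senders get no reply and never start the (CPU-costly) handshake.
tls-auth ta.key 0
tls-version-min 1.2
```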
 
Old 06-26-2017, 10:00 AM   #6
scasey
Quote:
Originally Posted by sundialsvcs View Post
... and you could stop them cold if you used OpenVPN (with digital certificates) as a bastion to all other services, then issue unique certificates to all authorized users of your service.

You will now receive connection attempts only from possessors of valid, non-revoked certificates, and you will know every single one of them by name.

Presto ... the number of unauthorized access attempts drops to zero. And, if you use tls-auth, your server no longer bothers to begin the authorization handshake sequence unless the supplicant first demonstrates that it is in possession of another digital certificate. This alone could save an enormous amount of now-wasted system resources.

Furthermore: your server will disappear from "port scanning" (which is actually "TCP/IP socket scanning") because OpenVPN uses the UDP protocol, which has no "ports" to scan. Unless one possesses the aforementioned initial certificate, the server will not answer and thus cannot be detected at all. The only doorway into your system is now an impenetrable secret door.
I appreciate what you're saying, but I was talking about the smtpd server listening on port 25. The server that receives email for me and my customers. Pretty much has to be available to anyone who wants to try to send email to us...but if the sender is listed in an RBL or has spammed us in the past, they aren't allowed to connect.

Even switching to VPN for the sending smtp connections would be problematic: Would have to issue certificates and change email client configurations for hundreds of email users at dozens of companies.

Part of my blocking process involves fail2ban additions for failed attempts to login on port 587, tho.

One correction to my earlier post: my smtpd server is currently limited to 20 simultaneous remote connections by the server software [which is qmail]. I've never seen it reach that limit.

...repeating my question to the OP: what problem are you trying to solve by limiting connections?
And will sundialsvcs's proposal do what you want to do?
