LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-12-2004, 02:42 PM   #1
uniQ
Member
 
Registered: Jan 2004
Distribution: SME 6/SuSE9 x64
Posts: 30

Rep: Reputation: 15
Limit connections per source IP addr


Hi, I have a SME 6 box that's being used as a HTTP/FTP/Email server. As often as I tell people on my site 'DON'T CONNECT MORE THAN 2 TIMES!!!', I'll get hammered (9-10 times per IP on average). Any way that would let me keep any IP from starting more than 2 connections at once to my server would be a life (and bandwidth) saver. Thanks!

-uniQ
 
Old 01-12-2004, 05:59 PM   #2
ac1980
Member
 
Registered: Aug 2003
Location: Trento, Italy
Distribution: Debian testing
Posts: 394

Rep: Reputation: 30
I don't think it can be easily done at system level... you should have a look in your ftpd/httpd documentation (or at least post their names, e.g. "apache"...), or google for a "connections per user"
 
Old 01-12-2004, 07:24 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There is the iptables extension called connlimit that you can use with the patch-o-matic (POM) tools. Check the docs, but I believe it can limit the number of parallel connections any one host can make. You could possibly just limit the number of packets/sec to do a kind of crude bandwidth control, but I think the connlimit patch is a much better way to accomplish it.

http://www.netfilter.org/patch-o-mat...base-connlimit

Last edited by Capt_Caveman; 01-12-2004 at 07:28 PM.
 
Old 01-13-2004, 04:05 PM   #4
uniQ
Member
 
Registered: Jan 2004
Distribution: SME 6/SuSE9 x64
Posts: 30

Original Poster
Rep: Reputation: 15
(Newbie)

(Newbie) It tells me in the readme to recompile my kernel, but I never compiled it in the 1st place. Any help? or am I missing something?

-uniQ
 
Old 01-13-2004, 11:49 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Yes, a kernel recompile is necessary. Sounds likely that you have a pre-compiled binary kernel installed now, which isn't much help. What the POM does is patch the kernel source code and any relevant modules, so what you'll need is the kernel source itself. E-Smith uses unmodified Red Hat RPMs, so you can download the latest kernel sources from there. Then follow the POM walkthrough here. Then you will need to compile the patched kernel source. You can either use the link they provide to the tldp HOWTO or I recommend the one off the Slackware site here.

One word of caution though: reading through the SME forums, it seems that a lot of people are running into problems upgrading their kernels with the latest Red Hat ones in order to fix the most recent vulnerabilities. So there may or may not be some incompatibilities. In most situations, compiling the kernel is not as bad as people make it out to be. Just make sure to read through the howtos well first so that you know what you're doing, and if you have any questions at all about it, go ahead and post a new thread in the appropriate forum (probably linux-general). It's a good experience and teaches you a fair amount about the "nuts-and-bolts" of linux.

As an alternative, you could use iptables to put a packet limit on the offending IP addresses. It's a really ugly hack if you don't want to recompile the kernel. Something like:

iptables -I INPUT -p tcp -s xxx.xxx.xxx.xxx -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
iptables -I INPUT 2 -p tcp -s xxx.xxx.xxx.xxx -j DROP   # over-limit packets fall through to this rule; the ACCEPT alone discards nothing

You'll have to play around with the limit in order to get the right balance.
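The two approaches the thread discusses, the connlimit cap from post #3 and the packet-rate hack from post #5, as one added shell script that is not part of the original thread. It emits the iptables command lines as text so they can be reviewed before being applied; the ports (21, 25, 80), the cap of 2, the rate numbers and the 192.0.2.10 address in the usage are illustrative assumptions. On any current kernel the connlimit match (xt_connlimit) has been in mainline since 2.6.23, so the patch-o-matic step and the kernel recompile the thread describes are no longer needed; only the POM-era kernels of 2004 required them.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the two approaches discussed
# above as reviewable iptables command lines:
#   1. a hard cap on simultaneous connections per source IP (xt_connlimit,
#      in mainline kernels since 2.6.23, so no patch-o-matic is needed), and
#   2. the per-source packet-rate "hack", paired with the DROP rule that makes
#      the ACCEPT actually limit anything.
# Ports (21/25/80), the cap of 2 and the rate numbers are illustrative assumptions.

# Hard cap: refuse the SYN of any new connection once a source already has
# more than $2 open connections to TCP port $1.  --syn keeps established
# connections out of the match, so only the excess *new* attempt is refused.
# $3 (default 32) is the prefix length used to group sources; 24 caps a /24.
connlimit_rule() {
    port=$1; max=$2; mask=${3:-32}
    printf 'iptables -A INPUT -p tcp --dport %s --syn -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$port" "$max" "$mask"
}

# Crude alternative: token-bucket rate limit on packets from one source ($1).
# The ACCEPT on its own passes packets while the bucket has tokens; the DROP
# that follows it is what discards packets once the bucket is empty.
ratelimit_rules() {
    src=$1; rate=${2:-5/sec}; burst=${3:-10}
    printf 'iptables -A INPUT -p tcp -s %s -m limit --limit %s --limit-burst %s -j ACCEPT\n' "$src" "$rate" "$burst"
    printf 'iptables -A INPUT -p tcp -s %s -j DROP\n' "$src"
}

# Full INPUT policy for an HTTP/FTP/mail box: accept what is already open,
# then cap new connections per service. Order matters: rules are first-match,
# so the ESTABLISHED rule must come before the caps.
ruleset() {
    cap=${1:-2}
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in 21 25 80; do
        connlimit_rule "$p" "$cap"
    done
}

# Precondition check: the match must exist in the running kernel.
have_connlimit() {
    [ -d /sys/module/xt_connlimit ] || modprobe -n xt_connlimit >/dev/null 2>&1
}

# Default: print the rules for review. With APPLY=1 (as root) execute them.
if [ "${APPLY:-0}" = 1 ]; then
    have_connlimit || { echo 'xt_connlimit not available in this kernel' >&2; exit 1; }
    ruleset "${CAP:-2}" | sh -e
else
    ruleset "${CAP:-2}"
fi
```

Run it with no arguments to see the rules; `CAP=3 APPLY=1 sh limit.sh` as root installs them. Afterwards `iptables -L INPUT -n -v` shows per-rule packet counters, which is the quickest way to see whether the cap is firing. Two caveats for the poster's FTP case: the connlimit count is per destination port as written, so a cap on port 21 counts only control connections and passive-mode data connections on high ports are not included (drop `--dport` to count every connection a source has to the box), and `REJECT --reject-with tcp-reset` tells the client immediately that it was refused, whereas `DROP` leaves it waiting on a timeout.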
 