On Wed, 6 Jan 2010, John P. Looney wrote:
> IPTables has rules like 'Only allow 20 new IP connections from any given
> netblock per minute'. It can even do bursts, so you can do '100 per 5
> minutes' etc. My own server has some setup for SSH like that -
> non-whitelisted IPs get 2 ssh requests per 5 minutes, or something like
> that, to stop brute-force attacks filling up my logs.
>> IPTables is not going to help much if someone opens a connection and keeps
> ramming requests down it - I assume Apache closes the socket, if it's being
> abused though.
This is the situation I've got. The connlimit module allows me to set an
absolute limit on concurrent connections, so the need to rate-limit
incoming connections from each source is reduced. Even if I do rate
limit, it's the content of the connections that get through this filter
I'm trying to control.
Apache may or may not close the connection (I've not been around to
observe when the issue is occuring), the problem is that the reverse proxy
doesn't - it appears to ignore Apache's KeepAlive headers, keeping the
connection to the client open regardless.
> You could even put in *huge* limits initially, and monitor syslog to make
> sure that it's OK, and slowly bring them down until you get a false
> positive. Combined with whitelisting (if you have members only area, harvest
> all IPs from that), it's a nice idea.
This looks like the only option I've got - a watcher that adds a DROP rule
when it sees a particular log entry and then removes it X seconds later
(or more likely, adds a timestamp as a comment and then a garbage
collector that cleans up old rules).
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!