LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Rate limiting apache requests per second

[ILUG] Rate limiting apache requests per second

Ronan Mullally ronan at iol.ie
Wed Jan 6 11:44:59 GMT 2010 

Hi John,

On Wed, 6 Jan 2010, John P. Looney wrote:

>  IPTables has rules like 'Only allow 20 new IP connections from any given
> netblock per minute'. It can even do bursts, so you can do '100 per 5
> minutes' etc. My own server has some setup for SSH like that -
> non-whitelisted IPs get 2 ssh requests per 5 minutes, or something like
> that, to stop brute-force attacks filling up my logs.
>
>  IPTables is not going to help much if someone opens a connection and keeps
> ramming requests down it - I assume Apache closes the socket, if it's being
> abused though.

This is the situation I've got.  The connlimit module allows me to set an
absolute limit on concurrent connections, so the need to rate-limit
incoming connections from each source is reduced.  Even if I do rate
limit, it's the content of the connections that get through this filter
I'm trying to control.

Apache may or may not close the connection (I've not been around to
observe when the issue is occuring), the problem is that the reverse proxy
doesn't - it appears to ignore Apache's KeepAlive headers, keeping the
connection to the client open regardless.

> You could even put in *huge* limits initially, and monitor syslog to make
> sure that it's OK, and slowly bring them down until you get a false
> positive. Combined with whitelisting (if you have members only area, harvest
> all IPs from that), it's a nice idea.

This looks like the only option I've got - a watcher that adds a DROP rule
when it sees a particular log entry and then removes it X seconds later
(or more likely, adds a timestamp as a comment and then a garbage
collector that cleans up old rules).


-Ronan

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell