Limit Connections Per IP

How do I restrict the number of connections a single IP address may open to my server on ports 80 and 25 using iptables? You need to use the iptables connlimit module, which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
This is useful to protect your server or VPS against flooding, spamming or content scraping.

Syntax

The syntax is as follows:

 /sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
 # save the changes (see the iptables-save man page); the following command is Red Hat specific
 service iptables save


Example: Limit SSH Connections Per IP / Host

Only allow 3 SSH connections per client host:
 /sbin/iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
 # save the changes (see the iptables-save man page); the following command is Red Hat specific
 service iptables save


Example: Limit HTTP Connections Per IP / Host

Only allow 20 HTTP connections per IP (MaxClients is set to 60 in httpd.conf):
 WARNING! Large proxy servers may legitimately open a large number of connections to your server. You can exempt those IPs using the ! (negation) syntax.


 /sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
 # save the changes (see the iptables-save man page); the following command is Red Hat specific
 service iptables save


Exempt the proxy server IP 1.2.3.4 from this kind of limitation:
 # the limit is counted per client source address, so the negation goes on -s (not -d, which tests the destination)
 /sbin/iptables -A INPUT -p tcp --syn --dport 80 ! -s 1.2.3.4 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset


Example: Class C Limitations

In this example, limit parallel HTTP connections to 20 per class C sized network (24-bit netmask):
 /sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
 # save the changes (see the iptables-save man page)
 service iptables save


Example: Limit Connections Per Second

The following example will drop incoming connections if an IP makes more than 10 connection attempts to port 80 within 100 seconds (add the rules to your iptables shell script):
 #!/bin/bash
 IPT=/sbin/iptables
 # Time window in seconds (not named SECONDS, which bash reserves for its own elapsed-time counter)
 WINDOW=100
 # Max new connections per IP within the window
 BLOCKCOUNT=10
 # ....
 # ..
 # default action can be DROP or REJECT
 DACTION="DROP"
 # record every new connection to port 80 in the recent list
 $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
 # drop the client once it exceeds BLOCKCOUNT new connections within WINDOW seconds
 $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${WINDOW} --hitcount ${BLOCKCOUNT} -j ${DACTION}
 # ....
 # ..

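The rules from the sections above, collected into one re-runnable script (an added example, not code from the original post). It assumes interface eth0 and a constructed proxy address 203.0.113.5; by default it only prints the iptables commands, and it applies them when run as root with IPT=/sbin/iptables.

```shell
#!/bin/bash
# Added example: the connlimit and recent rules from this page as one
# idempotent script. IPT defaults to a dry run that prints the commands;
# IFACE and the proxy address 203.0.113.5 are constructed assumptions.
IPT="${IPT:-echo /sbin/iptables}"
IFACE="${IFACE:-eth0}"
PROXY="${PROXY:-203.0.113.5}"

# Append a rule only if an identical one is not already present
# (iptables -C), so the script can be re-run without duplicating rules.
add_rule() {
    if [ "${IPT#echo}" = "$IPT" ]; then
        $IPT -C "$@" 2>/dev/null || $IPT -A "$@"
    else
        $IPT -A "$@"
    fi
}

# connlimit counts *parallel* connections: reject SYNs once a client
# (or its /$3 block) already holds $1 connections to port $2.
# Extra arguments such as "! -s $PROXY" exempt a trusted source.
connlimit_rule() {
    local limit="$1" port="$2" mask="$3"
    shift 3
    add_rule INPUT -p tcp --syn --dport "$port" "$@" \
        -m connlimit --connlimit-above "$limit" --connlimit-mask "$mask" \
        -j REJECT --reject-with tcp-reset
}

# recent counts connection *attempts* over time: drop a client that opens
# more than $2 new connections to port $1 within $3 seconds. A private
# list name keeps this counter separate from other recent rules, and the
# window variable is not called SECONDS, which bash reserves for a timer.
rate_limit_rules() {
    local port="$1" hits="$2" window="$3"
    add_rule INPUT -p tcp --dport "$port" -i "$IFACE" -m state --state NEW \
        -m recent --name "ratelimit_$port" --set
    add_rule INPUT -p tcp --dport "$port" -i "$IFACE" -m state --state NEW \
        -m recent --name "ratelimit_$port" --update \
        --seconds "$window" --hitcount "$hits" -j DROP
}

# The policy described on this page, proxy exempted from the HTTP limits.
apply_policy() {
    connlimit_rule 3 22 32                  # 3 SSH connections per host
    connlimit_rule 20 80 32 ! -s "$PROXY"   # 20 HTTP per host
    connlimit_rule 20 80 24 ! -s "$PROXY"   # 20 HTTP per /24 block
    rate_limit_rules 80 10 100              # 10 new HTTP conns per 100 s
}
```

Call apply_policy after sourcing the script, or append the call at the end of the file.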

How Do I Test That My Firewall Is Working?
Use the following shell script to connect to your web server hosted at 202.1.2.3:

 #!/bin/bash
 ip="202.1.2.3"
 port="80"
 # connections are opened one after another, which exercises the per-second (recent) rule;
 # run nc in the background (&) to hold connections open in parallel when testing the connlimit rule
 for i in {1..100}
 do
  # do nothing, just connect and exit
  echo "exit" | nc ${ip} ${port}
 done

