  1. #1
    Join Date
    Apr 2009
    Posts
    1,321

    How to limit connections per IP based on domain + string

    I need to do this:

    (1) domain1.com: limit to 10 connections per IP per 30 seconds, but allow if accessing a file beginning with x.php, such as x.php?981 or x.php?o19

    (2) domain2.com: limit to 10 connections per IP per 30 seconds only if accessing a file beginning with x.php, but allow if accessing a file beginning with y.php (y.php?981, y.php?o19)


    Found 2 articles that help somewhat, but not exactly what I am looking for:
    http://www.debian-administration.org/articles/187
    http://wiztelsys.com/Article_iptables_bob2.html

  2. #2
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    http://dominia.org/djao/limitipconn.html

    Limitipconn can do it based on the vhost; if nothing else, you could put different files on different subdomains as a quick way of doing it. You could use redirects to handle this.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  3. #3
    Join Date
    May 2006
    Posts
    1,426
    You can do this with iptables string and limit matches.

    http://www.cyberciti.biz/tips/howto-...n-attacks.html - on using limit for syn attacks

    http://netfilter.org/documentation/H...s-HOWTO-3.html - on using limit and string
    http://wiztelsys.com/Article_iptables_bob2.html - on string match

    You would have to have an overall chain probably starting with a deny and then allowing access per string or whatever.

    Here is an example of a string match rule for deny.
    iptables -I INPUT -j DROP -p tcp -m string --algo bm --string "CLR 1.1.4322"

    You couldn't use string and limit in the same rule, I don't think, so it would have to be some chain. This can be done though. You should be able to come up with your ruleset using examples of both matches.

  4. #4
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    433
    If you are using Apache, you can easily do it with mod_security.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  5. #5
    Join Date
    May 2006
    Posts
    1,426
    Quote Originally Posted by khunj:
    If you are using Apache, you can easily do it with mod_security.
    Really, think about what you just said. Look at his post, what he asked, and just give us even a faint idea of how you would do that.

    The only way it is possible is using string and limit match iptables chains.

    Example of a chain
    Code:
    iptables -N syn-flood
    iptables -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
    iptables -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
    iptables -A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
    iptables -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence  --log-tcp-options  --log-ip-options -m limit --limit 1/second
    iptables -A syn-flood -j DROP
    So the OP would have to have something like:
    iptables -I INPUT -j ACCEPT -p tcp -m string --algo bm --string "x.php?9"

    Then set the limit before or after that, I am not sure. But it can be done with limit, string and/or recent match.

    Not meaning to be a smart aleck, khunj, but mod_security doesn't do that. No Apache module would do what he is talking about, to my knowledge.

  6. #6
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    433
    Quote Originally Posted by felosi:
    The only way it is possible is using string and limit match iptables chains.

    Not meaning to be a smart aleck, khunj, but mod_security doesn't do that. No Apache module would do what he is talking about, to my knowledge.
    Not only does mod_security do that, but, unlike iptables, that's its job and it will do it much better.

    1) iptables :
    - using limit : the OP wants to rate limit an IP with more than 10 hits/30s. The limit module cannot do that, as it doesn't keep track of IPs but limits everyone and, as usual, will also reject legitimate visitors.
    - using string : string is a very interesting module, but here, your rule will process every packet (what is the point of filtering SYN, RST, FIN, etc. segments?), regardless of its size (up to 64Kb, ouch...). And of course, if the GET request is split into 2 different packets (that's the way the TCP protocol works), iptables will miss it.

    2) mod_security : as said above, that's its job

    Code:
    # domain1.com :
    
    # filter only domain1.com :
    SecRule REQUEST_HEADERS:Host "!domain1\.com" "skip:5,nolog"
    # track that IP :
    SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
    # decrement the collection (-100 hits every 30s should be enough) :
    SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
    # let it go and skip the next 2 rules (the increment and the drop) if it requested x.php :
    SecRule REQUEST_URI "x\.php" "skip:2,nolog"
    # increment it :
    SecAction "nolog,setvar:ip.maxlimit=+1"
    # if the threshold has been reached, drop it :
    SecRule IP:MAXLIMIT "@gt 10" "drop, log, msg:'dropping %{REMOTE_ADDR} \
       (%{ip.maxlimit} connection attempts)'"
    
    Not to mention that the last line should be replaced with "drop,nolog" on a production server, otherwise logs might get flooded quickly.
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.

  7. #7
    Join Date
    May 2006
    Posts
    1,426
    Quote Originally Posted by khunj:
    Not only does mod_security do that, but, unlike iptables, that's its job and it will do it much better.

    1) iptables :
    - using limit : the OP wants to rate limit an IP with more than 10 hits/30s. The limit module cannot do that, as it doesn't keep track of IPs but limits everyone and, as usual, will also reject legitimate visitors.
    - using string : string is a very interesting module, but here, your rule will process every packet (what is the point of filtering SYN, RST, FIN, etc. segments?), regardless of its size (up to 64Kb, ouch...). And of course, if the GET request is split into 2 different packets (that's the way the TCP protocol works), iptables will miss it.

    2) mod_security : as said above, that's its job

    Code:
    # domain1.com :
    
    # filter only domain1.com :
    SecRule REQUEST_HEADERS:Host "!domain1\.com" "skip:5,nolog"
    # track that IP :
    SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
    # decrement the collection (-100 hits every 30s should be enough) :
    SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
    # let it go and skip the next 2 rules (the increment and the drop) if it requested x.php :
    SecRule REQUEST_URI "x\.php" "skip:2,nolog"
    # increment it :
    SecAction "nolog,setvar:ip.maxlimit=+1"
    # if the threshold has been reached, drop it :
    SecRule IP:MAXLIMIT "@gt 10" "drop, log, msg:'dropping %{REMOTE_ADDR} \
       (%{ip.maxlimit} connection attempts)'"
    
    Not to mention that the last line should be replaced with "drop,nolog" on a production server, otherwise logs might get flooded quickly.
    I guess I stand corrected then. I apologize, I did not know mod_security had limiting features. Anyway, at least the OP has some examples to go by.

  8. #8
    Join Date
    Apr 2009
    Posts
    1,321
    Quote Originally Posted by khunj:
    Not only does mod_security do that, but, unlike iptables, that's its job and it will do it much better.

    1) iptables :
    - using limit : the OP wants to rate limit an IP with more than 10 hits/30s. The limit module cannot do that, as it doesn't keep track of IPs but limits everyone and, as usual, will also reject legitimate visitors.
    - using string : string is a very interesting module, but here, your rule will process every packet (what is the point of filtering SYN, RST, FIN, etc. segments?), regardless of its size (up to 64Kb, ouch...). And of course, if the GET request is split into 2 different packets (that's the way the TCP protocol works), iptables will miss it.

    2) mod_security : as said above, that's its job

    Code:
    # domain1.com :
    
    # filter only domain1.com :
    SecRule REQUEST_HEADERS:Host "!domain1\.com" "skip:5,nolog"
    # track that IP :
    SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
    # decrement the collection (-100 hits every 30s should be enough) :
    SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
    # let it go and skip the next 2 rules (the increment and the drop) if it requested x.php :
    SecRule REQUEST_URI "x\.php" "skip:2,nolog"
    # increment it :
    SecAction "nolog,setvar:ip.maxlimit=+1"
    # if the threshold has been reached, drop it :
    SecRule IP:MAXLIMIT "@gt 10" "drop, log, msg:'dropping %{REMOTE_ADDR} \
       (%{ip.maxlimit} connection attempts)'"
    
    Not to mention that the last line should be replaced with "drop,nolog" on a production server, otherwise logs might get flooded quickly.

    Thanks.

    Does this work for the 1st condition or the 2nd condition?

    Can you post the rules for the 2nd condition for me?

    Appreciate it.
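The thread never posts the rules for the second condition (domain2.com: count only requests for x.php, let y.php and everything else through). What follows is an added example, not khunj's code, that mirrors the structure of the domain1.com rule set above with the exemption test inverted. It assumes ModSecurity 2.x; the rule ids, the SecDataDir path and the explicit pass/phase actions are my additions, and the URI test uses @beginsWith so that a path such as /notx.php is not counted.

```apache
# Persistent storage for the "ip" collection: initcol needs SecDataDir.
# (the path is a constructed example; pick a directory Apache can write)
SecDataDir /var/cache/modsecurity

# domain2.com: only x.php requests count against the per-IP limit.
# Any other vhost: skip the 5 rules below.
SecRule REQUEST_HEADERS:Host "!domain2\.com" "id:2001,phase:1,pass,nolog,skip:5"
# y.php, or anything else that is not x.php: skip the 4 rules below, nothing is counted.
SecRule REQUEST_URI "!@beginsWith /x.php" "id:2002,phase:1,pass,nolog,skip:4"
# track this client IP
SecAction "id:2003,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"
# decay: subtract 100 hits per 30 s, which empties the counter every window
# (a window reset, not a true sliding window, same as the domain1.com rules)
SecAction "id:2004,phase:1,pass,nolog,deprecatevar:ip.xphp_hits=100/30"
# count this x.php hit
SecAction "id:2005,phase:1,pass,nolog,setvar:ip.xphp_hits=+1"
# 11th x.php hit from the same IP inside the window: drop the connection
# (use drop,nolog in production, as khunj notes, to keep the log from flooding)
SecRule IP:XPHP_HITS "@gt 10" "id:2006,phase:1,drop,log,msg:'dropping %{REMOTE_ADDR} (%{ip.xphp_hits} x.php hits)'"
```

The domain1.com and domain2.com blocks can coexist because each uses its own counter variable in the shared ip collection.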

  9. #9
    Thanks khunj!
    I have the domain abc.net and the file Login.aspx, and I use Apache as a load balancer. Now I want to limit connections only to the Login.aspx file. I use your code:

    # abc.net :

    # Filter only for abc.net :
    SecRule REQUEST_HEADERS:Host "!www\.abc\.net" "skip:5,nolog"
    # Track the IP :
    #SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
    # Decrease the hit count (decrease by 100 hits every 30s) :
    #SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
    # Continue with the next 3 rules if the connection is to the Login.aspx file :
    #SecRule REQUEST_URI "Login\.aspx" "skip:2,nolog"
    # Increment the value :
    #SecAction "nolog,setvar:ip.maxlimit=+1"
    # If the connection count reaches the limit, drop it right away :
    #SecRule IP:MAXLIMIT "@gt 10" "drop, log, msg:'dropping %{REMOTE_ADDR} (%{ip.maxlimit} connection DDOS)'"

    Is this correct? Thanks a lot.
    Sorry for my English.
