10-25-2009, 05:39 AM #1 Web Hosting Master (Join Date: Apr 2009, Posts: 1,321)
How to limit connections per IP based on domain + string
I need to do this:
(1) domain1.com: limit to 10 connections per IP per 30 seconds, but allow if accessing a file beginning with x.php, such as x.php?981 or x.php?o19
(2) domain2.com: limit to 10 connections per IP per 30 seconds only if accessing a file beginning with x.php, but allow if accessing a file beginning with y.php, such as y.php?981 or y.php?o19
Found 2 articles that help somewhat, but not exactly what I am looking for:
http://www.debian-administration.org/articles/187
http://wiztelsys.com/Article_iptables_bob2.html
-
10-25-2009, 12:21 PM #2 Web Hosting Master (Join Date: Apr 2003, Location: NC, Posts: 3,093)
http://dominia.org/djao/limitipconn.html
Limitipconn can do it based on the vhost; if nothing else you could put different files on different subdomains as a quick way of doing it. You could use redirects to handle this.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
10-25-2009, 07:22 PM #3 Disabled (Join Date: May 2006, Posts: 1,426)
You can do this with iptables string and limit matches.
http://www.cyberciti.biz/tips/howto-...n-attacks.html - on using limit for syn attacks
http://netfilter.org/documentation/H...s-HOWTO-3.html - on using limit and string
http://wiztelsys.com/Article_iptables_bob2.html - on string match
You would have to have an overall chain, probably starting with a deny and then allowing access per string or whatever.
Here is an example of a string-match rule for deny:
iptables -I INPUT -j DROP -p tcp -m string --algo bm --string "CLR 1.1.4322"
You couldn't use string and limit in the same rule, I don't think, so it would have to be some chain. This can be done though. You should be able to come up with your ruleset using examples of both matches.
-
10-26-2009, 04:19 AM #4 Aspiring Evangelist (Join Date: Mar 2009, Location: /home/khunj, Posts: 433)
If you are using Apache, you can easily do it with mod_security.
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
-
10-26-2009, 05:23 AM #5 Disabled (Join Date: May 2006, Posts: 1,426)
Really, think about what you just said. Look at his post, what he asked, and just give us even a faint idea of how you would do that.
The only way it is possible is using string and limit match iptables chains.
Example of a chain:
Code:
iptables -N syn-flood
iptables -A INPUT -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
iptables -A FORWARD -i eth+ -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j syn-flood
iptables -A syn-flood -m limit --limit 4/s --limit-burst 16 -j RETURN
iptables -A syn-flood -m limit --limit 75/s --limit-burst 100 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD " --log-tcp-sequence --log-tcp-options --log-ip-options -m limit --limit 1/second
iptables -A syn-flood -j DROP
iptables -I INPUT -j ACCEPT -p tcp -m string --algo bm --string "x.php?9"
Then set the limit before or after that, I am not sure. But it can be done with limit, string and/or recent match.
Not meaning to be a smart aleck, khunj, but mod_security doesn't do that. No Apache module would do what he is talking about, to my knowledge.
-
10-26-2009, 09:52 AM #6 Aspiring Evangelist (Join Date: Mar 2009, Location: /home/khunj, Posts: 433)
Not only does mod_security do that, but, unlike iptables, that's its job and it will do it much better.
1) iptables:
- using limit: the OP wants to rate limit an IP with more than 10 hits/30s. The limit module cannot do that, as it doesn't keep track of IPs but limits anyone and, as usual, will also reject legitimate visitors.
- using string: string is a very interesting module, but here your rule will process any packet (what is the point of filtering SYN, RST, FIN etc. segments?), regardless of its size (up to 64Kb, ouch...). And of course, if the GET request is split into 2 different packets (that's the way the TCP protocol works), iptables will miss it.
2) mod_security: as said above, that's its job
Code:
# domain1.com :
# filter only domain1.com :
SecRule REQUEST_HEADERS:Host "!domain1\.com" "skip:5,nolog"
# track that IP :
SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
# decrement the collection (-100 hits every 30s should be enough) :
SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
# let it go and skip the next 2 rules if it requested x.php :
SecRule REQUEST_URI "x\.php" "skip:2,nolog"
# increment it :
SecAction "nolog,setvar:ip.maxlimit=+1"
# if the threshold has been reached, drop it :
SecRule IP:MAXLIMIT "@gt 10" "drop,log,msg:'dropping %{REMOTE_ADDR} (%{ip.maxlimit} connection attempts)'"
NinTechNet
★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
★ NinjaMonitoring : Monitor your website for suspicious activities.
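An added Python model (constructed for this thread, not khunj's rule set or ModSecurity code) of how the per-IP counter in the mod_security chain above behaves: initcol, setvar +1, deprecatevar decay and the skip branch for x.php. It goes beyond the post in two ways: the decay is set to 10 hits per 30 s to match the OP's stated limit, and an `only` pattern covers the OP's domain2 case, where just x.php requests are counted. The stepwise decay and the class and method names are assumptions that simplify ModSecurity's deprecatevar, which decays continuously.

```python
import re

class PerIpLimiter:
    """Per-IP hit counter modelled on the mod_security rule set above.
    initcol creates the IP's record, setvar increments ip.maxlimit,
    deprecatevar lowers it by `decay` every `period` seconds, and a
    request matching `exempt` is never counted (the skip branch).
    `only`, when set, counts just matching requests (the OP's domain2
    case: count x.php, let y.php and everything else through)."""

    def __init__(self, host, threshold=10, decay=10, period=30.0,
                 exempt=None, only=None):
        self.host = host
        self.threshold = threshold
        self.decay, self.period = decay, period
        self.exempt = re.compile(exempt) if exempt else None
        self.only = re.compile(only) if only else None
        self.state = {}  # ip -> [counter, timestamp of last decay]

    def _deprecate(self, ip, now):
        # Simplified deprecatevar: subtract `decay` per whole `period`
        # elapsed (ModSecurity decays continuously; this is an assumption).
        counter, last = self.state[ip]
        steps = int((now - last) // self.period)
        if steps > 0:
            counter = max(0, counter - steps * self.decay)
            last += steps * self.period
        self.state[ip] = [counter, last]

    def check(self, host, ip, uri, now):
        """Return 'pass' or 'drop' for one request, following the chain."""
        if host != self.host:                        # Host "!domain" -> skip all
            return "pass"
        if ip not in self.state:                     # initcol:ip=%{REMOTE_ADDR}
            self.state[ip] = [0, now]
        self._deprecate(ip, now)                     # deprecatevar:ip.maxlimit
        if self.exempt and self.exempt.search(uri):  # x.php -> skip:2
            return "pass"
        if self.only and not self.only.search(uri):  # not x.php -> not counted
            return "pass"
        self.state[ip][0] += 1                       # setvar:ip.maxlimit=+1
        return "drop" if self.state[ip][0] > self.threshold else "pass"

def simulate(limiter, requests):
    """Run (host, ip, uri, time) tuples through a limiter; return verdicts."""
    return [limiter.check(*req) for req in requests]

if __name__ == "__main__":
    # Constructed traffic: 12 hits on domain1 within about a second, then one at 30 s.
    burst = [("domain1.com", "198.51.100.7", "/index.html", t * 0.1) for t in range(12)]
    burst.append(("domain1.com", "198.51.100.7", "/index.html", 30.0))
    print(simulate(PerIpLimiter("domain1.com", exempt=r"x\.php"), burst))
```

The 11th and 12th hits are dropped; after 30 s the decay brings the counter back under the threshold and the IP passes again.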
-
10-26-2009, 07:15 PM #7 Disabled (Join Date: May 2006, Posts: 1,426)
-
10-27-2009, 01:51 PM #8 Web Hosting Master (Join Date: Apr 2009, Posts: 1,321)
-
02-11-2011, 12:40 PM #9 New Member (Join Date: Feb 2008, Posts: 1)
Thanks khunj!
I have the domain abc.net and the file Login.aspx, and I use Apache as a load balancer. Now I want to limit connections only to the Login.aspx file. I used your code:
# abc.net :
# filter only abc.net :
SecRule REQUEST_HEADERS:Host "!www\.abc\.net" "skip:5,nolog"
# track the IP :
#SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
# decrement the hit count (-100 hits every 30s) :
#SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
# skip the next 3 rules if the request is for the Login.aspx file :
#SecRule REQUEST_URI "Login\.aspx" "skip:2,nolog"
# increment the value :
#SecAction "nolog,setvar:ip.maxlimit=+1"
# if the connection count reaches the limit, drop it :
#SecRule IP:MAXLIMIT "@gt 10" "drop, log, msg:'dropping %{REMOTE_ADDR} (%{ip.maxlimit} connection DDOS)'"
Is this correct? Thanks a lot.
Sorry for my English.