How to limit concurrent access to an httpd server from the same IP

How do I limit concurrent access to my httpd server from the same IP? I sometimes get incoming scans or DoS attempts, and they open a bunch of concurrent sessions to my httpd server. How do I limit this? I want, for example, a maximum of 5 concurrent sessions from one IP to my web server.

Thanks
ahoffmann commented:
AFAIK Apache itself cannot limit this. You'd better do this with your firewall.
 
keepwalking (author) commented:
Uhm... how?
 
ahoffmann commented:
Depends on your firewall; if it is iptables, then there is a --limit option for such things.
 
XoF commented:
> if it is iptables then there is a --limit option for such things

Could be hard stuff using the --limit option, since the OP wants to limit access on a per-source-IP basis...
Smells like dynamically generated filter rules, e.g. by a log-watching daemon...
Any other ideas?

-XoF-
 
XoF commented:
Correction:

The "dstlimit" match extension achieves exactly what you want:

iptables -I INPUT -p tcp --dport 80 -m dstlimit --dstlimit-mode srcip-dstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

This will allow one packet/sec for each srcIP/dstIP/dstPort tuple.

HTH,

-XoF-
 
XoF commented:
Addon:

Sorry, I forgot to mention that the above rules have to be implemented on the web server. If you want to use the rules on your firewall, use these ones:

iptables -I FORWARD -p tcp --dport 80 -d <webserver-IP> -m dstlimit --dstlimit-mode srcip-dstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> -j DROP

-XoF-
 
XoF commented:
OK, I'm too fast today... ;)

As you want to limit the number of concurrent connections, not only packets, I'd implement a SYN limit:

iptables -I FORWARD -p tcp --dport 80 -d <webserver-IP> --syn -m dstlimit --dstlimit-mode srcip-dstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> ! --syn -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> --syn -j DROP

This will allow an average of 1 SYN/sec and a maximum of 5 SYNs in a burst.

Cheers,

-XoF-
 
keepwalking (author) commented:
Wow, cool, thanks.
 
kitivracpc2009 commented:
I have an error:

[root@localhos]# /sbin/iptables -I FORWARD -p tcp --dport 80 --syn -m dstlimit --dstlimit-mode srcip-dstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.3.5: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory

How do I resolve it?

Thank you very much!
 
ahoffmann commented:
I guess iptables got some updates in the meantime and the dstlimit module is either embedded or missing; check your docs.
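The thread ends at the missing dstlimit module. As an added example that is not part of the original thread, the script below builds the same kind of per-source-IP limits with the matches that ship in current iptables: connlimit, which caps the number of concurrent connections per client address (the OP's actual question, max 5), and hashlimit, the mainline successor of the patch-o-matic dstlimit match, for the SYN-rate limit XoF describes. It also checks whether the needed matches load, which is what fails with the "Couldn't load match" error above. It prints the rules instead of applying them so they can be reviewed first; the port, the limits and the gateway address 203.0.113.10 are assumed values.

```shell
#!/bin/sh
# Added example, not from the original thread: per-source-IP limits for an HTTP
# server with the matches in current iptables. connlimit caps concurrent
# connections per client address; hashlimit is the mainline successor of the
# patch-o-matic dstlimit match used in the thread and provides the SYN-rate limit.
# Port, limits and the gateway address used in the usage note are assumed values.

WEB_PORT=80
MAX_CONN=5       # concurrent connections allowed per source IP (the OP asked for 5)
SYN_RATE=1/sec   # average rate of new connections per source IP
SYN_BURST=5      # extra SYNs tolerated in a burst before the rate limit bites

# have_match MATCH: succeeds when the userspace extension for MATCH loads.
# A missing extension fails with the "Couldn't load match" error seen in the thread.
have_match() {
    command -v iptables >/dev/null 2>&1 && iptables -m "$1" --help >/dev/null 2>&1
}

# http_rules CHAIN [DST]: print the rules for review instead of applying them.
# Use INPUT on the web server itself, or FORWARD plus DST="-d <webserver-IP>"
# on a gateway in front of it. Place them before any blanket ACCEPT for the port,
# since iptables stops at the first matching rule.
http_rules() {
    chain=$1
    dst=${2:-}
    base="iptables -A $chain -p tcp ${dst:+$dst }--dport $WEB_PORT"

    # 1. Packets belonging to connections already accepted pass untouched.
    echo "$base ! --syn -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    # 2. Hard cap: a client already holding MAX_CONN connections has its next SYN reset,
    #    so at most MAX_CONN connections stay open per source address.
    echo "$base --syn -m connlimit --connlimit-above $MAX_CONN --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
    # 3. Rate cap per source IP; older iptables spell --hashlimit-upto as --hashlimit.
    echo "$base --syn -m hashlimit --hashlimit-name http_syn --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst $SYN_BURST -j ACCEPT"
    # 4. SYNs above the rate are dropped; the client retransmits and is slowed down.
    echo "$base --syn -j DROP"
}

# Stand-alone run: warn about missing extensions, then print the web-server rule set.
# Apply on the web server with: sh limit-http.sh | sudo sh
for m in conntrack connlimit hashlimit; do
    have_match "$m" || echo "# warning: iptables match '$m' not available here" >&2
done
http_rules INPUT
```

For a gateway in front of the server, call `http_rules FORWARD '-d 203.0.113.10'` instead (203.0.113.10 is a placeholder address). `--connlimit-above 5` rejects the sixth connection from one address, which is the "max 5 concurrent sessions" the question asked for; the hashlimit rule then limits how fast even those five can be reopened. After applying, `iptables -L INPUT -v -n` shows per-rule packet counters, so a quick test with several parallel clients from one host should make the REJECT and DROP counters grow while legitimate traffic keeps flowing.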
