how to limit concurrent access to httpd server from same ip

keepwalking
How to limit concurrent access to an httpd server from the same IP? I sometimes have incoming scans or DoS attempts .... and they open a bunch of concurrent sessions to my httpd server ... how do I limit this? I want, for example, max 5 concurrent sessions from 1 IP to my web server.


thanks
AFAIK apache itself cannot limit this. You better do this with your firewall.

Author

Commented:
uhm ... how ?
Depends on your firewall; if it is iptables, there is a --limit option for such things.

XoF

Commented:
>  if it is iptables then there is a --limit option for such things

could be hard stuff using the --limit option, since the OP wants to limit access on a per source-IP basis...
Smells like dynamically generated filter rules, e.g. by a logwatching daemon....
Any other ideas?

-XoF-
XoF

Commented:
Correction:

the "dstlimit" match extension achieves exactly what you want:

iptables -I INPUT -p tcp --dport 80 -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

This will allow one packet/sec for each srcIP-destIP/destPort tuple.

HTH,

-XoF-
XoF

Commented:
Addon:

Sorry, I forgot to mention that the above rules have to be implemented on the web server. If you want to use the rules on your firewall, use these ones:

iptables -I FORWARD -p tcp --dport 80 -d <webserver-IP> -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP>  -j DROP

-XoF-
Commented:
OK, I'm too fast today... ;)

As you want to limit the number of concurrent connections, not only packets, I'd implement a SYN-limit:

iptables -I FORWARD -p tcp --dport 80 -d <webserver-IP> --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> ! --syn -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> --syn  -j DROP

This will allow an average of 1 syn/sec and max. 5 syns in a burst.

cheers,

-XoF-

Author

Commented:
wow cool thanks
I have an error:

[root@localhos]# /sbin/iptables -I FORWARD -p tcp --dport 80  --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.3.5: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory

How to resolve it?

Thank you much !!!
I guess iptables got some updates meanwhile and the dstlimit module is either embedded or missing; check your docs.
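The dstlimit match that fails to load above was later superseded by the hashlimit match, and the per-client concurrent-connection cap the question actually asks for is what the connlimit match provides. The script below is an added example and not code posted by anyone in this thread; it assumes a Linux host running iptables with the hashlimit and connlimit matches available, HTTP on port 80, a cap of 5 concurrent connections per source IP (the number from the question), and that traffic belonging to already-established connections is accepted elsewhere in the chain (or by an ACCEPT policy). The `busy_clients` function is a defender's check: it reads `ss -tn` style output and lists clients at or above the cap, so you can see who is hitting the limit before and after the rules go in. The `SS_SAMPLE` data is constructed for the example.

```shell
#!/bin/sh
# Added example: per-source-IP connection limits for an HTTP server using the
# connlimit and hashlimit matches (successors of the dstlimit match used above).
# Assumptions: Linux iptables with both matches, HTTP on port 80, limit of 5.

HTTP_PORT="${HTTP_PORT:-80}"
MAX_CONNS="${MAX_CONNS:-5}"      # concurrent connections allowed per source IP
SYN_RATE="${SYN_RATE:-1/sec}"    # sustained new-connection rate per source IP
SYN_BURST="${SYN_BURST:-5}"      # burst allowance above SYN_RATE (as in the thread)

# Print (do not apply) the rules for the INPUT chain on the web server itself.
# Pipe the output to sh to apply. Rule order matters: the connlimit check must
# come before the hashlimit ACCEPT, or an accepted SYN never reaches it.
# On a separate firewall use FORWARD and add "-d <webserver-IP>" to each rule.
http_limit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport ${HTTP_PORT} --syn -m connlimit --connlimit-above ${MAX_CONNS} --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport ${HTTP_PORT} --syn -m hashlimit --hashlimit-name http_syn --hashlimit-mode srcip --hashlimit-upto ${SYN_RATE} --hashlimit-burst ${SYN_BURST} -j ACCEPT
iptables -A INPUT -p tcp --dport ${HTTP_PORT} --syn -j DROP
EOF
}

# Defender's check: count ESTAB connections per client IP from "ss -tn" output
# on stdin and print "ip count" for every client at or above the threshold.
# $1 = local port to look at, $2 = threshold. Peer column is "ip:port".
busy_clients() {
    awk -v port="$1" -v max="$2" '
        $1 == "ESTAB" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # strip the client source port
            n[peer]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' | sort
}

# Constructed sample in "ss -tn" layout: one client holding six connections
# to port 80, another holding two, plus an unrelated connection to port 22.
SS_SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51001
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51002
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51003
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51004
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51005
ESTAB 0 0 10.0.0.5:80 203.0.113.7:51006
ESTAB 0 0 10.0.0.5:80 198.51.100.9:40010
ESTAB 0 0 10.0.0.5:80 198.51.100.9:40011
ESTAB 0 0 10.0.0.5:22 192.0.2.33:55555'

# Usage:  ./http_limits.sh --rules | sh      (apply the rules)
#         ./http_limits.sh --check           (who is at the cap right now)
#         ./http_limits.sh --demo            (run the check on the sample)
case "${1:-}" in
    --rules) http_limit_rules ;;
    --check) ss -tn | busy_clients "$HTTP_PORT" "$MAX_CONNS" ;;
    --demo)  printf '%s\n' "$SS_SAMPLE" | busy_clients "$HTTP_PORT" "$MAX_CONNS" ;;
esac
```

With the sample, `--demo` reports only `203.0.113.7 6`: the client with two connections is under the cap and the SSH connection is ignored because it is on another port. The REJECT with a TCP reset (rather than a silent DROP) for the over-limit client makes the refusal visible in the client's own error instead of leaving half-open connections hanging, while SYNs above the hashlimit rate are dropped as in XoF's dstlimit rules.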
