• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2833

how to limit concurrent access to httpd server from same ip

How to limit concurrent access to httpd server from the same IP? I sometimes have incoming scans or DoS attacks, and they open a bunch of concurrent sessions to my httpd server. How do I limit this? I want, for example, max 5 concurrent sessions from 1 IP to my web server.


thanks
0
1 Solution
 
ahoffmannCommented:
AFAIK Apache itself cannot limit this. You'd better do this with your firewall.
0
 
keepwalkingAuthor Commented:
Uhm... how?
0
 
ahoffmannCommented:
Depends on your firewall; if it is iptables, then there is a --limit option for such things.
0
 
XoFCommented:
>  if it is iptables then there is a --limit option for such things

Could be hard stuff using the --limit option, since the OP wants to limit access on a per-source-IP basis...
Smells like dynamically generated filter rules, e.g. by a log-watching daemon....
Any other ideas?

-XoF-
0
 
XoFCommented:
Correction:

The "dstlimit" match extension achieves exactly what you want:

iptables -I INPUT -p tcp --dport 80 -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

This will allow one packet/sec for each srcIP-destIP/destPort tuple.

HTH,

-XoF-
0
 
XoFCommented:
Addon:

Sorry, I forgot to mention that the above rules have to be implemented on the web server. If you want to use the rules on your firewall, use these ones:

iptables -I FORWARD -p tcp --dport 80 -d <webserver-IP> -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP>  -j DROP

-XoF-
0
 
XoFCommented:
OK, I'm too fast today... ;)

As you want to limit the number of concurrent connections, not only packets, I'd implement a SYN-limit:

iptables -I FORWARD -p tcp --dport 80 -d <webserver-IP> --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> ! --syn -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -d <webserver-IP> --syn  -j DROP

This will allow an average of 1 SYN/sec and max. 5 SYNs in a burst.

cheers,

-XoF-
0
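A token-bucket model of what the three SYN-limit rules above do, written here as an added example (not code from the thread), run over a constructed packet trace: the bucket is keyed per (source IP, destination IP, destination port) as with --dstlimit-mode srcipdstip-dstport, and the rate and burst (1/sec, 5) are the values the post states. The web server and client addresses are constructed documentation addresses standing in for <webserver-IP> and the scanning hosts.

```python
from collections import namedtuple

# Constructed example, not from the thread. Models the dstlimit match
# (superseded by "hashlimit" in current iptables) as a token bucket keyed
# per (src, dst, dport), i.e. --dstlimit-mode srcipdstip-dstport.
Packet = namedtuple("Packet", "t src dst dport syn")
WEB = "192.0.2.10"  # constructed stand-in for <webserver-IP>

class DstLimit:
    """Per-key bucket: refills at `rate` tokens/sec, holds at most `burst`
    (--dstlimit 1/sec with the default burst of 5)."""
    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst = rate, burst
        self.buckets = {}  # key -> (tokens, time of last update)

    def match(self, key, now):
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if ok else tokens, now)
        return ok

def forward_chain(packets, limiter):
    """Verdict per packet under XoF's three FORWARD rules: SYN within the
    dstlimit -> ACCEPT; non-SYN (open flows) -> ACCEPT; other SYN -> DROP."""
    verdicts = []
    for p in packets:
        if p.dst != WEB or p.dport != 80:
            verdicts.append("PASS")  # none of the three rules applies
        elif not p.syn:
            verdicts.append("ACCEPT")
        elif limiter.match((p.src, p.dst, p.dport), p.t):
            verdicts.append("ACCEPT")
        else:
            verdicts.append("DROP")
    return verdicts

def demo():
    """Host A fires 8 SYNs in 0.7 s (burst of 5 passes, 3 dropped), sends
    data on an open flow, then one more SYN a second later (one token has
    refilled); host B's single SYN draws on its own bucket."""
    a, b = "198.51.100.7", "203.0.113.9"  # constructed client addresses
    trace = [Packet(i / 10, a, WEB, 80, True) for i in range(8)]
    trace += [Packet(0.8, a, WEB, 80, False), Packet(0.8, b, WEB, 80, True),
              Packet(1.7, a, WEB, 80, True)]
    return forward_chain(trace, DstLimit(rate=1.0, burst=5))

if __name__ == "__main__":
    print(demo())  # 5 x ACCEPT, 3 x DROP, then 3 x ACCEPT
```

This caps the rate of new connections per source, not the number open at once; the concurrency cap the question literally asks for is what iptables' connlimit match (-m connlimit --connlimit-above 5) provides.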
 
keepwalkingAuthor Commented:
wow cool thanks
0
 
kitivracpc2009Commented:
I have an error:

[root@localhos]# /sbin/iptables -I FORWARD -p tcp --dport 80  --syn -m dstlimit --dstlimit-mode srcipdstip-dstport --dstlimit 1/sec -j ACCEPT
iptables v1.3.5: Couldn't load match `dstlimit':/lib/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory

How do I resolve it?

Thank you very much!!!
0
 
ahoffmannCommented:
I guess iptables got some updates meanwhile and the dstlimit module is either embedded or missing; check your docs.
0