• Status: Solved

Limit simultaneous connections per IP on HTTP

Hi,
I'm running CentOS 5 (RHEL 5 clone).
I'm trying to limit simultaneous connections on the http port to 10 connections per IP address at a time.
I'm trying to find a solution to do that without having to use unsupported software / recompiling kernel (to make future software updates the simplest possible).

Currently I found:
- kernel module connlimit for iptables: not compiled in the default kernel.
- kernel module iplimit for iptables: not compiled in the default kernel.
- Apache module limitipconn: not supported, no compatible rpm available.

I can't believe there is no easy solution for that.
Hope someone knows a good solution to do that with a retail CentOS 5 :)
Thank you.
Ben
0
 
ramazanyich Commented:
You can try mod_cband for Apache:
http://elliottback.com/wp/archives/2006/06/20/bandwidth-connections-limiting-a-how-to-guide/
At this link you will find instructions for Fedora Core (CentOS is Red Hat based, so it will be easy for you).
0
 
 
BenMorel (Author) Commented:
Hi,
Thank you for your answer.
However, it seems that mod_cband does not have the functionality to limit the number of active connections based on IP address (only on user & bandwidth).
Any other ideas?
Ben
0

 
BenMorel (Author) Commented:
Hmm, sorry, I didn't read enough :/
The CBandRemoteSpeed config directive seems to provide this feature.
Do you know if this software is still supported? Neither cband.linux.pl nor mod-cband.com works...
Ben
0
 
ramazanyich Commented:
You can try to get the rpm from http://download.fedora.redhat.com/pub/fedora/linux/extras/6/SRPMS/repoview/mod_cband.html

But as far as I can see, this module hasn't changed for some time (maybe it is already good enough) and the home site is not accessible.
0
 
BenMorel (Author) Commented:
Thank you, but I can't find a version certified for RHEL 5, only for older Fedora.
AFAIK, Fedora is not 100% RHEL compatible.
And the fact that this software seems to be unsupported now, and the official website is still not responding, is not a good point :(

Is there really no solution to do that without installing 3rd party software? What do regular Red Hat Enterprise customers do to achieve this? I can't believe Red Hat suggests that they recompile the kernel (they don't support that) or install 3rd party rpms...

Thanks for your time anyway.
0
 
ramazanyich Commented:
I think you need to log in to Red Hat Network and then they will provide you a patch by request.
0
 
BenMorel (Author) Commented:
I have no RHN subscription anymore, that's why I'm on CentOS.
I resolved this by compiling only the connlimit module with kernel & iptables sources.
Thanks anyway for proposing something, you're worth the points.

Regards,
Ben
0
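
Added example, not part of the thread or of any participant's post: once a connlimit module is loaded as in the resolution above, this sketch prints a rule enforcing the question's limit of 10 connections per IP on port 80 and counts current per-IP connections from `netstat -ant` output to check it. The INPUT chain, the REJECT target, the function names and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/bash
LIMIT=10   # from the question: 10 simultaneous connections per IP
PORT=80

# Print the rule instead of applying it, so the block runs without root.
# --connlimit-above N matches when a source already holds more than N
# connections; --syn restricts the match to new connection attempts.
# Chain and target are assumptions; adapt them to the local ruleset.
connlimit_rule() {
    echo "iptables -A INPUT -p tcp --syn --dport $PORT" \
         "-m connlimit --connlimit-above $LIMIT -j REJECT --reject-with tcp-reset"
}

# Read `netstat -ant` lines on stdin; print "count address" for every
# remote address with more than LIMIT ESTABLISHED connections to PORT.
over_limit() {
    awk -v port="$PORT" -v limit="$LIMIT" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, l, ":")              # local port is the last field
            if (l[n] != port) next
            ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
            count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -rn
}

# Constructed sample: 12 connections from one address, 1 from another,
# plus a TIME_WAIT entry and an SSH session that must not be counted.
sample_netstat() {
    i=0
    while [ $i -lt 12 ]; do
        echo "tcp 0 0 192.0.2.10:80 203.0.113.7:$((40000 + i)) ESTABLISHED"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:80 198.51.100.4:51000 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.4:51001 TIME_WAIT"
    echo "tcp 0 0 192.0.2.10:22 203.0.113.7:52000 ESTABLISHED"
}

connlimit_rule
sample_netstat | over_limit     # live use: netstat -ant | over_limit
```

With the rule in place, `netstat -ant | over_limit` should print nothing for port 80; any address it lists is exceeding the limit and the rule is not matching as intended.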
