Rule To Limit Apache (port 80) Connections From 1 IP To 15
Apr 12, 2007any good rule to limit Apache (port 80) connections from 1 IP to 15 with iptables/csf?
And total connections to the box to 100?
ADVERTISEMENT
Limit Apache (thread) Connections Per Request
Jan 9, 2007I've been having trouble the past few days with someone who's been "attacking" my site so to speak by continuously downloading very large files with as many connections as (he) can open. I operate a large downloads site for computer games, this person has selected the largest files (like 400-500MB). Not sure of the real intent other than to clog up my bandwidth capacity. Also he appears to be using proxies since as soon as I ban one, another shows up seeminly from China.
Anyway, I have mod_bw and I've limited the number of connections in the downloads area to 2. While that works ok, his tool uses threads like a download manager would and he's using up 30-40 child threads for his 2 file downloads.
So 2 questions,
Is there anyway to not only limit file downloads to 2, but limit the number of connections per request? Many of my visitors do use download managers and I'd like for them to continue using them but use a reasonable number of threads like 6 or 8, but not 30.
Also, is there a way to restrict access to someone using a proxy?
The VPS Iptables Rule Limit
Aug 7, 2008We installed csf firewall in main node and we have following error when try to start firewall, how can resolve this issue?
[root@m5088 csf]# csf -s
Error: The VPS iptables rule limit (numiptent) is too low (400/400) - stopping firewall to prevent iptables blocking all connections, at line 123
Iptables Rule Limit (numiptent)
Jun 1, 2008I have a openvz based vps server, my vps users have "The VPS iptables rule limit (numiptent)" error when try to install and start any firewall.
how can resolve this issue?
IPTables Rule Using Modules Limit & Length Simoultaneously
Apr 4, 2009I am currently trying to limit incoming UDP length 20 packets on a per IP basis to 5 a second using IPTables on a Linux machine (CentOS 5.2).
Basically, if an IP is sending more than 5 length 20 UDP packet a second to the local machine, I would like the machine to drop the excess length 20 packets coming from that IP.
The modules that should work perfectly for this type of "rule set" are;
- Limiting module
- Length module
Both of which are installed / compiled with the kernel/IPTables correctly and functioning.
I have tried several rule sets, and they all seem to not fully work. Either they drop all UDP length 20 packets going to the local machine or allow all them through.
Below is one of the rule sets I use, and it is not working. Any ideas what the issue could be?
iptables -N UDPC1
iptables -A INPUT -p udp -m length --length 20 -j UDPC1
iptables -A UDPC1 -p udp -m length --length 20 -m limit --limit 5/second -j ACCEPT
iptables -A UDPC1 -j DROP
Limit Connections Per IP
May 15, 2008How can I Limit connections per IP in IIS6?
For example 10 connection per IP is allowed in a minute.
Limit # Ip Connections
May 31, 2008on setting up some sort of firewall who only allows 10 connections from the same ip to avoid spamming, abuse on the server.
How should i do this?
Limit Connections - DDOS
Dec 14, 2008one of my friend say that if i install an apache module which one limit the users conection can help me to protect from ddos.
becaus one of my users domain is under ddos and i think that if i limit his conection, if sombody wants to do ddos and open conection foraxample up 30 he is attacker and ban.
is it right and how i can do it and limit a one user?
Limit Connections Per IP/Hostname
Aug 25, 2007How is this done? from what I gether, there's nothing built into apache which can do this which I personally think is a bit silly as it seems like a common thing. Can anyone offer any help (for apache 2).
View 5 Replies View RelatedHitting Connections Per Second Limit Of RedHat EL
Jun 11, 2009I have a powerful 8 core 8gb ram web server with scsi raid drives running RedHat EL 4. This server handles 2,000 - 3,000 HTTP requests per second via Litespeed httpd without strain (over 60%+ CPU idle time during peak load, under 1% IO wait). As the traffic volume continues to increase I've encountered a strange problem, the symptoms of which are as follows:
- About 1/4 or 1/3 of new connections are not answered by the server - they time out.
- All connections that are answered have exactly 3 seconds added to the time it takes to establish connection with the server (can be seen as "Connecting to ..." phase in FireFox). HTTP response times were tested by Pingdom from multiple locations all over the world.
- The problem is either "on" or "off", it is not gradual.
- Server ping is unaffected during the problem - no delay and no packet drops.
- The problem does not happen during off-peak hours of the day.
If litespeed httpd settings are tweaked to keep as many connections as possible in keepalive state for as long as possible, the problem is avoided, while tens of thousands of connections are kept in keepalive state.
Possible causes that were tested and eliminated: PHP/MySQL load (problem applies to static files exactly the same), CPU / IO / RAM, network uplink, hardware firewall, DNS.
This makes me think that there is some kind of bottleneck of how many NEW connections per second the server can accept. By maxing out keepalive quantity and duration I'm reducing the number of new connections per second. This is a temporary fix that will only work up to a certain point.
After investigation, litespeed staff verified that my litespeed configuration was correct and after some testing said that nothing in litespeed was responsible for this limiting factor. Litespeed process uses relatively little CPU and can definitely handle more volume.
Following sysctl.conf values were increased substantially to see if that will make a difference: tcp_max_syn_backlog, tcp_max_tw_buckets, tcp_max_orphans, netdev_max_backlog, somaxconn, file-max. This didn't produce any results. Disabling syncookies didn't help either. dmesg doesn't have any notices of limits being hit or throttles being applied.
Litespeed staff suggests that likely some limit in linux kernel is being reached. The strange 3 second delay does seem like an "intelligent" DDOS protection strategy of some sort. Perhaps this is some kind of kernel level DDOS protection?
How To Limit Apache2 Global Per IP Connections
Jan 27, 2008Some limit connection mods can limit max connections per vhost, any mod can limit connections to apache server per IP?
View 3 Replies View RelatedAny Firewall For Windows To Limit Connections Per Ip
Apr 26, 2008windows 2003
limit connections per ip to a port
im currently using routix netcom
it can limit the connections( NOT bandwidth) only but not per ip
another firewall which limit connections per ip
Limited HTTPD Connections. How To Not Limit Them
Apr 13, 2007When I SSH'd into my box, I received this message:
example.pl is on this server. HTTPD connections have been limited to restrict this script from overloading server. All servers that have hosted this file need to have extremely limited http connections or have this file removed. It is poorly written and intense on CPU/memory.
How do I go and allow example.pl to be run on my server again? I use it solely for personal sites, so I wish to not have this file blocked and be allowed to run. I've searched for almost an hour now so I figured I would go ahead and post to see if any more experienced members could assist.
500+ Connections To Port 80
May 27, 2007Someone attacked my server yesterday with a script or something. I ran # netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
and it showed me that one client made more than 500 connections to port 80, causing a load higher than 50. I disabled thread and content viewing for guests on my vbulletin forum, and the load went back to 1.5. I analyzed the apache logfile, but it doesn't show any suspicious activity for that client.
How did he manage to make more than 350 connections to my server? With a script or something? I've APF firewall installed in monolythic kernel mode with the standard rules.
How can i prevent such events in the future?
How To Limit Num Of Connections Per Hosted Site On Ded. Server
Jan 24, 2007OS: Linux, on Apache 2.0
=======
Would you know and kindly tell me if there's a way to limit X number of connections per hosted site?
Because I don't want someone with high traffic forum unfairly stealing most connections for himself, which makes other sites suffer in performance.
How To Limit Http/mysql Connections Per Domain
Jun 22, 2007how i can limit http and mysql connection limit on per domain basis.
View 2 Replies View RelatedDeny All Connections To Certain Port, Except For 127.0.0.1
May 28, 2009I have problems configuring some ports and rules on CSF on a cPanel server.
Port 37500 is used by a Java web app, so, i opened both tcp incoming and outgoing ports:
Code:
TCP_IN = "20,21,22,25,26,53,80,110,143,443,465,587,993,995,2082,2083,2086,2087,2095,2096,37500"
TCP_OUT = "20,21,22,25,26,37,43,53,80,110,113,443,587,2087,2089,2703,37500"
Then.. to allow access from the server IP and localhost, added this at csf.allow:
Code:
tcp:in:d=37500:s=127.0.0.1
tcp:in:d=37500:s=my.server.ip.address
csf.ignore:
Code:
127.0.0.1
my.server.ip.address
And to deny all access to the server on that specific port (except for the ones I whitelisted before), added this to csf.deny:
Code:
tcp:in:d=37500:s=0.0.0.0/0
Result = no one can connect to the server on that port, not even from the web app itself, it's not connecting to the port 37500.
How can I configure port 37500 to accept local connections (from the web server) and deny all external connections?
Flood Connections On Port 80
Aug 1, 2007When I check on port 80 connections, I get a list of few IPs with more than 100 connections.
I need to know which website / specific file being downloaded / URL is the IP accessing to? How can I do that?
How To Limit Connections Per IP Address Based On Domain + String
Oct 25, 2009I need to do this:
(1) domain1.com limit to 10 connections per IP per 30 seconds but allow if accessing file beginning with x.php such as x.php?981 x.php?o19
(2) domain2.com limit to 10 connections per IP per 30 seconds only if accessing file beginning with x.php but allow if accessing file beginning with y.php y.php?981 y.php?o19 .....
Limit Bandwidth On Switch Port.
Jun 5, 2007we want to limit the speed on a switch for several users. For example, we want:
User Bandwidth
Adrian 1Mbps
Peter 5Mbps
Luke 4Mbps
Which switches do you recomend for this? Any experiences on their use? Prices?
i know that sounds strange, but imagine Adrian only has access to the net on 1Mbps because that's all he needs.
Apache :: Listen On Port 8080 For IPv4 And On Port 80 For IPv6?
Aug 8, 2013I'm runnung a server with Apache2 (Apache/2.2.16 (Debian 6.0))
I would like Apache2 listen on port 8080 for IPv4 and on port 80 for IPv6.
This is what I have now:
/etc/apache2/ports.conf
Apache :: HTAccess Needs For Rule To Redirect
Feb 21, 2013I have page like that : [URL] ....
I want to permanent redirect it to : [URL] ....
Also needs to redirect all another page have words ( rates ) to index.
Apache Rewrite Rule - 404 Error
Apr 29, 2013I need two rules in apache to work
RewriteRule ^([^/]*).html$ index.php?page=$1 [L]
RewriteRule ^([^/]*)/([^/]*).html$ index.php?pnumber=$1&page=$2 [L]
First one rule does work and /index.php?page=something redirect to /something.html
Second rule does not work /index.php?pnumber=1&page=something need to be /1/something.html
But when make this link i got 404 error the request url not found.
Where is error, an how i can make to second rule work too?
Apache :: Creating Rule For Directory Recursion?
Aug 29, 2013I have a number of WordPress, Drupal, Wiki sites running under RHEL6.
Apache version:httpd -v
Server version: Apache/2.2.15 (Unix)
Server built: Aug 2 2013 08:02:18
We are subject to internal scans by Appscan and Tenable. It is a security requirement so I cannot just block them.
The scanners, of course, attempt to recurse the directory structure and find vulnerable files such as boot.ini, winnt.com and such.
This drives the php content management systems nuts.
Request comes in and is handled by php.
PHP checks the cache for that name and does not find it.
PHP generates a MySQL query and sends it.
MySQL tries and fails to satisfy the query.
MySQL returns result to php.
PHP Writes a cached of the result and presents it to the web.
In other words, a whole lot of processor/memory.
The security scans typically look like......
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:35:15 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET //../../../../../../../../../../../../etc/passwd HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................windowswin.ini HTTP/1.1
[Thu Aug 29 00:32:26 2013] [error] [client XXX.XXX.XXX.XXX] Invalid URI in request GET ....................winntwin.ini HTTP/1.1
I have been able to improve performance, speed and security by mod_rewrite
RewriteRule .*.(dll|ini|exe|com)$ - [R=404,NC]
Now (Finally) the question.
I have not been able to create a rule for the directory recursion.
I want to R=404 any that has a "../.." or "...." or ...." but I can not get it to recognize the string correctly.
I believe that this would improve speed and security.
Apache :: Rewrite Rule For OWASP XSS Conventions
Aug 13, 2014I need to implement prevent XSS attacks by using apache rewrite following rewrite rules for all urls of the domain.
Converting < and > to < and >
Converting ( and ) to ( and )
Converting # and & to # and &
& --> &
< --> <
> --> >
" --> "
' --> '
Apache :: Rewrite Rule Does Redirect Rather Than Proxy
Oct 28, 2014I just installed httpd-2.4.10-win32 and I can't make mod_rewrite to work :
What I'd want is a proxy to receive a print.xxxx.com/appl uri and forwards to appl.serveur.xxxx.com:8080/streammaster
I do
RewriteCond %{HTTP_HOST} print.xxxx.com
RewriteRule /appl/ http://appl.serveur.xxxx.com:8080/streammaster [P]
and I get a redirect : 192.168.250.50 - - [28/Oct/2014:14:55:19 +0100] "GET /appl/ HTTP/1.1" 302 - mod_proxy is loaded and works of course.
I've tried lot of variations (it works the same in a virtual host without rewritecond) to no avail.
Apache :: URL Rewrite Rule Without Permanent Redirect
May 10, 2014I am new to wordpress; I want a url rewrite rule for my htaccess. I want when a user visits www.domain.com/services/manu/ the url on the address bar should be www.domain.com/services/. I don't want a permanent redirect.
View 2 Replies View RelatedApache :: Writing Htaccess Rewrite Rule?
Feb 21, 2014I'm trying to change url structure so instead of /default/category/product.html it would show /category/product.html
With this line I've managed to do it on my personal blog
RedirectMatch 301 /default/(.*) //$1
But when I've implemented it on a customers Magento site it started showing double slashes like this //category/product.html and the whole template just collapsed .
Apache :: HTAccess Won't Process Rewrite Rule Despite Many Attempts
Apr 1, 2015It should be a straight forward change. [URL] .... does not redirect to [URL]...... It simply tries to load /denver-cars/ and denver-cars is in the URL. Am I missing something here? I have tried moving it up and down the list of rules and have tried numerous types of flags to no avail. Everything else in the htacess works fine with out the line:
RewriteRule ^/(.*)-cars/ /newcars-in-$1/ [NC,R=301,L]
Here is my htaccess:
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
# Force www
# Redirect google index dir's to new dir
RewriteRule ^/(.*)-cars/ /newcars-in-$1/ [NC,R=301,L]
[code]....
Apache :: Crafting HTAccess Rule That Looks URL Of Visiting Page
Sep 28, 2013I am new to apache, and really terrible with regular expressions.
How to craft an htaccess rule that looks a the URL of the page you are visiting, and redirects HTTPS to the same URL in HTTP if the URL contains a certain text string (in the case the word "products")...