Linux Limit number of connections [DoS prevention]

stian

Banned User
Joined
Oct 29, 2009
Messages
3,755
Reaction score
50
Location
Norway
Here is some simple code that you can use to prevent floods on all ports.

# Every new TCP connection attempt (SYN) is sent through the conn-flood chain
iptables -N conn-flood
iptables -I INPUT 1 -p tcp --syn -j conn-flood
# Let SYNs through at 7/s with a burst of 20; anything over that is dropped
iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A conn-flood -j DROP
# Ping: 1/s, burst 1
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

IPs are limited to 7 connections/sec, and overall 20 open connections (+1 ICMP). You can likely reduce these without causing lag. With 3/sec the website will lag a bit if you have lots of images and CSS files.

You can also use this; it's the same as above, only that it limits the number of connections on all ports and protocols within a time span. In this case, 19 connections over 3 seconds.

# Only NEW packets count as hits; if --set matched NEW,ESTABLISHED, every packet of an open connection would count towards the 20-in-3s limit and lock out that client's next connection. Established traffic is still accepted.
iptables -I INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

Note, this doesn't prevent bandwidth-bound attacks or attacks where the origin can be spoofed, e.g. SYN floods and UDP floods.

To save just run:
/etc/init.d/iptables save
OR
/etc/rc.d/iptables save
(One of them will fail; it depends on the distro which one is correct.)
 
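A worked model of the first rule set above, added here and not code from the post or from TFS: `-m limit` keeps one token bucket for the whole chain, so the 7/s, burst 20 budget is shared by every source address rather than applied per IP. The script models that bucket (xt_limit as a token bucket with depth --limit-burst and refill --limit), feeds it a constructed mix of one flooding host and one ordinary browser, and then runs the same traffic through a bucket per source address, which is what `-m hashlimit --hashlimit-mode srcip` gives you. The addresses, timings and the `per_source_rules()` rewrite of the chain are assumptions for illustration; the hashlimit option names are xt_hashlimit's.

```python
#!/usr/bin/env python3
"""Token-bucket model of the conn-flood chain in the post above.

Added example, not code from the post. `-m limit` is modelled as one token
bucket (depth --limit-burst, refill --limit per second) shared by every
source, which is how xt_limit behaves; `-m hashlimit --hashlimit-mode srcip`
is modelled as one such bucket per source address. Addresses and timings
below are constructed.
"""
from collections import defaultdict


class TokenBucket:
    """--limit RATE/s --limit-burst BURST: starts full, refills at RATE/s."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = self.burst
        self.last = 0.0

    def allow(self, now):
        """Spend a token for a packet at time `now`; True if the match succeeds."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # -m limit matched -> -j RETURN, SYN gets through
        return False             # no token -> falls to `-A conn-flood -j DROP`


def _run(syns, bucket_for):
    """Feed (time, src) SYNs through the chain; bucket_for(src) picks the bucket.
    Ties on time keep input order (stable sort), so a SYN sharing a timestamp
    with a flood packet is processed after it."""
    stats = defaultdict(lambda: [0, 0])          # src -> [accepted, dropped]
    for t, src in sorted(syns, key=lambda e: e[0]):
        stats[src][0 if bucket_for(src).allow(t) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


def conn_flood_global(syns, rate=7, burst=20):
    """The post's chain: a single bucket, no per-source state."""
    shared = TokenBucket(rate, burst)
    return _run(syns, lambda src: shared)


def conn_flood_per_source(syns, rate=7, burst=20):
    """Same limits keyed on source IP (hashlimit --hashlimit-mode srcip)."""
    buckets = {}
    return _run(syns, lambda src: buckets.setdefault(src, TokenBucket(rate, burst)))


def per_source_rules(rate=7, burst=20):
    """The post's chain rewritten with a per-source bucket (assumed replacement,
    not from the post); the option names are those of xt_hashlimit."""
    return [
        "iptables -N conn-flood",
        "iptables -I INPUT 1 -p tcp --syn -j conn-flood",
        "iptables -A conn-flood -m hashlimit --hashlimit-name synflood "
        "--hashlimit-mode srcip "
        f"--hashlimit-upto {rate}/s --hashlimit-burst {burst} -j RETURN",
        "iptables -A conn-flood -j DROP",
    ]


FLOOD, BROWSER = "198.51.100.7", "203.0.113.5"   # constructed (documentation ranges)


def constructed_traffic():
    """5 s of traffic: FLOOD sends 200 SYN/s; BROWSER opens ten connections,
    one every half second (roughly one page load with images and CSS)."""
    flood = [(i / 200.0, FLOOD) for i in range(1000)]
    browser = [(0.25 + 0.5 * i, BROWSER) for i in range(10)]
    return flood + browser


if __name__ == "__main__":
    traffic = constructed_traffic()
    for label, chain in (("-m limit, shared bucket", conn_flood_global),
                         ("-m hashlimit srcip, per-IP bucket", conn_flood_per_source)):
        print(label)
        for src, (ok, dropped) in chain(traffic).items():
            print(f"  {src:14} accepted={ok:4d} dropped={dropped:4d}")
    print("\n".join(per_source_rules()))
```

With the shared bucket every one of the browser's ten SYNs is dropped, because the flood drains each refilled token within milliseconds, while the flood itself still gets about 20 + 7 × 5 SYNs through. With a bucket per source the flood is capped to the same number and the browser is untouched. The chain name and limits are kept from the post; only the match module changes.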

Elexonic

Well-Known Member
Joined
Jun 18, 2008
Messages
1,921
Reaction score
59
Stian, please can you create it for Windows?

thank you very much
 

nclx

Member
Joined
Jul 18, 2009
Messages
556
Reaction score
15
Why doesn't --connlimit work anymore?
The message type console blue is not exactly console blue in the TFS
The default monster loot message type in the config lua is still 25, when it should be 21, or it will debug
 
stian (OP)

Banned User
Joined
Oct 29, 2009
Messages
3,755
Reaction score
50
Location
Norway
These are Linux console commands, not some kind of script :p

connlimit doesn't limit per IP, but in total. So I doubt you want to have only 20 connections to your server in total.
 

Znote

<?php echo $title; ?>
Staff member
Global Moderator
Premium User
Joined
Feb 14, 2008
Messages
6,836
Solutions
240
Reaction score
1,644
Location
Norway
GitHub
Znote
Any easy way to limit per-user and total bandwidth consumed by lighttpd?

Let's say:
Uploading at 10KB/sec max per user.
Maximum bandwidth traffic: 100KB/sec.
Meaning if 8 users are surfing at the same time, they use 80KB/sec.
If 20 users at the same time, they use 100KB/sec max (since it's limited by the maximum bandwidth),
making them approximately 5KB/sec each on average in this case.

This will strongly reduce spikes on servers. :p And the only negative side would be a slow-loading website (or not so very slow, if you use an external host for images).
 
stian (OP)

Banned User
Joined
Oct 29, 2009
Messages
3,755
Reaction score
50
Location
Norway
Niceeeeeeeeeeeeeeeeeeeeee

Do I have to put in those commands every time I restart the computer?

Well, yes.

But you can save them using /etc/init.d/iptables save.

Any easy way to limit per-user and total bandwidth consumed by lighttpd?

Let's say:
Uploading at 10KB/sec max per user.
Maximum bandwidth traffic: 100KB/sec.
Meaning if 8 users are surfing at the same time, they use 80KB/sec.
If 20 users at the same time, they use 100KB/sec max (since it's limited by the maximum bandwidth),
making them approximately 5KB/sec each on average in this case.

This will strongly reduce spikes on servers. :p And the only negative side would be a slow-loading website (or not so very slow, if you use an external host for images).

Ehm. You can do it using QoS rules, e.g. trying to make a fair share of the 100kbit.

Or you can try using a reverse proxy, e.g. Squid, to do this:
http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html
 

Jamzitox

ImperiUs Online
Joined
May 30, 2008
Messages
245
Reaction score
0
Location
Venezuela/Margarita
Thanks, I'll install Linux again, and again if I ask you for help with DDoS attacks, sincerely, and these people who abuse these horny programs I have
 

Jamzitox

ImperiUs Online
Joined
May 30, 2008
Messages
245
Reaction score
0
Location
Venezuela/Margarita
Sorry for the double post, but I try to start the script and I get an error.

Can you tell me how I make it start automatically, or does it have to be opened?

[screenshot: dwpfs6.jpg]
 

bolero

MikeHere
Joined
Apr 13, 2009
Messages
1,146
Reaction score
12
Location
Venezuela
Good one Stian, but can you tell us the command to save the iptables? =] Please

Put this in the tutorial please.

Install Linux, friend jamzitox =]! Before they take down your OT =D
 
stian (OP)

Banned User
Joined
Oct 29, 2009
Messages
3,755
Reaction score
50
Location
Norway
You're using Debian?

Try this "hack":
iptables-save > /etc/iptables.rules
Edit / make a file named:
/etc/network/if-pre-up.d/iptables
and put in it:
#!/bin/bash
# Restore the saved rules before the network interfaces come up
/sbin/iptables-restore < /etc/iptables.rules

Then make it executable:
chmod +x /etc/network/if-pre-up.d/iptables
 

Evil Mark

Active Member
Joined
Nov 23, 2008
Messages
1,695
Reaction score
32
For those who want Linux on their home computer, you can download it at ubuntu.com.

Every time you start your computer it will ask you which OS you want to start, either Linux or your other OS.
 

bolero

MikeHere
Joined
Apr 13, 2009
Messages
1,146
Reaction score
12
Location
Venezuela
I put this..

Code:
[email protected]:~# iptables-save > /etc/iptables.rules
[email protected]:~#

I think this works.

I'm using Ubuntu 9.10

And if this ^^^^^^ works, do I need to put this?

Edit / make a file named:
/etc/network/if-pre-up.d/iptables
put:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules


Every day we get bigger in Linux thanks to you, Stian.
 

Jamzitox

ImperiUs Online
Joined
May 30, 2008
Messages
245
Reaction score
0
Location
Venezuela/Margarita
Stian, I have a question: what do I do to start the script if I save it to /etc/init.d/iptables.sh?

[screenshot: jaamfr.jpg]


And now what? Is there a command to turn it on or something, or is it automatic, so every time you turn on the computer it activates the script?
 

Slain

TrueHavoc.com
Joined
Nov 27, 2008
Messages
2,242
Reaction score
31
Here is some simple code that you can use to prevent floods on all ports.



IPs are limited to 7 connections/sec, and overall 20 open connections (+1 ICMP). You can likely reduce these without causing lag. With 3/sec the website will lag a bit if you have lots of images and CSS files.

You can also use this; it's the same as above, only that it limits the number of connections on all ports and protocols within a time span. In this case, 19 connections over 3 seconds.



Note, this doesn't prevent bandwidth-bound attacks or attacks where the origin can be spoofed, e.g. SYN floods and UDP floods.

To save just run:

(One of them will fail; it depends on the distro which one is correct.)

Code:
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

I did that and people are having issues with MC'ing, and sometimes even getting into the website. This seems more problematic than helpful. Your first suggestion had an issue with the -SYN command.
Help plx!
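A model of the two `-m recent` rules quoted in the post above, added here as an example and not code from the thread. It replays xt_recent with the kernel defaults (each address keeps its last 20 hit timestamps; `--set` records a hit; `--update --seconds 3 --hitcount 20` matches when 20 hits fall inside the last 3 seconds and records another hit when it does) over a constructed traffic mix: one player whose open game connection sends a packet every 100 ms and who then starts a second client and opens the website, plus one host firing 40 connection attempts in 2 seconds. The same events are run twice, once with `--set` on `NEW,ESTABLISHED` as quoted and once with `--set` on `NEW` only. The addresses, timings and the `NEW`-only variant are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Sliding-window model of the two `-m recent` rules quoted above.

Added example, not code from the thread. xt_recent is modelled with the
kernel defaults: each address keeps its last 20 hit timestamps
(ip_pkt_list_tot), `--set` records a hit, and `--update --seconds S
--hitcount H` matches when at least H hits fall inside the last S seconds,
recording a further hit when it does. Addresses, packet timings and the
connection mix are constructed.
"""
from collections import defaultdict, deque


class RecentList:
    """One xt_recent table: src -> its most recent hit timestamps."""

    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):                        # -m recent --set
        self.stamps[src].append(now)

    def update(self, src, now, seconds, hitcount):  # --update --seconds --hitcount
        hits = sum(1 for s in self.stamps[src] if now - s <= seconds)
        if hits >= hitcount:
            self.set(src, now)        # --update refreshes the entry on a match
            return True
        return False


def evaluate(events, set_states=("NEW", "ESTABLISHED"), seconds=3, hitcount=20):
    """Walk INPUT as the two `-I` commands leave it (last inserted is first):
         1. -p tcp --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP
         2. -p tcp --state <set_states> -m recent --set -j ACCEPT
    events: (time, src, state) with state "NEW" or "ESTABLISHED".
    Returns (time, src, state, verdict); "PASS" means neither rule matched
    and the packet continues down the rest of INPUT."""
    recent = RecentList()
    verdicts = []
    for t, src, state in sorted(events, key=lambda e: e[0]):
        if state == "NEW" and recent.update(src, t, seconds, hitcount):
            verdicts.append((t, src, state, "DROP"))
        elif state in set_states:
            recent.set(src, t)
            verdicts.append((t, src, state, "ACCEPT"))
        else:
            verdicts.append((t, src, state, "PASS"))
    return verdicts


def new_connection_verdicts(verdicts, src):
    """Verdicts for just the NEW packets (connection attempts) from src."""
    return [v for _, s, state, v in verdicts if s == src and state == "NEW"]


PLAYER, FLOOD = "203.0.113.5", "198.51.100.7"   # constructed (documentation ranges)


def constructed_events():
    """PLAYER logs in at t=0; the game connection then sends a packet every
    100 ms; at t=5 they start a second client (MC) and at t=5.5 open the
    website. Separately, FLOOD fires 40 connection attempts in 2 s."""
    player = [(0.0, PLAYER, "NEW")]
    player += [(i / 10, PLAYER, "ESTABLISHED") for i in range(1, 50)]
    player += [(5.0, PLAYER, "NEW"), (5.5, PLAYER, "NEW")]
    flood = [(10.0 + i * 0.05, FLOOD, "NEW") for i in range(40)]
    return player + flood


if __name__ == "__main__":
    events = constructed_events()
    for label, states in (("--set on NEW,ESTABLISHED (as quoted)", ("NEW", "ESTABLISHED")),
                          ("--set on NEW only", ("NEW",))):
        v = evaluate(events, set_states=states)
        print(label)
        print("  player's connection attempts:", new_connection_verdicts(v, PLAYER))
        fv = new_connection_verdicts(v, FLOOD)
        print(f"  flood: {fv.count('ACCEPT')} accepted, {fv.count('DROP')} dropped")
```

As quoted, the player's own game traffic fills the 20-hit window within two seconds, so both the second client and the website connection are dropped even though the player opened only one connection; that matches the MC and website symptoms reported above. Counting only `NEW` packets leaves the player's new connections alone while the flood still gets exactly 20 attempts through before the drop kicks in. Note that in the `NEW`-only variant established packets no longer hit the `--set` rule and need their own ACCEPT (or the default policy) further down INPUT.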
 