
Linux Limit number of connections [DoS prevention]

stian (Banned User, joined Oct 29, 2009, Norway)
Here is some simple code that you can use to prevent floods on all ports.

Code:
# dedicated chain for incoming TCP SYN packets
iptables -N conn-flood
iptables -I INPUT 1 -p tcp --syn -j conn-flood
# let through at most 7 SYN/s with a burst of 20, drop the rest
iptables -A conn-flood -m limit --limit 7/s --limit-burst 20 -j RETURN
iptables -A conn-flood -j DROP
# ICMP: 1 packet/s, the rest is dropped
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -j DROP

IPs are limited to 7 connections/sec, and overall 20 open connections (+1 ICMP). You can likely reduce these without causing lag. With 3/sec the website will lag a bit if you have lots of images and CSS files.

You can also use this, it's the same as above only that it limits the number of connections on all ports and protocols within a time specter. In this case, 19 connections over 3 seconds.

Code:
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

Note: this doesn't prevent bandwidth-bound attacks and attacks where the origin can be spoofed, e.g. SYN floods and UDP floods.

To save, just run:
Code:
/etc/init.d/iptables save
OR
Code:
/etc/rc.d/iptables save
(One of them will fail; it depends on the distro which one is correct.)
 
Stian, please can you create it for Windows?

thank you very much
 
Why doesn't --connlimit work anymore?
The message type console blue is not exactly console blue in the TFS
The default monster loot message type in the config lua is still 25, when it should be 21, or it will debug
 
These are Linux console commands, not some kind of script :p

connlimit doesn't limit per IP, but in total. So I doubt you want to have only 20 connections to your server in total.
 
Any easy way to limit per-user and total bandwidth consumed by lighttpd?

Let's say:
Uploading at 10KB/sec per user as the maximum.
Maximum bandwidth traffic: 100KB/sec.
Meaning if 8 users are surfing at the same time, they use 80KB/sec.
If 20 users at the same time, they use 100KB/sec max (since it's limited by the maximum bandwidth).
Making them approximately 5KB/sec on average per user in this case.

This will strongly reduce spikes on servers. :p And the only negative side would be a slow-loading website. (Or not so very slow, if you use an external host for images.)
 
Niceeeeeeeeeeeeeeeeeeeeee

Do I have to put in those commands every time the computer restarts?

Well, yes.

But you can save them using /etc/init.d/iptables save.

Ehm. You can do it using QoS rules, e.g. trying to make a fair share of the 100kbit.

Or you can try using a reverse proxy, e.g. squid, to do this:
http://www.faqs.org/docs/Linux-HOWTO/Bandwidth-Limiting-HOWTO.html
 
Thanks, I'll install Linux again and again if I ask you for help with DDoS attacks, sincerely, and these people who abuse these horny programs I have
 
Sorry for the double post, but I try to start the script and I get an error.

Can you tell me how I give it an automatic start, or does it have to be opened?
 
Good, Stian. But can you say the command to save the iptables? =] Please

Put this in the tutorial, please.

Install Linux, friend jamzitox =]! Before the OT gets you =d
 
Code:
root@199:~# /etc/init.d/iptables save
-bash: /etc/init.d/iptables: No such file or directory
root@199:~# /etc/rc.d/iptables save
-bash: /etc/rc.d/iptables: No such file or directory
 
You're using Debian?

Try this "hack":
Code:
iptables-save > /etc/iptables.rules
Edit / make a file named:
/etc/network/if-pre-up.d/iptables
put:
Code:
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules

Code:
chmod +x /etc/network/if-pre-up.d/iptables
 
For those who want Linux to their home computer can download it at ubuntu.com.

Every time you start your computer up it will ask you which OS you want to start, either Linux or your other OS.
 
I put this..

Code:
root@199:~# iptables-save > /etc/iptables.rules
root@199:~#

I think this works.

I'm using Ubuntu 9.10.

And if this ^^^^^^ works, do I need to put this?

Edit / make a file named:
/etc/network/if-pre-up.d/iptables
put:

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.rules


Every day we're getting bigger in Linux thanks to you, Stian.
 
Stian, I have a question: what do I do to start the script if I save it to /etc/init.d/iptables.sh?

And now what? Is there no command to turn it on or something, or is it automatic, so that every time you turn on the computer it activates the script?
 
Code:
iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP

I did that and people are having issues with MC'ing, and sometimes even getting into the website. This seems more problematic than helpful. Your first suggestion had an issue with the -SYN command.
help plx!
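The rule pair quoted above is a per-source sliding-window counter, and the reported MC and website problems follow from how it is wired: both lines use `-I INPUT`, so the DROP rule ends up above the `--set` rule, and the `--set` rule matches NEW,ESTABLISHED, so every accepted TCP packet (game traffic, image requests) counts toward the 20-in-3-seconds budget, not only new connections. The Python model below is added here (it is not from the thread) and replays constructed traffic through that logic, plus the variant that records only NEW packets; the addresses and timings are made up.

```python
from collections import defaultdict, deque

# Simplified model of the thread's two rules. Because both use "-I INPUT",
# the DROP rule sits ABOVE the --set rule in the final chain:
#   1. -p tcp --state NEW -m recent --update --seconds 3 --hitcount 20 -j DROP
#   2. -p tcp --state NEW,ESTABLISHED -m recent --set -j ACCEPT
# xt_recent keeps a list of timestamps per source; --update matches when the
# source has >= hitcount stamps inside the window (and then records one more).


def run_chain(packets, seconds=3.0, hitcount=20, record_established=True):
    """packets: iterable of (time, src, state), state 'NEW' or 'ESTABLISHED'.
    record_established=False models a --set rule restricted to --state NEW.
    Returns {src: {'ACCEPT': n, 'DROP': n}}."""
    stamps = defaultdict(deque)  # src -> recent packet times
    verdicts = defaultdict(lambda: {"ACCEPT": 0, "DROP": 0})

    def record(src, now):
        d = stamps[src]
        d.append(now)
        while len(d) > hitcount:  # kernel keeps ip_pkt_list_tot (default 20) stamps
            d.popleft()

    for now, src, state in packets:
        if state == "NEW":  # rule 1 only inspects new connections
            hits = sum(1 for t in stamps[src] if now - t <= seconds)
            if hits >= hitcount:
                record(src, now)
                verdicts[src]["DROP"] += 1
                continue
        if state == "NEW" or record_established:  # rule 2: record and accept
            record(src, now)
        verdicts[src]["ACCEPT"] += 1
    return dict(verdicts)


def syn_burst():
    """Constructed: 25 SYNs within one second from one source, the case the
    rule is meant to catch. Only the first 20 get through."""
    pkts = [(i * 0.04, "192.0.2.7", "NEW") for i in range(25)]
    return run_chain(pkts)


def player_opens_second_client(record_established=True):
    """Constructed: a logged-in player's session sends 30 ESTABLISHED packets
    in one second, then the same address opens a second client (one SYN).
    With the thread's rules that SYN is dropped; counting only NEW packets
    (record_established=False) lets it through."""
    pkts = [(i * 0.03, "10.0.0.5", "ESTABLISHED") for i in range(30)]
    pkts.append((1.0, "10.0.0.5", "NEW"))
    return run_chain(pkts, record_established=record_established)
```

The same outcome applies to a browser fetching many images: its own page traffic fills the budget and the next connection is dropped, which matches the website symptom above.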
 