How to limit connections per IP based on domain + string
Posted by chasebug, 10-25-2009, 05:39 AM |
I need to do this:
(1) domain1.com: limit to 10 connections per IP per 30 seconds, but allow if accessing a file beginning with x.php, such as x.php?981 or x.php?o19
(2) domain2.com: limit to 10 connections per IP per 30 seconds only if accessing a file beginning with x.php, but allow if accessing a file beginning with y.php, such as y.php?981 or y.php?o19
Found 2 articles that help somewhat, but not exactly what I am looking for:
http://www.debian-administration.org/articles/187
http://wiztelsys.com/Article_iptables_bob2.html
|
Posted by eth00, 10-25-2009, 12:21 PM |
http://dominia.org/djao/limitipconn.html
Limitipconn can do it based on the vhost, if nothing else you could put different files on different subdomains as a quick way of doing it. You could use redirects to handle this.
|
Posted by jon-f, 10-25-2009, 07:22 PM |
You can do this with iptables string and limit matches.
http://www.cyberciti.biz/tips/howto-...n-attacks.html - on using limit for syn attacks
http://netfilter.org/documentation/H...s-HOWTO-3.html - on using limit and string
http://wiztelsys.com/Article_iptables_bob2.html - on string match
You would probably have to have an overall chain starting with a deny and then allowing access per string or whatever.
Here is an example of a string-match rule for deny:
iptables -I INPUT -j DROP -p tcp -m string --algo bm --string "CLR 1.1.4322"
You couldn't use string and limit in the same rule, I don't think, so it would have to be some chain. This can be done though. You should be able to come up with your ruleset using examples of both matches.
|
Posted by khunj, 10-26-2009, 04:19 AM |
If you are using Apache, you can easily do it with mod_security.
|
Posted by jon-f, 10-26-2009, 05:23 AM |
Really, think about what you just said. Look at his post, what he asked, and just give us even a faint idea of how you would do that.
The only way it is possible is using string and limit match iptables chains.
Example of a chain:
So the OP would have to have something like:
iptables -I INPUT -j ACCEPT -p tcp -m string --algo bm --string "x.php?9"
Then set the limit before or after that, I am not sure. But it can be done with limit, string and/or recent match.
Not meaning to be a smart aleck, khunj, but mod_security doesn't do that. No Apache module would do what he is talking about, to my knowledge.
|
Posted by khunj, 10-26-2009, 09:52 AM |
Not only does mod_security do that, but, unlike iptables, that's its job and it will do it much better.
1) iptables:
- using limit: the OP wants to rate limit an IP with more than 10 hits/30s. The limit module cannot do that, as it doesn't keep track of IPs but limits anyone and, as usual, will also reject legitimate visitors.
- using string: string is a very interesting module, but here your rule will process any packet (what is the point of filtering SYN, RST, FIN etc. segments?), regardless of its size (up to 64Kb, ouch...). And of course, if the GET request is split into 2 different packets (that's the way the TCP protocol works), iptables will miss it.
2) mod_security: as said above, that's its job.
Not to mention that the last line should be replaced with "drop,nolog" on a production server, otherwise logs might get flooded quickly.
|
Posted by jon-f, 10-26-2009, 07:15 PM |
I guess I stand corrected then. I apologize, I did not know mod_security had limiting features. Anyway, at least I guess the OP has some examples to go by.
|
Posted by chasebug, 10-27-2009, 01:51 PM |
Thanks.
Does this work for the 1st condition or the 2nd condition?
Can you post the rules for the 2nd condition for me?
Appreciate it.
|
Posted by ThanhBT, 02-11-2011, 12:40 PM |
Thanks khunj!
I have the domain abc.net and the file Login.aspx, and use Apache as a load balancer. Now I want to limit connections only to the Login.aspx file. I use your code:
# abc.net :
# Filter only for abc.net (skip the 5 rules below for any other Host):
SecRule REQUEST_HEADERS:Host "!www\.abc\.net" "skip:5,nolog"
# Track the client IP:
SecAction "initcol:ip=%{REMOTE_ADDR},nolog"
# Decay the hit count (subtract 100 hits every 30 s):
SecAction "deprecatevar:ip.maxlimit=100/30,nolog"
# Only continue with the rules below if the request is for Login.aspx (skip them otherwise):
SecRule REQUEST_URI "!Login\.aspx" "skip:2,nolog"
# Increase the counter:
SecAction "nolog,setvar:ip.maxlimit=+1"
# If the connection count has reached the limit, drop it:
SecRule IP:MAXLIMIT "@gt 10" "drop,log,msg:'dropping %{REMOTE_ADDR} (%{ip.maxlimit} connection DDOS)'"
Is this correct? Thanks a lot.
Sorry for my english.
|
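Added example, not from the thread: a small Python model of the policy the OP asked for (both conditions), using a per-(domain, IP) counter with deprecatevar-style decay like the ModSecurity ip collection in the post above. The domain names, paths and sample traffic are constructed.

```python
from urllib.parse import urlsplit
LIMIT, WINDOW, DECAY = 10, 30, 100  # drop past 10 hits; forgive DECAY hits per WINDOW s

# The two conditions from the original post. limited=None means every request
# on that domain is counted; exempt paths are never counted.
POLICY = {
    "domain1.com": {"limited": None,        "exempt": ("/x.php",)},
    "domain2.com": {"limited": ("/x.php",), "exempt": ("/y.php",)},
}
def counted(domain, path):
    """Does this domain/path combination go through the per-IP counter?"""
    rule = POLICY.get(domain)
    if rule is None or any(path.startswith(p) for p in rule["exempt"]):
        return False
    return rule["limited"] is None or any(path.startswith(p) for p in rule["limited"])

class PerIpLimiter:
    """Per-(domain, client IP) hit counter modelled on ModSecurity's ip collection."""
    def __init__(self, limit=LIMIT, window=WINDOW, decay=DECAY):
        self.limit, self.window, self.decay = limit, window, decay
        self.counters = {}  # (domain, ip) -> [hits, time of last write]

    def check(self, ip, host, request_uri, now):
        """Return 'allow' or 'drop' for one request seen at time `now` (seconds)."""
        domain = host.lower().split(":")[0]
        domain = domain[4:] if domain.startswith("www.") else domain
        if not counted(domain, urlsplit(request_uri).path):
            return "allow"
        c = self.counters.setdefault((domain, ip), [0, now])
        # deprecatevar emulation: subtract DECAY hits for each full WINDOW since the
        # last write. As with the real action the clock restarts on every hit, so a
        # client that never pauses for WINDOW seconds never decays.
        windows = int((now - c[1]) // self.window)
        if windows:
            c[0] = max(0, c[0] - windows * self.decay)
        c[0], c[1] = c[0] + 1, now
        return "drop" if c[0] > self.limit else "allow"

def replay(events, limiter=None):
    """events: iterable of (timestamp, client ip, Host header, request URI)."""
    limiter = limiter or PerIpLimiter()
    return [limiter.check(ip, host, uri, t) for t, ip, host, uri in events]

# Constructed sample traffic from one client; not taken from the thread.
SAMPLE = (
    [(t, "203.0.113.5", "www.domain1.com", "/index.php") for t in range(11)]    # 11th dropped
    + [(12, "203.0.113.5", "domain1.com", "/x.php?981")]                        # exempt
    + [(t, "203.0.113.5", "domain2.com", "/y.php?o19") for t in range(20, 32)]  # never counted
    + [(t, "203.0.113.5", "domain2.com", "/x.php?981") for t in range(40, 51)]  # 11th dropped
    + [(82, "203.0.113.5", "domain2.com", "/x.php?1")]                          # >30 s idle: decayed
)
```

Because the decay clock restarts on every write, a client hammering x.php continuously stays blocked until it pauses for a full window, which is the behaviour a production ruleset should be tested for.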