View Single Post
  #7   (View Single Post)  
Old 14th April 2010
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243
Default

Quote:
this is more useful to restrict ssh access...
For a webserver, it is quite annoying.
Some webservers such as the Hiawatha webserver actually have these options builtin, (ConnectionsTotal, ConnectionsPerIP, BanOnFlooding, BanOnMaxPerIP options).

In the pf.conf for this forums I have:
Quote:
source-track max-src-conn 50 max-src-conn-rate 200/10
For a time I monitored the overload table I used to see how often this limit was reached: Almost never, and when it was reached it was almost always by a bot, either a legitimate bot (i.e. google) or a bot of unclear origin and doubtful legitimacy.
I solved the problem by making a table with known bot addresses (Taken from iplists.com) which are exempted from this rule.

Why use max-src-conn and max-src-conn-rate? It prevent (D)DoS attacks.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote