On Thu, Aug 01, 2013 at 10:49:59PM -0700, Grant wrote:
> Do you do this only when under DoS attack or all the time?

All the time.

> Won't you potentially prevent legitimate users from making a single
> connection if they're connecting with a shared IP from a university
> campus (for example)?

Yes. However, if you don't do it you potentially prevent legitimate users from anywhere from making a connection because some greedy user is using up all your server's resources.

> How is this accomplished with iptables?

With connlimit and/or one of the rate-limiting modules.

Just to bring it back on topic, the disadvantage of implementing this at the firewall is that it is very broad-brush (unless you use DPI). You will be limiting connections regardless of the target vhost or path or MIME type or whatever. By doing it in apache with mod_limitipconn or similar you can easily apply stricter limits to heavier content, for example.

So, IMHO the best plan is to put an absolute limit in the firewall for the worst possible scenario but then tailor the individual limits for vhosts and content types etc. within apache.

Pete

--
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107
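The two-layer scheme Pete describes (an absolute per-IP cap at the firewall, stricter per-path limits in Apache via mod_limitipconn), written out as an added example; this is not Pete's own configuration. All limit values, the /downloads path and the HTTP_LIMIT chain name are assumed placeholders to tune against real traffic.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Layered connection limits:
# broad absolute cap at the firewall, tailored per-path limits in Apache.
# Every number below is an assumed placeholder.

HTTP_PORT=80
FW_MAX_CONN_PER_IP=25       # firewall: absolute concurrent connections per source IP
FW_NEW_CONN_RATE=30/minute  # firewall: new-connection rate per source IP
FW_NEW_CONN_BURST=20
APP_MAX_CONN_HEAVY=4        # apache: per-IP limit for heavy content (assumed path /downloads)
APP_MAX_CONN_SITE=10        # apache: per-IP limit for the rest of the vhost

# Emit (do not apply) the iptables rules so they can be reviewed first.
# connlimit counts existing connections from the source, hashlimit caps the
# rate of new ones; both are checked only on the SYN of a new connection.
firewall_rules() {
  cat <<EOF
iptables -N HTTP_LIMIT
iptables -A HTTP_LIMIT -m connlimit --connlimit-above $FW_MAX_CONN_PER_IP --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A HTTP_LIMIT -m hashlimit --hashlimit-name http_new --hashlimit-mode srcip --hashlimit-above $FW_NEW_CONN_RATE --hashlimit-burst $FW_NEW_CONN_BURST -j DROP
iptables -A HTTP_LIMIT -j RETURN
iptables -I INPUT -p tcp --dport $HTTP_PORT --syn -j HTTP_LIMIT
EOF
}

# Emit the mod_limitipconn fragment for one vhost: tighter on heavy content,
# looser elsewhere, with images exempted so a page's inline assets do not count.
apache_limit_conf() {
  cat <<EOF
ExtendedStatus On
<IfModule mod_limitipconn.c>
    <Location />
        MaxConnPerIP $APP_MAX_CONN_SITE
        NoIPLimit image/*
    </Location>
    <Location /downloads>
        MaxConnPerIP $APP_MAX_CONN_HEAVY
    </Location>
</IfModule>
EOF
}

# The Apache limits only add value if they are stricter than the firewall's
# absolute cap; returns 1 if any of them is not.
check_layering() {
  for n in $APP_MAX_CONN_HEAVY $APP_MAX_CONN_SITE; do
    [ "$n" -lt "$FW_MAX_CONN_PER_IP" ] || return 1
  done
  return 0
}
```

Run `firewall_rules` and `apache_limit_conf` to print the fragments for review; connlimit and hashlimit are standard iptables match extensions, and mod_limitipconn needs ExtendedStatus to see per-connection details.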