Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Directory (http://www.linux-archive.org/fedora-directory/)
-   -   Safeguarding against to many established connections (http://www.linux-archive.org/fedora-directory/441581-safeguarding-against-many-established-connections.html)

Angel Bosch Mora 10-19-2010 10:28 AM

Safeguarding against to many established connections
 
----- Missatge original -----
> On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
> > Hi We have recently seen an issue were a single client opened up
> > more than 800 established connections to our directory server. The
> > client did have the proper settings configured and should have
> > closed connections but it did'nt. Is there a way to limit the amount
> > of connections per client or close connections from the server side
> > after a certain period? Without just making the amount of
> > connections ridicuosly high on the directory server how can you
> > safeguard against rogue clients.
> >
> > Our client setting is as follows:
> > idle_timelimit 5
> > timelimit 10
> > bind_timelimit 5
> >
> > We were unable to log into client and it had file system issues so
> > we could not do any further analyses there.
> >
> > I suspect that solutions to this problem probably falls outside of
> > what can be configured in 389?
>
> While it's not a 389-specific suggestion, iptables could easily solve
> this problem for you across the board. :)
>

there's also a setting to close idle connections after X seconds. is somewhere in the 389 console, i can't remember now exactly.


abosch
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Gerrard Geldenhuis 10-19-2010 10:32 AM

Safeguarding against to many established connections
 
>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Angel Bosch Mora [angbosch@conselldemallorca.net]
>Sent: 19 October 2010 11:28
>To: General discussion list for the 389 Directory server project.
>Subject: Re: [389-users] Safeguarding against to many established connections
>
>----- Missatge original -----
>> On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
>> > Hi We have recently seen an issue were a single client opened up
>> > more than 800 established connections to our directory server. The
>> > client did have the proper settings configured and should have
>> > closed connections but it did'nt. Is there a way to limit the amount
>> > of connections per client or close connections from the server side
>> > after a certain period? Without just making the amount of
>> > connections ridicuosly high on the directory server how can you
>> > safeguard against rogue clients.
>> >
>> > Our client setting is as follows:
>> > idle_timelimit 5
>> > timelimit 10
>> > bind_timelimit 5
>> >
>> > We were unable to log into client and it had file system issues so
>> > we could not do any further analyses there.
>> >
>> > I suspect that solutions to this problem probably falls outside of
v> > what can be configured in 389?
>>
>> While it's not a 389-specific suggestion, iptables could easily solve
>> this problem for you across the board. :)
>>
>
>there's also a setting to close idle connections after X seconds. is somewhere in the 389 console, i can't remember now exactly.
>>

Thanks! I little bit more searching have revealed the following settings which I would like to try:

3.1.1.85. nsslapd-outbound-ldap-io-timeout
This attribute limits the I/O wait time for all outbound LDAP connections. The default is 300000 milliseconds (5 minutes). A value of 0 means that the server does not impose a limit on I/O wait time.

4.5.2.8. nsConnectionLife
This attribute specifies connection lifetime. Connections between the database link and the remote server can be kept open for an unspecified time or closed after a specific period of time. It is faster to keep the connections open, but it uses more resources. When the value is 0 and a list of failover servers is provided in the nsFarmServerURL attribute, the main server is never contacted after failover to the alternate server.

4.5.2.9. nsOperationConnectionsLimit
This attribute shows the maximum number of LDAP connections the database link establishes with the remote server.


What is not perfectly clear to me though is does this apply to all connections other masters, consumers and clients?

Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Gerrard Geldenhuis 10-19-2010 10:34 AM

Safeguarding against to many established connections
 
>________________________________________
>From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users@witbe.net]
>Sent: 19 October 2010 11:16
>To: 389-users@lists.fedoraproject.org
>Subject: Re: [389-users] Safeguarding against to many established connections
>
>On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
>> Hi
>> We have recently seen an issue were a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed >connections but it did'nt. Is there a way to limit the amount of connections per client or close connections from the server side after a certain period? Without just making the amount of connections ridicuosly >high on the directory server how can you safeguard against rogue clients.
>>
>> Our client setting is as follows:
>> idle_timelimit 5
>> timelimit 10
>> bind_timelimit 5
>>
>> We were unable to log into client and it had file system issues so we could not do any further analyses there.
>>
>> I suspect that solutions to this problem probably falls outside of what can be configured in 389?
>
>While it's not a 389-specific suggestion, iptables could easily solve
>this problem for you across the board. :)
>

I would be keen on such a solution but from a company point of view it is "non-standard" so I would need to do a bit of convincing and/arm twisting.

Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Gerrard Geldenhuis 10-19-2010 10:36 AM

Safeguarding against to many established connections
 
>>
>> I suspect that solutions to this problem probably falls outside of what can be configured in 389?
>
>While it's not a 389-specific suggestion, iptables could easily solve
>this problem for you across the board. :)

Do you have thoughts on criteria for iptables... how do you differentiate between 800 healthy connections and 800 duff ones if both have an ESTABLISHED state? Do you just assume it will never be that much and limit accordingly or do you do time limit to say that connections should never be maintained longer than x minutes and require clients to re-establish connections?

Regards


__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Andrey Ivanov 10-19-2010 10:47 AM

Safeguarding against to many established connections
 
Hi,

you may be interested in the following threads with some solutions :

http://lists.fedoraproject.org/pipermail/389-users/2010-September/012149.html


http://lists.fedoraproject.org/pipermail/389-users/2009-February/009062.html

@+

2010/10/19 Gerrard Geldenhuis <Gerrard.Geldenhuis@betfair.com>


>>

>> I suspect that solutions to this problem probably falls outside of what can be configured in 389?

>

>While it's not a 389-specific suggestion, iptables could easily solve

>this problem for you across the board. :)



Do you have thoughts on criteria for iptables... how do you differentiate between 800 healthy connections and 800 duff ones if both have an ESTABLISHED state? Do you just assume it will never be that much and limit accordingly or do you do time limit to say that connections should never be maintained longer than x minutes and require clients to re-establish connections?





Regards





__________________________________________________ ______________________

In order to protect our email recipients, Betfair Group use SkyScan from

MessageLabs to scan all Incoming and Outgoing mail for viruses.



__________________________________________________ ______________________

--

389 users mailing list

389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


All times are GMT. The time now is 06:50 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.