07-17-2008, 01:00 PM
"Jimmy Snell"

Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working

Hi,

Thank you for your replies, Mumia and Markus.

Yes, I have tested today and found that while the attacking IP gets an
"HTTP 503" error, another IP can visit my site normally. This is just
how mod_limitipconn works.

Before this, I thought the limitipconn module would totally prevent
the DoS attacker from connecting to TCP 80 port.

BTW, I am not sure how Apache and its DSOs work internally. But I
wonder whether there is a way to achieve the result I expected (refuse
new HTTP connections from the attacker's IP)? If it
cannot be done inside Apache or its DSOs, maybe it can be done by adding
a rule to the system iptables?


> Message: 5
> Date: Wed, 16 Jul 2008 06:45:19 -0500
> From: "Mumia W." <paduille.4062.mumia.w+nospam@earthlink.net>
> Subject: Re: Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working?
> To: "Ubuntu user technical support, not for general discussions"
> <ubuntu-users@lists.ubuntu.com>
> Message-ID: <487DDF4F.2000408@earthlink.net>
> Content-Type: text/plain; charset=us-ascii; format=flowed
>
> Perhaps it is working. Maybe 999,997 of those connections received HTTP
> 503 errors. AFAIK, the returning of an error page doesn't break the
> TCP/IP connection. You could configure Apache to immediately close
> connections after the first request, but that might negatively affect
> performance for people who are not going above the connection limit.
>
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 16 Jul 2008 14:33:19 +0200
> From: Markus Schönhaber <ubuntu-users@list-post.mks-mail.de>
> Subject: Re: Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working?
> To: ubuntu-users@lists.ubuntu.com
> Message-ID: <487DEA8F.1050200@list-post.mks-mail.de>
> Content-Type: text/plain; charset=UTF-8
>

> Although probably not really a problem: why don't you use the
> configuration layout the package uses? I. e. create
> /etc/apache2/mods-available/limitipconn.load
> /etc/apache2/mods-available/limitipconn.conf
> and create symlinks in
> /etc/apache2/mods-enabled
> to actually activate the module.

Yes, I have already changed to this style.

>> However, then I tried to test whether this module was working.
>> I used the "ab" command to test from my machine:
>> ab -n 1000000 -c 100 http://www.myhost.com
>
> Are you the owner of www.myhost.com? If not, please use a domain name
> like "example.com" which is reserved for use in documentation.

I am sorry. I will mention it as example.com in the future. Thank you.

>
> As Mumia already said, this doesn't necessarily mean that the module
> isn't working. mod_limitipconn doesn't make HTTP connections to your
> server impossible (if over the limit) but makes sure that those
> excessive connections are only used to return an error page - which is,
> of course, done using an HTTP connection.
>
> You should rather take a look at your server's log files. AFAIU
> mod_limitipconn will log rejected (i. e. answered with an error message)
> connection attempts.
>
> Additionally, you could use
> apache2ctl -M
> to see if mod_limitipconn and mod_status are indeed loaded by the server
> and the config syntax is OK.

The limitipconn module is there.

Yes, it is working. Thank you for your help! :-)

--
Yours Truly,
James Z. Snell

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
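The advice above is to look at the log files rather than at what "ab" reports, because over-limit connections are answered with an HTTP 503 page, not refused at the TCP level. The script below is an added example (not code from the thread or from the mod_limitipconn project): it counts 503 responses per client IP in a combined-format Apache access log and flags addresses above a threshold. The log lines are constructed for the example, the "combined" LogFormat layout and the threshold of 100 are assumptions, and the apache2ctl check at the top only runs where that command exists.

```shell
#!/bin/sh
# Added example (not code from the thread): check that mod_limitipconn is
# doing its job by reading the access log rather than watching "ab".
# Excess connections are not refused at the TCP level; they are answered
# with HTTP 503, so the evidence is a pile of 503s from one client IP.
#
# Assumptions: the log uses Apache's default "combined" LogFormat (client
# IP is the first field, the status code follows the quoted request line),
# and the 503 threshold of 100 is a value picked for this example.

# Liveness check from the thread: are the modules loaded at all?
# (mod_limitipconn depends on mod_status with ExtendedStatus On.)
if command -v apache2ctl >/dev/null 2>&1; then
    apache2ctl -M 2>/dev/null | grep -E 'limitipconn|status' || true
fi

# count_503_per_ip: access-log lines on stdin -> "<ip> <503s> <total requests>"
# per client IP, most-rejected first.
count_503_per_ip() {
    awk '
        {
            ip = $1
            total[ip]++
            # Skip past the quoted request line ("GET / HTTP/1.0"); the
            # status code is the first field after its closing quote.
            rest = substr($0, index($0, "\"") + 1)
            rest = substr(rest, index(rest, "\"") + 1)
            split(rest, f, " ")
            if (f[1] == "503") rejected[ip]++
        }
        END {
            for (ip in total)
                printf "%s %d %d\n", ip, rejected[ip] + 0, total[ip]
        }' | sort -k2,2nr
}

# suspicious_ips [THRESHOLD]: print IPs with at least THRESHOLD 503s (default 100).
suspicious_ips() {
    count_503_per_ip | awk -v t="${1:-100}" '$2 >= t { print $1 }'
}

# Constructed sample log (not real traffic): 10.0.0.5 runs "ab" against
# the server and is mostly rejected; 192.0.2.10 is an ordinary visitor.
sample_log() {
    n=0
    while [ "$n" -lt 200 ]; do
        echo '10.0.0.5 - - [17/Jul/2008:13:00:01 +0000] "GET / HTTP/1.0" 503 455 "-" "ApacheBench/2.0.40-dev"'
        n=$((n + 1))
    done
    n=0
    while [ "$n" -lt 3 ]; do
        echo '10.0.0.5 - - [17/Jul/2008:13:00:01 +0000] "GET / HTTP/1.0" 200 1532 "-" "ApacheBench/2.0.40-dev"'
        n=$((n + 1))
    done
    echo '192.0.2.10 - - [17/Jul/2008:13:00:02 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"'
    echo '192.0.2.10 - - [17/Jul/2008:13:00:02 +0000] "GET /style.css HTTP/1.1" 200 822 "-" "Mozilla/5.0"'
}

# Run against the constructed log. On a real server replace sample_log with
# something like: tail -n 100000 /var/log/apache2/access.log
sample_log | count_503_per_ip
echo "over threshold: $(sample_log | suspicious_ips 100)"
```

A client that is really over MaxConnPerIP shows up with a 503 count close to its total request count, while a normal visitor shows none; if every address shows zero 503s during an "ab" run, the module is not in the request path (check apache2ctl -M and that ExtendedStatus is On).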
 
07-17-2008, 01:17 PM
Markus Schönhaber

Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working

Jimmy Snell wrote:

> BTW, I am not sure how Apache and its DSOs work internally. But I
> wonder whether there is a way to achieve the result I expected (refuse
> new HTTP connections from the attacker's IP)? If it
> cannot be done inside Apache or its DSOs, maybe it can be done by adding
> a rule to the system iptables?

I don't know of a way using only the means of httpd, but yes, it can be
done using netfilter's limit match. For an explanation see, for example,
here:
http://iptables-tutorial.frozentux.net/chunkyhtml/x2702.html#LIMITMATCH

Regards
mks

 
07-23-2008, 01:38 PM
"Jimmy Snell"

Why is mod_limitipconn-0.23 in Ubuntu 8.04 not working

Dear Markus,

On Thu, Jul 17, 2008 at 9:17 PM, Markus Schönhaber
<ubuntu-users@list-post.mks-mail.de> wrote:
> Jimmy Snell wrote:
>
>> BTW, I am not sure how Apache and its DSOs work internally. But I
>> wonder whether there is a way to achieve the result I expected (refuse
>> new HTTP connections from the attacker's IP)? If it
>> cannot be done inside Apache or its DSOs, maybe it can be done by adding
>> a rule to the system iptables?
>
> I don't know of a way using only the means of httpd, but yes, it can be
> done using netfilter's limit match. For an explanation see, for example,
> here:
> http://iptables-tutorial.frozentux.net/chunkyhtml/x2702.html#LIMITMATCH

Thank you for your reply.

I have checked this tutorial, and it seems that it cannot perform a
limitation on a per-IP basis.

BTW, I found another Apache module to cope with DDoS,
libapache2-mod-evasive, which has already been packaged for
Hardy. I have tried this module out; however, I found that it does not
seem very useful when working together with the limitipconn module.

I asked this question on the mailing list because I could not find an
effective way to prevent a DDoS attack on my website. So, any
solutions tested by experienced webmasters are very much appreciated.

Thanks.

-
Jimmy

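Two points from the exchange above: Markus suggested netfilter's "limit" match, and Jimmy found that it is not per-IP. That is correct, the "limit" match counts all matching packets together. What refuses new HTTP connections from one attacking address before Apache ever sees them is a per-source match: "connlimit" (concurrent connections per source address) or "hashlimit" (rate of new connections per source address), plus a plain "-s" rule for an address you already know is hostile. The script below is an added example, not from the thread; the port, the limits of 20 concurrent connections and 30 new connections per second with a burst of 50, and the rule names are assumptions chosen for the example. It prints the rules by default and only applies them when IPT is set to the real iptables binary, which needs root and the xt_connlimit and xt_hashlimit kernel modules.

```shell
#!/bin/sh
# Added example (not code from the thread): per-source-IP limiting with
# netfilter. The "limit" match counts all matching packets together, so it
# cannot single out one client; "connlimit" (concurrent connections per
# source) and "hashlimit" (new-connection rate per source) can. Both act
# on the SYN, so an offending client is refused before Apache sees it and
# never gets a 503 page. "ban_ips" is the blunt version: refuse listed
# addresses outright.
#
# Assumptions, chosen for this example: web port 80, at most 20 concurrent
# connections per address, at most 30 new connections per second per
# address with a burst of 50. Rules are printed, not applied, unless IPT is
# set to the real binary (IPT=iptables, run as root, with xt_connlimit and
# xt_hashlimit available, which is the case on Hardy's 2.6.24 kernel with
# iptables 1.4).

IPT=${IPT:-"echo iptables"}

# per_ip_http_rules PORT MAXCONN RATE BURST
per_ip_http_rules() {
    port=$1; maxconn=$2; rate=$3; burst=$4

    # Concurrent connections from one address (/32 mask = a single host);
    # REJECT with a reset so a well-behaved client fails fast instead of
    # hanging on a dropped SYN.
    $IPT -A INPUT -p tcp --syn --dport "$port" \
        -m connlimit --connlimit-above "$maxconn" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset

    # Rate of new connections from one address, tracked in a hash table
    # keyed on source IP; idle entries expire by themselves. DROP here:
    # a flooding client gets no reply at all.
    $IPT -A INPUT -p tcp --syn --dport "$port" \
        -m hashlimit --hashlimit-above "${rate}/sec" --hashlimit-burst "$burst" \
        --hashlimit-mode srcip --hashlimit-name "http-syn-$port" \
        -j DROP
}

# ban_ips PORT: read one address per line on stdin and refuse its new
# connections to PORT (inserted at the top of INPUT so it wins).
ban_ips() {
    port=$1
    while read -r ip; do
        [ -n "$ip" ] || continue
        $IPT -I INPUT -p tcp --syn --dport "$port" -s "$ip" \
            -j REJECT --reject-with tcp-reset
    done
}

# Dry run: print the rule set, then a one-off ban of a constructed address.
per_ip_http_rules 80 20 30 50
printf '10.0.0.5\n' | ban_ips 80
```

Two caveats before applying this on a real host. connlimit relies on connection tracking, so conntrack must be loaded and its table sized for the traffic. And a per-address limit punishes everyone behind one NAT gateway or proxy while doing nothing against a distributed attack from many addresses; it answers the single-attacker case in the thread, not DDoS in general.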
 
