Connection limit exceeded

patrickkasie (Verified User, joined Sep 21, 2021)
Dear DirectAdmin forum,

We have an API on a website that uses an excessive number of connections. The limit is CT_LIMIT = 20. However, because this IP address would get blocked/blacklisted from time to time, I had to put it in the /etc/csf/csf.allow file so that it would no longer be blacklisted. I don't want to increase the limit for this IP address; I would like to limit its connections through other means so it won't hog the resources on the server.

Code:
Connection counts:
      1 111.108.22.64
      1 14.10.134.160
      1 143.110.213.54
      1 153.246.131.250
      1 157.55.39.61
      1 17.241.75.151
      1 17.241.75.216
      1 17.246.19.148
      1 176.145.198.120
      1 223.17.134.133
      1 45.201.229.242
      1 45.94.31.47
      1 54.226.0.140
      1 66.249.74.69
      1 77.240.183.231
      1 77.95.98.84
      1 84.104.100.28
      1 84.243.253.203
      1 85.208.98.16
      1 92.66.73.176
      1 95.108.213.106
      2 119.25.13.246
      2 125.202.108.75
      2 126.51.231.131
      2 138.197.26.31
      2 144.91.106.14
      2 185.6.6.50
      2 192.168.1.102
      2 212.181.223.40
      2 2a02
      2 5.88.236.6
      2 85.208.98.19
      2 85.208.98.29
      2 87.95.223.88
      3 179.43.159.200
      3 185.220.101.37
      3 2001
      3 219.75.73.27
      3 44.230.252.91
      3 52.167.144.140
      3 58.29.250.44
      3 62.83.209.66
      3 92.66.139.169
      3 94.211.167.127
      3 95.108.213.225
      4 120.253.227.22
      4 85.208.98.20
      5 5.40.103.162
      7 133.6.56.33
      8 31.134.203.187
      9 127.0.0.1
     24 2a01
   1012 188.166.201.130

DirectAdmin, CSF, CentOS7
 
20 is too low; I suggest a value around 50-100.

If you set more than 80, you need to tune "CT_INTERVAL" to between 10-30 seconds.

CT_PERMANENT=0 # do not turn this on unless you are under a real attack.
CT_BLOCK_TIME=3600 # I suggest a value between 3600-86400
 
The problem is, we need that IP address to be able to connect to us. We just don't want it to use that many connections. It doesn't matter how long it needs to do what it needs to do, just that it cannot use more than 20 connections at a time; but if I were to use your setting, it would blacklist the IP address.
 
Ahh, ok.
Another setting might be this:

CONNLIMIT = "80;20,443;20"

This shouldn't get blocked, but just limits connections.

Then set CT_LIMIT to 50 to prevent global spamming (a real DDoS).
 
I've asked ChatGPT what CONNLIMIT will do if the number of connections is exceeded. I'd like to double check with the forum; this is what ChatGPT says:
These connection limits help control the number of simultaneous connections to specific ports on your server. If an IP address exceeds the defined connection limit for a particular port, CSF may take action, such as temporarily blocking or permanently blocking that IP address, depending on your CSF configuration.
This implies that the IP address would be blocked rather than limited by the number of connections. Are you very sure? The reason I can't just implement this is because the connections from this IP address happen infrequently, without a way for me to change the frequency, and it may take a few days before we can realise this IP address is blocked because of its irregularity. Also, how do I know if the ports used to connect to are ports 80 or 443?
 
Stop asking ChatGPT, go read the documentation directly from the CSF firewall.

There are 2 options similar to this:

CONNLIMIT and PORTFLOOD.

PORTFLOOD can temporarily block the port that you configure.
CONNLIMIT will not accept a new connection until an old connection is released; it just drops the new connection.
 
Asking ChatGPT is like being caught with your pants down these days. I'm glad you've clarified CONNLIMIT for me, thank you!
The 300 limit is too high for the purposes of some sites; 100 would be better in my case.

That's in fact the wrong one.
You should use the csf.ignore file for those. Otherwise those IPs can even access closed ports.
That's good to know, so it can still go by the rules if I understand this correctly?

After putting the IP address in the csf.ignore file, restarting CSF+LFD and letting it run for a while, I still have 200+ connections from that IP address on port 443, despite having the following rules:
CT_LIMIT = "100"
CONNLIMIT = "80;50,443;50"
PORTFLOOD = ""
I don't want the server to block any IP address for the purpose of testing how it works exactly, but I do want it to drop connections. The IP address connects only to port 443. Before I put the IP address in the csf.ignore file, it had received 4 temp blocks before being perma blocked due to having so many connections. That's why I wanted it in the csf.allow file, but that is too lenient as pointed out by @Richard G, so the csf.ignore file it is. And now it's taking up the same number of connections just like it did before, without dropping the new connections. What do I do?
Edit:
netstat -tanp | grep IPaddress | wc -l
206
 
Try checking the "xt_connlimit" iptables module with
Code:
/etc/csf/csftest.pl

If this module is missing, connlimit doesn't work.


Let me include a little of the docs in this thread.
20. Connection Limit Protection
###############################

This option configures iptables to offer protection from DOS attacks against
specific ports. It can also be used as a way to simply limit resource usage by
IP address to specific server services. This option limits the number of new
concurrent connections per IP address that can be made to specific ports.

This feature does not work on servers that do not have the iptables module
xt_connlimit loaded. Typically, this will be with Monolithic kernels. VPS
server admins should check with their VPS host provider that the iptables
module is included.

Also, although included in some older versions of RedHat/CentOS, it was only
actually available from v5.3+

The protection can only be applied to the TCP protocol.

Syntax for the CONNLIMIT setting:

CONNLIMIT is a comma separated list of:
port;limit

So, a setting of CONNLIMIT = "22;5,80;20" means:

1. Only allow up to 5 concurrent new connections to port 22 per IP address

2. Only allow up to 20 concurrent new connections to port 80 per IP address

Note: Existing connections are not included in the count, only new SYN packets,
i.e. new connections

Note: Run /etc/csf/csftest.pl to check whether this option will function on the
server
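The CONNLIMIT syntax quoted above ("port;limit" entries separated by commas) is easy to get subtly wrong in csf.conf, and a malformed value silently buys no protection. The following is an added example, not CSF's own Perl code: it parses a CONNLIMIT value, rejects malformed entries, and renders the equivalent per-port iptables rules. The exact rule form is an assumption based on the CONNLIMIT chain shown later in the thread (REJECT with tcp-reset) and on the doc note that only new SYN packets are matched; CSF's generated rules may differ in detail.

```python
import re

# Added example (not from CSF or the thread): parse a CSF CONNLIMIT value and
# show the equivalent iptables rules.  The rule form below is an assumption
# modelled on the CONNLIMIT chain seen in the thread (REJECT --reject-with
# tcp-reset) and the documented "new SYN packets only" semantics.


def parse_connlimit(value):
    """Parse 'port;limit,port;limit' into a list of (port, limit) tuples.

    Raises ValueError on malformed entries so a typo in csf.conf is caught
    instead of silently disabling the protection.  Surrounding quotes, as
    written in csf.conf, are tolerated.
    """
    value = value.strip().strip('"')
    if not value:
        return []
    pairs = []
    for entry in value.split(","):
        entry = entry.strip()
        m = re.fullmatch(r"(\d+);(\d+)", entry)
        if not m:
            raise ValueError(f"malformed CONNLIMIT entry: {entry!r}")
        port, limit = int(m.group(1)), int(m.group(2))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if limit < 1:
            raise ValueError(f"limit must be positive: {limit}")
        pairs.append((port, limit))
    return pairs


def connlimit_rules(value, chain="CONNLIMIT"):
    """Render one iptables rule per CONNLIMIT entry (assumed rule form).

    --syn restricts the match to connection attempts, so the limit gates new
    connections per source IP while sessions already established continue;
    the reset tells the client immediately rather than letting it hang.
    """
    rules = []
    for port, limit in parse_connlimit(value):
        rules.append(
            f"iptables -A {chain} -p tcp --syn --dport {port} "
            f"-m connlimit --connlimit-above {limit} "
            f"-j REJECT --reject-with tcp-reset"
        )
    return rules


if __name__ == "__main__":
    # The value discussed in the thread.
    for rule in connlimit_rules('"80;50,443;50"'):
        print(rule)
```

Run it with the CONNLIMIT value from csf.conf to see which ports and thresholds the setting actually expresses before restarting CSF.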
 
Code:
/etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server
 
Maybe he connects via the "http" protocol, then your website automatically redirects to "https"; this will count as 2 connections, so it could reach CT_LIMIT.


Could you check this again:
Code:
iptables -L CONNLIMIT -nvx
netstat -anp | grep ESTABLISHED | grep IPAddress | wc -l
 
Code:
# iptables -L CONNLIMIT -nvx
Chain CONNLIMIT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
# netstat -anp | grep ESTABLISHED | grep IPaddress | wc -l
10
# netstat -tanp | grep IPaddress | wc -l
2043
What does it mean to have such a big difference in ESTABLISHED connections vs everything else? All other connections are TIME_WAIT.
 
OK, it looks like you have many TIME_WAIT.


TIME_WAIT means the client already closed the connection but there is some cleanup on the application side, like in the web server, FTP, etc.
CONNLIMIT only counts new connections, without counting TIME_WAIT.

Maybe try putting "CT_SKIP_TIME_WAIT = 1" in, to debug and see the result.
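The gap between the two netstat counts in the thread (10 ESTABLISHED versus 2043 lines matching the IP) and the TIME_WAIT explanation above can be checked with a small script rather than a grep/wc pipeline, which counts every line mentioning the address regardless of state. This is an added example, not code from the thread or from CSF; the netstat output below is constructed, reusing the high-count address from the first post as the remote IP, and the local address 10.0.0.5 is made up.

```python
from collections import Counter, defaultdict

# Constructed sample of `netstat -tan` output (not captured from the thread).
# 188.166.201.130 is the high-count address from the original post; the
# per-state counts here are invented to illustrate the ESTABLISHED/TIME_WAIT gap.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            188.166.201.130:51002   ESTABLISHED
tcp        0      0 10.0.0.5:443            188.166.201.130:51003   ESTABLISHED
tcp        0      0 10.0.0.5:443            188.166.201.130:51004   TIME_WAIT
tcp        0      0 10.0.0.5:443            188.166.201.130:51005   TIME_WAIT
tcp        0      0 10.0.0.5:443            188.166.201.130:51006   TIME_WAIT
tcp        0      0 10.0.0.5:443            188.166.201.130:51007   SYN_RECV
tcp        0      0 10.0.0.5:443            66.249.74.69:40311      ESTABLISHED
tcp        0      0 10.0.0.5:80             66.249.74.69:40312      TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) rows.

    Header lines are skipped; the parser tolerates the extra PID/Program
    column that `netstat -p` appends because it only reads the first six fields.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, local, remote, state = parts[0], parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((proto, lip, lport, rip, rport, state))
    return rows


def counts_by_ip_and_state(text, port=None):
    """Map each remote IP to a Counter of TCP states, optionally for one local port.

    LISTEN sockets are excluded because they have no remote peer.
    """
    result = defaultdict(Counter)
    for _proto, _lip, lport, rip, _rport, state in parse_netstat(text):
        if state == "LISTEN":
            continue
        if port is not None and lport != str(port):
            continue
        result[rip][state] += 1
    return result


def grep_wc_count(text, ip):
    """What `netstat -tanp | grep IP | wc -l` reports: every line mentioning the IP."""
    return sum(1 for line in text.splitlines() if ip in line)


def top_talkers(text, state="ESTABLISHED", n=5):
    """Rank remote IPs by connections in one state, like `sort | uniq -c | sort -n`
    but without mixing states together."""
    by_ip = counts_by_ip_and_state(text)
    ranked = sorted(((ip, c[state]) for ip, c in by_ip.items() if c[state]),
                    key=lambda t: (-t[1], t[0]))
    return ranked[:n]


if __name__ == "__main__":
    ip = "188.166.201.130"
    states = counts_by_ip_and_state(SAMPLE_NETSTAT, port=443)[ip]
    print(f"grep|wc count for {ip}: {grep_wc_count(SAMPLE_NETSTAT, ip)}")
    for state, count in states.most_common():
        print(f"  {state:12s} {count}")
```

Replacing `SAMPLE_NETSTAT` with the real `netstat -tan` output shows how many of the 2000-odd lines are live sessions that CONNLIMIT would count against the per-IP limit and how many are TIME_WAIT leftovers from connections the peer has already closed.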
 