Connection throttling POP3.
Matthew Schumacher
matt.s at aptalaska.net
Tue May 22 21:05:57 EDT 2007
David S. Madole wrote:
>> From Matthew Schumacher on Monday, May 21, 2007 6:35 PM
>>
>> I agree with Blake: while I can do it with IPtables, it's not
>> a good solution.
>>
>> The first iptables suggestion blocked the offending IP, which
>> is fine, but also requires me to babysit the server. The
>> second suggestion would correctly limit connections, but if
>> I'm reading it right, would lump all connections together,
>> not just connections per originating IP address.
>
> If you are talking about the suggestion I made, which looked like this:
>
> iptables -A INPUT -p tcp --dport 22 \
> -m state --state NEW \
> -m recent --update --seconds 60 -j DROP
>
> iptables -A INPUT -p tcp --dport 22 \
> -m state --state NEW \
> -m recent --set -j ACCEPT
>
> then you did not read it right. It limits to one connection per IP address per minute. Each source address is kept track of in enforcing the limit. Using the --hitcount option in addition to the --seconds option, you can also create limits such as a maximum of four connections in two minutes, etc.
>
> David
>
This must be something that the recent module does. I'll do some
testing.... Thanks for the helpful suggestion, it looks very promising.
schu
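The two-rule pattern David quotes above depends entirely on how the recent match keeps per-source state, which is easy to misjudge without testing. The following is an added example written for this page (not kernel code, not part of Cyrus, and not something either poster supplied): a small Python model of the --set / --update / --rcheck / --seconds / --hitcount logic, applied to constructed connection attempts so the effect of a given limit can be checked before it is loaded on a live POP3 server. The port (110), the addresses (documentation ranges) and the timestamps are assumptions made for the example.

```python
"""Per-source-address rate limiting as done by the iptables 'recent' match.

Added illustration for this thread: it is not kernel code and not part of
Cyrus. It models the --set / --update / --rcheck / --seconds / --hitcount
logic of the rule pair quoted above so the effect of a limit can be checked
against a list of connection attempts. Addresses and times are constructed.
"""
from collections import defaultdict, deque

# xt_recent stores at most ip_pkt_list_tot timestamps per address (module
# parameter, default 20); --hitcount cannot exceed that value.
IP_PKT_LIST_TOT = 20


class RecentList:
    """One named list (e.g. DEFAULT), keyed by source address (--rsource)."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        self.stamps = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, now):
        """-m recent --set: create the entry if needed and record a hit."""
        self.stamps[src].append(now)

    def update(self, src, now, seconds=None, hitcount=1, refresh=True):
        """-m recent --update (refresh=True) or --rcheck (refresh=False),
        with optional --seconds S and --hitcount N.

        Matches when src is already listed and at least N recorded hits fall
        within the last S seconds (no S means any hit counts). With --update
        the timestamp is recorded only when the match succeeds, which is what
        keeps a client that keeps retrying inside the blocked window.
        """
        hits = self.stamps.get(src)
        if not hits:
            return False
        recent = [t for t in hits if seconds is None or now - t <= seconds]
        if len(recent) >= hitcount:
            if refresh:
                hits.append(now)
            return True
        return False


def filter_new_connections(attempts, seconds, hitcount, refresh=True):
    """Apply the two-rule pattern from the thread to NEW connections, here
    assumed to be POP3 on port 110:

        iptables -A INPUT -p tcp --dport 110 -m state --state NEW \\
            -m recent --update --seconds S --hitcount N -j DROP
        iptables -A INPUT -p tcp --dport 110 -m state --state NEW \\
            -m recent --set -j ACCEPT

    attempts: iterable of (time_in_seconds, source_ip), in time order.
    Returns a list of (time, source_ip, "ACCEPT" | "DROP").
    """
    table = RecentList()
    verdicts = []
    for now, src in attempts:
        if table.update(src, now, seconds=seconds, hitcount=hitcount,
                        refresh=refresh):
            verdicts.append((now, src, "DROP"))
        else:
            table.set(src, now)  # second rule: record the hit, accept
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def accepted_per_host(verdicts):
    """Count accepted NEW connections per source address."""
    counts = defaultdict(int)
    for _, src, verdict in verdicts:
        if verdict == "ACCEPT":
            counts[src] += 1
    return dict(counts)


# Constructed traffic: one host opening a POP3 session every second (a
# password-guessing loop or a runaway client), one host polling every 90 s.
SAMPLE_ATTEMPTS = sorted(
    [(t, "203.0.113.5") for t in range(6)]
    + [(t, "198.51.100.7") for t in (0, 90, 180, 270)]
)

if __name__ == "__main__":
    for seconds, hitcount in ((60, 1), (120, 4)):
        print(f"--seconds {seconds} --hitcount {hitcount}")
        for now, src, verdict in filter_new_connections(
                SAMPLE_ATTEMPTS, seconds, hitcount):
            print(f"  t={now:3d}s {src:14s} {verdict}")
```

With --seconds 60 --hitcount 1 (the quoted rules) the model admits one connection per source per minute: the hammering host gets one session and the 90-second poller is never touched. With --seconds 120 --hitcount 4 it admits four connections per source in two minutes, as David describes. The difference between --update and --rcheck shows up when a blocked client keeps retrying: --update records each dropped attempt, so a client retrying every 30 seconds stays blocked for as long as it retries, whereas --rcheck lets it back in once its last accepted connection ages out of the window. Before deploying, run the real rules with the polling interval of your own mail clients (and any NAT gateway that aggregates many users behind one address), since the count is per source address and includes dropped attempts.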