sjh - mountain biking running linux vegan geek spice - mtb / vegan / running / linux / canberra / cycling / etc

Steven Hanley

About

email: sjh@svana.org

web: https://svana.org/sjh
twitter: https://twitter.com/sjhmtb
instagram: https://instagram.com/sjhmtb

Wed, 06 Apr 2011

Connection limiting in Apache2 - 16:01
Yesterday I noticed a machine I look after had been getting some form of DoS or similar against it. There are ISO images (700 MB files) on the server and there had been a few hundred thousand download requests for them from different IP addresses via the web server.

Looking at the logs it was interesting to note the User-Agent was identical for each request even though the requests were coming from so many different IP addresses. So I had the situation of needing to limit connections to a certain type of file or an area on disk via Apache, so as not to have resource starvation or download bandwidth blowouts.
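The pattern described above (one User-Agent string fanning out across many source addresses against one directory) is easy to pull out of an Apache combined-format access log. The script below is an added example, not code from the original post or from the server in question; the log lines, the `/isos/` path and the `BLAHBLAH/1.0` agent string are constructed for illustration, with addresses from documentation ranges.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (hypothetical paths, agents and documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Apr/2011:10:00:01 +1000] "GET /isos/distro-1.iso HTTP/1.1" 200 734003200 "-" "BLAHBLAH/1.0"
192.0.2.11 - - [05/Apr/2011:10:00:02 +1000] "GET /isos/distro-1.iso HTTP/1.1" 200 734003200 "-" "BLAHBLAH/1.0"
198.51.100.7 - - [05/Apr/2011:10:00:03 +1000] "GET /isos/distro-1.iso HTTP/1.1" 206 1048576 "-" "BLAHBLAH/1.0"
203.0.113.4 - - [05/Apr/2011:10:00:04 +1000] "GET /isos/distro-1.iso HTTP/1.1" 200 734003200 "-" "BLAHBLAH/1.0"
203.0.113.9 - - [05/Apr/2011:10:01:00 +1000] "GET /isos/distro-1.iso HTTP/1.1" 200 734003200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
203.0.113.9 - - [05/Apr/2011:10:02:00 +1000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/4.0"
198.51.100.20 - - [05/Apr/2011:10:03:00 +1000] "GET /isos/distro-1.iso HTTP/1.1" 200 734003200 "-" "Wget/1.12 (linux-gnu)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def ua_ip_spread(lines, path_prefix):
    """Return {user_agent: (request_count, distinct_ip_count)} for requests under path_prefix."""
    reqs = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue  # skip unparseable lines and requests outside the directory of interest
        reqs[rec["ua"]] += 1
        ips[rec["ua"]].add(rec["ip"])
    return {ua: (reqs[ua], len(ips[ua])) for ua in reqs}


def suspicious_agents(lines, path_prefix, min_ips=3):
    """User-Agents seen from at least min_ips distinct addresses, most widespread first.

    A single agent string arriving from many addresses is the signature the post
    describes; a normal browser population shows many agent strings per address set.
    """
    spread = ua_ip_spread(lines, path_prefix)
    flagged = [(ua, n_req, n_ip) for ua, (n_req, n_ip) in spread.items() if n_ip >= min_ips]
    return sorted(flagged, key=lambda t: (-t[2], -t[1]))


if __name__ == "__main__":
    # On a real server: suspicious_agents(open("/var/log/apache2/access.log"), "/isos/")
    for ua, n_req, n_ip in suspicious_agents(SAMPLE_LOG.splitlines(), "/isos/"):
        print(f"{n_ip:5d} IPs {n_req:7d} requests  UA={ua!r}")
```

The threshold `min_ips` is deliberately low for the constructed sample; on a real log with hundreds of thousands of requests it should be raised, and the agent string it reports is what goes into the `u:` match in the mod_bw rule.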

Looking around for ways to do this in apache2 there were not a whole lot of options already implemented: some per-IP connection limits in one module, some rate limiting in another module, but no way to limit connections to a given Directory, VirtualHost or Location immediately turned up. Fortunately a few different searches eventually turned up the libapache2-mod-bw package in Debian.

As it says in the package description:

    This module allows you to limit bandwidth usage on every virtual host
    or directory or to restrict the number of simultaneous connections.

This was the solution it seemed, so I read the documentation in the text file in the package, enabled it on the server and got it working.

To get it working, pay attention to the bit that says ExtendedStatus needs to be enabled before the LoadModule line. Then you can simply place the directives in a Directory section in the main config file for a given vhost.

I configured it with the following section

ForceBandWidthModule On
BandWidthModule On

<Directory "/on/disk/location">
	BandWidth "u:BLAHBLAH" 200
	BandWidth all 2000000
	MaxConnection "u:BLAHBLAH" 1
	MaxConnection all 10
</Directory>
This says that if the User-Agent has the string "BLAHBLAH" anywhere in it, limit it to 200 bytes per second and allow only 1 simultaneous connection from that user agent to this directory. I thought it worthwhile to also put in a limit of 10 on all connections to the directory, just in case the user agent changes, so it will not starve the machine or max out the link.

Initially I had the limit of 10 without limiting the user agent further, and the DoS was simply using up all 10 connections and thus no one else could connect and download these items. Fortunately so far this seems to be working and I can monitor it for a few days to see the resultant behaviour of the attack.

Thanks to the module author this seems to work fairly well and was easier than writing a mechanism inside apache2 myself to limit the connections in the manner required.

[/comp/linux] link

Found in the oven - 11:14

Cupcakes and Bread
I was worried last week I may need to buy bread, I had not done that since early December. My wrist was sore enough from paddling that kneading bread dough seemed to make it worse. In the end I just made bread anyway and thus have still not bought any since December.

Last night I managed to pull the loaf of bread and 24 apple cupcakes pictured out of the oven, all of which is yummy and vegan friendly. I had already tucked into the bread by the time I took that photo.

[/leisure/food] link

