Anyone know why Hitcounter is limited to 20?

NexusNexus Member
edited September 2012 in General

echo "If you hit me 20 times in 1 second, I'm about to drop you...."

iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP

I need it to be more like 50 hits within 5 seconds.... (I've done tests on my site and this is where I need to be, but if I raise the 20 to something like 25 it shows errors. I heard 20 is the max? What the hell is going on?)

Anyone know how to bypass that? And yes I am using the limit module as well ;)

EDIT: FOUND SOLUTION:

Looking closer at the man page, it clearly says:

ip_pkt_list_tot=20: Number of packets per address remembered

Loading the module again with modprobe ipt_recent ip_pkt_list_tot=80
allows the hitcount value to be increased.

I'm very sorry to have posted the bug in the first place.
JL

Sauce:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=526074



So do I need to ask my host again to increase the limit? lol, I feel like I AM NOT ON A VPS! :(

(Wait, is that the difference between KVM vs OpenVZ? More freedom/access to the kernel?)

Comments

  • I don't know if the host would raise that limit for you. If you were on KVM, you'd be able to do it yourself.

  • NexusNexus Member
    edited September 2012

    If the host were to raise it, would it cause any security concerns?

    It's just that I've been doing tests on my site and found that if you refresh too fast, with 20 hits within 1 second, it'll time you out for 3-5 seconds, or however long the firewall blocks that IP. I would assume 50 requests within 1 second would be fine. It would stop the noob HTTP flood scripts that are running around (which is what I am using to test it). And then nginx will handle it with a 503 if they continue to refresh, and then I have an iptables limit:

    iptables -N flood-chk

    iptables -A INPUT -p tcp --dport 80 --syn -j flood-chk
    iptables -A flood-chk -m limit --limit 1/sec --limit-burst 2 -j RETURN
    iptables -A flood-chk -j LOG --log-prefix "IPTABLES HTTP FLOOD-PACKET"
    iptables -A flood-chk -j DROP

    And.. I have deflate layer installed, checking every 1 minute for mini script kiddies. I know this isn't going to help against a full-out DDoS.. but I know it will help against small script kiddies for sure. (Hopefully...) Anyone got any more stuff to use or ideas?

    Thanks,

  • I can't really imagine someone (a person or legit visitor) refreshing any site more than that many times in <1 second.

  • NexusNexus Member
    edited September 2012

    @Taz_NinjaHawk Well, that is to protect against HTTP flood tools. I use the nginx burst/limit for kids that leave pages on refresh.... They piss me off.

    Edit:

    iptables -I INPUT -p tcp -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT

    iptables -I INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP

    Can anyone help me change this so it's NOT responding to HTTP requests but just connections?

    For example, not 20 HTTP requests within 1 second, but 20 connection attempts?
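Added example, not code from any poster in this thread, tying together the two questions above: the hitcount cap from the first post and counting only connection attempts from the last one. Background it relies on: -m recent keeps the last ip_pkt_list_tot timestamps per source address, and --hitcount N asks whether at least N of those fall within --seconds. With only 20 stored, N=25 can never be satisfied, which is why the kernel refuses such a rule with an error. Note also that the posted rules run --set on NEW,ESTABLISHED, so every packet of an established connection (ACKs and data included) adds a timestamp, not just connection attempts. The thresholds below (50 SYNs in 5 seconds, ip_pkt_list_tot=80, list name http_syn, port 80) are assumed values for illustration, not something the thread settled on; IPT=echo MODPROBE=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread above. It raises xt_recent's
# per-address packet memory so --hitcount can exceed 20, and rate-limits
# connection attempts only (TCP SYNs to :80) rather than every packet of
# an established connection. The numbers (50 SYNs in 5 seconds, 80
# remembered packets, list name "http_syn") are hypothetical; tune them.
# Set IPT=echo MODPROBE=echo to print commands instead of running them
# (applying for real needs root and the recent module).
set -eu

IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
HITS="${HITS:-50}"          # connection attempts per WINDOW that trip DROP
WINDOW="${WINDOW:-5}"       # seconds
LIST_TOT="${LIST_TOT:-80}"  # timestamps kept per address; module default 20
NAME="${NAME:-http_syn}"    # own list, so other -m recent rules don't share it
PORT="${PORT:-80}"

# ip_pkt_list_tot is a load-time module parameter (read-only under
# /sys/module/*/parameters), so raising it means unloading and reloading
# the module, which only works once no rule references -m recent. On
# OpenVZ the module lives in the host kernel, so only the host can do
# this; on KVM the guest owns its kernel and can.
reload_recent() {
    "$MODPROBE" -r xt_recent 2>/dev/null || "$MODPROBE" -r ipt_recent 2>/dev/null || true
    # The module is xt_recent on current kernels, ipt_recent on old ones.
    "$MODPROBE" xt_recent ip_pkt_list_tot="$LIST_TOT" \
        || "$MODPROBE" ipt_recent ip_pkt_list_tot="$LIST_TOT"
}

# Line for /etc/modprobe.d/xt_recent.conf so the setting survives a reboot.
modprobe_conf() {
    printf 'options xt_recent ip_pkt_list_tot=%s\n' "$LIST_TOT"
}

apply_rules() {
    # The module only sees LIST_TOT timestamps per address, so a larger
    # hitcount can never match; the kernel refuses such a rule anyway.
    if [ "$HITS" -gt "$LIST_TOT" ]; then
        echo "hitcount $HITS exceeds ip_pkt_list_tot $LIST_TOT" >&2
        return 1
    fi
    # Only SYNs to PORT reach these rules, so the list records connection
    # attempts. --rcheck just reads the list (used for logging); --update
    # also refreshes the offender's timestamp, so the block lasts as long
    # as they keep trying. The LOG rule is rate-limited to avoid log floods.
    "$IPT" -A INPUT -p tcp --dport "$PORT" --syn \
        -m recent --name "$NAME" --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 3/min -j LOG --log-prefix "IPTABLES HTTP SYN-FLOOD: "
    "$IPT" -A INPUT -p tcp --dport "$PORT" --syn \
        -m recent --name "$NAME" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Under the threshold: record this attempt and let the SYN through.
    "$IPT" -A INPUT -p tcp --dport "$PORT" --syn \
        -m recent --name "$NAME" --set -j ACCEPT
}

# Inspect the live list (older kernels: /proc/net/ipt_recent/NAME).
show_list() {
    cat "/proc/net/xt_recent/$NAME"
}

case "${1:-}" in
    reload) reload_recent ;;
    apply)  apply_rules ;;
    show)   show_list ;;
esac
```

Ordering matters: the rules are appended with -A, so they must land before any blanket ACCEPT for port 80 (or insert them with -I in reverse order, as the thread does). Reloading the module requires flushing every rule that uses -m recent first, and on an OpenVZ container the module belongs to the host kernel, so only the host can change ip_pkt_list_tot; newer kernels size the timestamp list per rule from --hitcount, so the global cap only bites on old kernels like the ones these 2012 hosts ran.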
