Can you share your switches you are using to call tcp server with this patch? Sounds nice and Would help with spam bombing as well.
-John ----- Original Message ----- From: "Devendra Singh" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, August 18, 2004 9:39 PM Subject: Re: [Qmail-scanner-general]qmail and iptables > > Check this Patch to ucspi-tcp. I have been using since many months. > http://linux.voyager.hr/ucspi-tcp/tcpserver-limits-2004-07-25.diff > > Earlier I was using tcpserver-limits-2004-01-24.diff but upgraded it to the > new version a few days back. > > I must say it's a wonderful patch to fight against Virus laden Bombing IPs. > Bravo, Matija Nalis for your wonderful patch. > > Devendra Singh > > ------------------ README.tcpserver-limits-patch -------------------- > 20040725 adds a sleep(1) before terminating (to prevent too high load from > many rapid fork()/exit() calls. It also changes the method for checking > system load to getloadavg(3) instead of parsing /proc/loadavg, therefore > making it working on *BSD and other non-Linux systems in addition to Linux. > It also adds DIEMSG="xxx" support. > > 20040327 fixes a bug in 20040124 related to MAXLOAD (it would not work > correctly when load was higher than 10.00) > > > This patch (20040725) makes tcpserver from DJB's ucspi-tcp-0.88 package (see > http://cr.yp.to/ucspi-tcp.html) to modify its behavior if some environment > variables are present. > > The variables can be preset before starting tcpserver (thus acting as > default for all connections), or, if you use 'tcpserver -x xxx.cdb', they > can be set (or overridden) from xxx.cdb. If none of the variables are set, > tcpserver behaves same as non patched version (except for negligible > performance loss). Any or all variables can be set, as soon as first limit > is reached the connection is dropped. I'd recommend using .cdb files > exclusively though, as you can then modify configuration without killing > tcpserver. > > The variables are: > > (1) MAXLOAD > maximum 1-minute load average * 100. For example, if you have line > :allow,MAXLOAD="350" > in your rules file from which you created .cdb, the connection will be > accepted only if load average is below 3.50 > For this variable to have effect, you have to have readable > '/proc/loadavg' with linux-2.4.x syntax (see the source) > > (2) MAXCONNIP > maximum connections from one IP address. tcpserver's -c flag defines > maximum number of allowed connections, but it can be abused if > just one host goes wild and eats all the connections - no other host > would be able to connect then. If you created your .cdb with: > :allow,MAXCONNIP="5" > and run tcpserver -c 50, then each IP address would be able to have at > most 5 concurrent connections, while there still could connect 50 > clients total > > (3) MAXCONNC > > maximum connections from whole C-class (256 addresses). Extension of > MAXCONNIP, as sometimes the problematic client has a whole farm of > client machines with different IP addresses instead of just one IP > address, and they all try to connect. It might have been more useful to > be able to specify CIDR block than C-class, but I've decided to KISS. > > for example tcpserver -c 200, and .cdb with: > :allow,MAXCONNC="15" > will allow at most 15 host from any x.y.z.0/24 address block, while > still allowing up to 200 total connections. > > (4) DIEMSG > > if set and one of the above limits is exceeded, this is the message > to be sent to client (CRLF is always added to the text) before terminating > connection. If unset, the connection simply terminates (after 1 sec delay) > if limit is exceeded. > > For example: > DIEMSG="421 example.com Service temporarily not available, closing > transmission channel" > > Notes: > > - if a connection is dropped due to some of those variables set, it will be > flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or > "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you > (eg. you have a strict log parsers), don't apply that chunk of the patch. > > - the idea for this patch came from my previous experience with xinetd, and > need to limit incoming bursts of virus/spam SMTP connections, since I was > running qmail-scanner to scan incoming and outgoing messages for viruses > and spam. > > When you make changes, please check that they work as expected. > > Examples (for tcprules created .cdb) > (a) 192.168.:allow,MAXLOAD="1000" > :allow,MAXCONNIP="3" > > this would allow any connection from your local LAN (192.168.*.* > addresses) if system load is less than 10.00. non-LAN connections would > be accepted only if clients from that IP address have not already opened > more than 2 connections (as your connection would be last allowed -- 3rd) > > (b) 192.168.:allow > 5.6.7.8:allow,MAXCONNIP="3" > 1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5" > :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable" > > if client connects from 192.168.*.* (ex: your LAN), it is allowed. > if it connects from 5.6.7.8 (ex: little abusive customer of yours), > it is allowed unless there are already 3active connections from 5.6.7.8 > to this service > if it connects from 1.2.*.* (ex: some problematic networks which caused > you grief in the past) it will connect only if load is less than 5.0, > there is less than 5 active connections from whole C class > (1.2.*.0/24), and if that specific IP address does not already have > connection open. > in all other cases, the client will be permitted to connect if load is > less than 10.00 and client has 2 or less connections open. If load is > higher than 10.00 or there are 3 or more connections open from this > client, the message "421 example.com unavailable" will be returned to > the client and connection terminated. > > > Any bugs introduced are my own, do not bother DJB with them. > If you find any, or have neat ideas, or better documentation, or whatever, > contact me. > > the latest version of the patch can be found at: > http://linux.voyager.hr/ucspi-tcp/ > > Enjoy, > Matija Nalis, > mnalis-tcpserver _at_ voyager.hr > ------------------ README.tcpserver-limits-patch -------------------------- > > ______________________________________________________ > Devendra Singh > IndiaMART InterMESH Limited > (Global Gateway to Indian Market Place) > B-1, Sector 8, Noida, UP - 201301, India > EPABX : +91-120-2424945, +91-120-3094634, +91-9810646342 > Fax: +91-120-2424943 > http://www.indiamart.com > http://www.indiangiftsportal.com > http://www.indiantravelportal.com > ______________________________________________________ > > > > ------------------------------------------------------- > SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media > 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 > Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. > http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 > _______________________________________________ > Qmail-scanner-general mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general > > ------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
