From owner-freebsd-questions Tue Feb 6 0:18:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rapier.smartspace.co.za (rapier.smartspace.co.za [66.8.25.34]) by hub.freebsd.org (Postfix) with SMTP id 7D25037B401 for ; Tue, 6 Feb 2001 00:18:31 -0800 (PST)
Received: (qmail 52401 invoked by uid 1001); 6 Feb 2001 08:18:15 -0000
Date: Tue, 6 Feb 2001 10:18:15 +0200
From: Neil Blakey-Milner
To: Lucas Bergman
Cc: Richard Ward , freebsd-questions@freebsd.org
Subject: Re: Limiting connections w/ ftpd
Message-ID: <20010206101815.A52096@rapier.smartspace.co.za>
References: <009d01c08f3d$f7a77de0$0101a8c0@pavilion> <20010205084218.A19317@billygoat.slb.to>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010205084218.A19317@billygoat.slb.to>; from lucas@slb.to on Mon, Feb 05, 2001 at 08:42:18AM -0600
Organization: Building Intelligence
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon 2001-02-05 (08:42), Lucas Bergman wrote:
> > I've been recently getting flooded with connections via ftp, and I
> > was wondering how to limit ftp connections per IP address to stop
> > "connection floods" from a single host name. I can't find much
> > documentation on the standard FreeBSD "ftpd" that explains how this
> > would be done.
>
> ftpd doesn't know how many simultaneous connections are being made,
> since each ftpd only handles one connection; inetd handles the
> starting of multiple daemons. Stock inetd does not have a facility
> for concurrency limits. You'll have to use /TCP Wrappers/ or
> /ucspi-tcp/; they're both in ports. I've used /ucspi-tcp/ with good
> results.

While ucspi-tcp is often my preferred solution, you're wrong about
FreeBSD's inetd; it can do concurrency and time-based limits.

From the inetd man page:

     -c maximum
             Specify the default maximum number of simultaneous invocations
             of each service; the default is unlimited. May be overridden
             on a per-service basis with the "max-child" parameter.

     -C rate
             Specify the default maximum number of times a service can be
             invoked from a single IP address in one minute; the default is
             unlimited. May be overridden on a per-service basis with the
             "max-connections-per-ip-per-minute" parameter.

     -R rate
             Specify the maximum number of times a service can be invoked
             in one minute; the default is 256. A rate of 0 allows an
             unlimited number of invocations.

and...

     The maximum number of outstanding child processes (or ``threads'') for
     a ``nowait'' service may be explicitly specified by appending a ``/''
     followed by the number to the ``nowait'' keyword.

and...

     You can also specify the maximum number of connections per minute for
     a given IP address by appending a ``/'' followed by the number to the
     maximum number of outstanding child processes. Once the maximum is
     reached, further connections from this IP address will be dropped
     until the end of the minute.

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org
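The per-service syntax quoted from the man page, applied to the ftp entry that the original question was about. This is an added example, not part of Neil's mail; the stock FreeBSD inetd.conf ftp line, the rc.conf inetd_flags variable and the limit values are assumptions chosen for illustration.

```conf
# /etc/inetd.conf: the stock ftp entry (assumed), with no limits at all,
# which is inetd's own default and what lets one host flood the service
#ftp    stream  tcp     nowait          root    /usr/libexec/ftpd       ftpd -l

# Same entry with limits appended to the "nowait" keyword:
#   nowait/20    -> at most 20 outstanding ftpd children for this service
#                   (the per-service "max-child")
#   nowait/20/5  -> ... and at most 5 invocations per minute from any single
#                   IP address; once 5 is reached, further connections from
#                   that address are dropped until the end of the minute
#                   (the per-service "max-connections-per-ip-per-minute")
# The per-IP figure is what answers the single-host flood; the child limit
# on its own could be used up entirely by that one host.
ftp     stream  tcp     nowait/20/5     root    /usr/libexec/ftpd       ftpd -l

# /etc/rc.conf (assumed variable): defaults for every inetd service,
# overridden by the per-line values above. -C 60 = 60 connections per IP
# per minute, -c 30 = 30 simultaneous children per service.
inetd_flags="-wW -C 60 -c 30"
```

inetd re-reads inetd.conf when sent a SIGHUP, so the new limits take effect without restarting the listening sockets.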