From 047e9849808934423322a90560647474f184e30b Mon Sep 17 00:00:00 2001 From: Priit Tark Date: Wed, 20 May 2015 18:40:09 +0300 Subject: [PATCH] Added rate limit config and script --- CHANGELOG.md | 4 +++ doc/debian_build_doc.md | 77 ++++++++++++++++++++++++++++++----------- 2 files changed, 61 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 99a486683..55311ed1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +20.05.2015 + +* Added documentation how to configure linux firewall about rate limits, scirpts and more info at doc/debian_build_doc.md + 19.05.2015 * Added possibility to define NewRelic app_name at application.yml file with 'new_relic_app_name' attribute. diff --git a/doc/debian_build_doc.md b/doc/debian_build_doc.md index c05814d0e..e2e604d92 100644 --- a/doc/debian_build_doc.md +++ b/doc/debian_build_doc.md 
@@ -40,28 +40,65 @@ Please install following lib, otherwise your bundler install might not be succes git pull origin master -### Using babushka autoscripts +### Firewall rate limit config -Alternatively you can build servers up using scripts such as babushka. +First increase the maximum possible value for the hitcount parameter +from its default value of 20 by setting the option +ip_pkt_list_tot of the xt_recent kernel module. +This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains: -You can use or find ideas how to build up production servers using -sysadmin tool [Babushka](https://github.com/benhoskings/babushka). +```` +options xt_recent ip_pkt_list_tot=100 +```` -Unofficial build scripts locate at: https://github.com/priit/babushka-deps -Those scripts are not dedicated to Registry, but more focuse on general -Ruby on Rails application deployment in various situatians. -Please fork and customize dedicated to your system. - -Quick overview, how to use it. -Use 'registry' for username and app name when asked. - - # on server side - apt-get install curl - sh -c "`curl https://babushka.me/up`" - babushka priit:app_user - babushka priit:app - -Please inspect those scripts before running anything, -they might not be complete or might have serious bugs. You are free to fork it. +Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system. 
+#### Registrar, REPP, Restful-whois + +```` +#!/bin/bash +# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ +IPT=/sbin/iptables +# Max connection in seconds +SECONDS=60 +# Max connections per IP +BLOCKCOUNT=100 +# default action can be DROP or REJECT +DACTION="REJECT" +$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set +$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} +```` + +#### EPP + +```` +#!/bin/bash +# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ +IPT=/sbin/iptables +# Max connection in seconds +SECONDS=60 +# Max connections per IP +BLOCKCOUNT=100 +# default action can be DROP or REJECT +DACTION="REJECT" +$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set +$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} +```` + +#### Whois + +```` +#!/bin/bash +# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/ +IPT=/sbin/iptables +# Max connection in seconds +SECONDS=60 +# Max connections per IP +BLOCKCOUNT=100 +# default action can be DROP or REJECT +DACTION="REJECT" +$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set +$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} +```` +
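Review bot: For the CHANGELOG hunk, the new 20.05.2015 entry has a typo ("scirpts" for "scripts") and the sentence is ungrammatical; suggest "Added documentation on how to configure the Linux firewall for rate limiting, including scripts, in doc/debian_build_doc.md".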
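Review bot: For the debian_build_doc.md hunk, the directory in "creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/" is misspelled; it must be `/etc/modprobe.d/`, otherwise modprobe never reads the file, `ip_pkt_list_tot` stays at its default of 20 and every `--hitcount ${BLOCKCOUNT}` rule with BLOCKCOUNT=100 is refused by iptables when the script runs, since hitcount may not exceed ip_pkt_list_tot. In the three scripts, `SECONDS=60` assigns to the bash built-in that counts seconds since the shell started (assignment only resets the counter), so `${SECONDS}` in the `--update` rule can already read 61 by the time it is expanded; use a plain name such as `WINDOW=60` and fix the comment ("Max connection in seconds" should read "time window in seconds"). The three blocks are identical apart from the port (80, 700, 43), so one script with a `for PORT in 80 700 43` loop, or a port argument, would be easier to keep consistent than three copies of the same eight lines. Two documentation points should be added next to the scripts: `-A` appends on every run, so executing a script twice installs duplicate rules (a `-C` check before `-A`, or flushing the chain first, avoids that), and iptables rules are not persistent across reboot on Debian unless saved (for example with iptables-persistent), so the reboot mentioned for the kernel module will also drop these rules. Minor: `eth0` is hard-coded, `-m state --state NEW` is the deprecated spelling of `-m conntrack --ctstate NEW`, and the hunk deletes the Babushka section outright rather than relocating it, which is fine if intended but worth stating in the commit message.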