zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-05-17 09:57:23 +02:00
Code Issues Projects Releases Packages Wiki Activity
internetee-registry/doc/debian_build_doc.md
Priit Tark 85b4a7e190 Iptables syntax fix #2348
2015-06-18 13:11:55 +03:00

124 lines
4.7 KiB
Markdown
Raw Blame History

System build
------------
All systems should run on Debian 7 or newer,
however officially Debian 7 is supported and tested.
### Manual build
* Consider using [RBENV](https://github.com/sstephenson/rbenv)
* Compile requried [ruby version](https://github.com/internetee/registry/blob/master/.ruby-version)
* [Phusion passenger](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html)
* [Postgresql](http://www.postgresql.org/docs/)
Registry application is not tested with multi-threaded system (such as Puma) and
it's not officially supported. Please use multi-process system instead (Passenger, Unicorn, Mongrel)
Use Phusion Passenger [official debian packages](https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#install_on_debian_ubuntu) NB! Passenger runtime does not depend on ruby version, thus you can use multiple different ruby version apps with same passenger install.
We also recommend to investigate
[Passenger Optimization Guide](https://www.phusionpassenger.com/documentation/ServerOptimizationGuide.html) for proper configuration.
### For building gem libs
Please install following lib, otherwise your bundler install might not be successful.
sudo apt-get install libxml2-dev
### RBENV install
cd /home/registry
git clone https://github.com/sstephenson/rbenv.git /home/registry/.rbenv
git clone https://github.com/sstephenson/ruby-build.git /home/registry/.rbenv/plugins/ruby-build
### RBENV upgrade
cd .rbenv
git pull origin master
cd plugins/ruby-build
git pull origin master
### Firewall rate limit config
First increase the maximum possible value form 20 to 100 of the hitcount parameter.
ip_pkt_list_tot of the xt_recent kernel module.
This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains:
````
options xt_recent ip_pkt_list_tot=100
````
Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system.
#### Registrar, REPP, Restful-whois
````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Max connection in seconds
SECONDS=60
# Max connections per IP
BLOCKCOUNT=100
# default action can be DROP or REJECT or something else.
DACTION="REJECT"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
````
#### Whois
````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Max connection in seconds
SECONDS=60
# Max connections per IP
BLOCKCOUNT=100
# default action can be DROP or REJECT or something else.
DACTION="REJECT"
$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
````
#### EPP
Iptables hitcounter is updated by application.
````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Registrar handler
REGISTRAR_CODE="test"
# Max connection in seconds
SECONDS=60
# Max connections per IP
BLOCKCOUNT=100
# Source specification. Address can be either a network name, a hostname, a network IP address
# (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule
# is submitted to the kernel. Please note that specifying any name to be resolved with
# a remote query such as DNS is a really bad idea. The mask can be either a network mask or
# a plain number, specifying the number of 1's at the left side of the network mask.
# Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before
# the address specification inverts the sense of the address.
# The flag --src is an alias for this option. Multiple addresses can be specified,
# but this will expand to multiple rules (when adding with -A),
# or will cause multiple rules to be deleted (with -D).
REGISTRAR_HANDLE_SOURCE="x.x.x.x"
# default action can be DROP or REJECT or something else.
DACTION="REJECT"
$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 700 -s $REGISTRAR_HANDLE_SOURCE -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount ${BLOCKCOUNT} --seconds ${SECONDS} -j ${DACTION}
````
After adding iptable counters, please add correct permissions to proc files at path /proc/net/xt_recent
Example command:
````
sudo chown registry /proc/net/xt_recent/*
````
Reference in a new issue View git blame Copy permalink