Limit Number of Connections from an IP

One of the problems you can sometimes face with a website is people mirroring your site or search bots excessively connecting to you.  This is very easy to fix by limiting the number of connections an IP address is allowed to make.

To do this you just need to install the mod_limitipconn Apache module.  If you are using Fedora or CentOS you can easily install this module through yum:

yum install mod_limitipconn

Once it is installed it is very easy to configure. You need to add the following line to your httpd.conf file:

LoadModule limitipconn_module modules/mod_limitipconn.so

Then you just need to add in the settings for the module.  I have included some samples below:

<IfModule mod_limitipconn.c>
<Location />
MaxConnPerIP 3
NoIPLimit image/*
NoIPLimit application/javascript
</Location>
<Location /phpmyadmin/*>
NoIPLimit *
</Location>
</IfModule>

The above settings consist of two parts: the location and then the settings for that location. What is really nice is that you can say certain folders are allowed more connections than others. This is very important now that most browsers use multiple threads to download a single page. This means that for a normal person to connect and view your website the browser may establish multiple connections.

In the above example you will see that I set the location to “/” (which means the entire site), then I say there is a MaxConnPerIP of 3, so I only want a max of three connections at a time from a single IP. The next thing you will see is NoIPLimit image/* and NoIPLimit application/javascript. Without these two settings multi-threaded browsers have a lot of problems loading pages, since they often open up a connection for each of these content types plus one for the regular text on the site. The other thing to keep in mind when doing this is that NoIPLimit is looking for a MIME type and not a path.

Now the other thing you may want to do is set a section of the website where there will be no limit at all. This is done again by setting the location (the example I used was phpmyadmin) and then saying NoIPLimit on any file type.
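Before settling on a MaxConnPerIP value it helps to see how many connections each client currently holds. The script below is an added example, not part of the original post: it reads `ss -tn` style output on stdin and lists clients above a candidate limit. The sample lines are constructed, and counting sockets is an assumption of this example that only approximates what the module counts.

```shell
#!/bin/sh
# Added example: list clients whose established connections to the web
# ports exceed a candidate MaxConnPerIP value.

# over_limit LIMIT -- reads `ss -tn` output on stdin, prints "count ip"
over_limit() {
    awk -v limit="$1" '
    $1 == "ESTAB" && $4 ~ /:(80|443)$/ {
        peer = $5
        sub(/:[0-9]+$/, "", peer)      # drop the client port
        gsub(/^\[|\]$/, "", peer)      # drop IPv6 brackets
        sub(/^::ffff:/, "", peer)      # IPv4-mapped IPv6 -> plain IPv4
        count[peer]++
    }
    END { for (ip in count) if (count[ip] > limit) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample (documentation address ranges), not real traffic.
sample_ss() {
    cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port        Peer Address:Port
ESTAB     0      0      192.0.2.10:80             198.51.100.7:51001
ESTAB     0      0      192.0.2.10:80             198.51.100.7:51002
ESTAB     0      0      192.0.2.10:443            198.51.100.7:51003
ESTAB     0      0      [::ffff:192.0.2.10]:443   [::ffff:198.51.100.7]:51004
ESTAB     0      0      192.0.2.10:80             203.0.113.9:40211
ESTAB     0      0      192.0.2.10:443            203.0.113.9:40212
TIME-WAIT 0      0      192.0.2.10:80             203.0.113.9:40213
ESTAB     0      0      192.0.2.10:22             203.0.113.9:40300
ESTAB     0      0      192.0.2.10:8080           203.0.113.9:40301
EOF
}

# Same threshold as MaxConnPerIP 3 in the post.
sample_ss | over_limit 3
```

On a live server the input would come from `ss -tn` instead of the sample function.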


Stopping DOS Attacks with Mod_Evasive

DOS attacks are becoming very common these days. There are many different levels of DOS attack, and monitoring your system and trying to prevent them all can be a full-time job. However, for the casual user you can easily add some basic DOS protection without much effort, especially if you are using Fedora or CentOS.

Fedora and CentOS both have mod_evasive in their main repositories so to install this you just need to run:

yum install mod_evasive

This mod comes basically ready to run without any modification. I like to make a couple of changes to the settings so I can receive notices when a block is taking place. To do this you just need to go to your apache conf.d directory and edit the mod_evasive.conf file. To receive email notifications when someone is blocked just enter your email address in the field DOSEmailNotify. All of the other settings are fine the way they are.


Easily Upgrade Fedora

One of the downsides to using Fedora is that every six months there is another major release.  This can be annoying to keep up with but luckily Fedora has made it easy with the preupgrade command.

All you need to do is type in preupgrade at the command line interface and you will have a program pop-up on the screen which will upgrade your entire system automatically.


Clean-up Pacman

In Arch whenever you install a package it is downloaded to your system. This makes perfect sense because how else are you going to install it… What most people don’t realize is that those packages stay on the system forever unless you purge them.

This can be nice sometimes, especially if you want to re-install a package which you previously removed.

Purging your packages once in a while will free up a lot of space on your machine and it will help to keep your system clean. To purge the copies pacman keeps just run the following command and say yes to both questions:

pacman -Sc


Apache’s Built in Server-Status Screen

Apache has a built-in server-status screen. This gives you a rundown of what is going on with your Apache server. This can be very useful but it can also be dangerous if the wrong person was able to view it. As long as you set up this ability correctly you can limit who can view the page.

The first thing to do is to make sure mod_status is enabled on your server. To do this you need to edit your httpd.conf file and make sure you have the following line:

LoadModule status_module modules/mod_status.so

The next thing you need to do is add the configuration to turn on the module. You can add this to your httpd.conf file or go into your conf.d directory and add a file there with a .conf extension:

<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Location>

This will allow you to only access the Apache server-status page by going to “http://<url or ip of your server>/server-status”.  Leaving the settings the way they are above you would only be able to view the server-status page on the machine itself.  If you wanted you could add in another IP address by either changing the Allow line or adding a second one like the example below.

<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1.2
</Location>
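To check that the restriction described above is really in place, the script below reports every Location block that enables server-status and which addresses it admits. It is an added example, not part of the original post: a text heuristic rather than a full Apache parser, run here on a constructed sample config. It also recognizes the Apache 2.4 `Require` forms, which the post does not use.

```shell
#!/bin/sh
# Added example: report which <Location> blocks enable server-status
# and whether access to them is restricted.

# audit_status [FILE...] -- reads Apache config text, prints per block:
#   "<path> RESTRICTED <allowed list>"  or  "<path> OPEN"
audit_status() {
    awk '
    function add(i) { while (i <= NF) { allowed = allowed (allowed == "" ? "" : ",") $i; i++ } }
    { d = tolower($1); a2 = tolower($2); a3 = tolower($3) }
    d ~ /^<location/ {                       # start of a block
        loc = $2; sub(/>$/, "", loc)
        inblock = 1; status = 0; deny = 0; allowall = 0; allowed = ""
        next
    }
    d ~ /^<\/location/ && inblock {          # end of a block: report it
        if (status && deny && !allowall) print loc, "RESTRICTED", (allowed == "" ? "none" : allowed)
        else if (status) print loc, "OPEN"
        inblock = 0
        next
    }
    !inblock || d ~ /^#/ { next }
    d == "sethandler" && a2 == "server-status" { status = 1 }
    d == "deny"    && a3 == "all" { deny = 1 }                          # 2.2 style
    d == "allow"   && a3 == "all" { allowall = 1 }
    d == "allow"   && a3 != "all" { add(3) }
    d == "require" && a2 == "all" && a3 == "granted" { allowall = 1 }   # 2.4 style
    d == "require" && (a2 == "ip" || a2 == "host") { deny = 1; add(3) }
    d == "require" && a2 == "local" { deny = 1; add(2) }
    ' "$@"
}

# Constructed sample: the block from the post, an unrestricted handler,
# and a 2.4-style block. The /status and /status24 paths are hypothetical.
sample_conf() {
    cat <<'EOF'
<Location /server-status>
SetHandler server-status
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1.2
</Location>
<Location /status>
SetHandler server-status
</Location>
<Location /status24>
    SetHandler server-status
    Require local
</Location>
EOF
}

sample_conf | audit_status
```

Pass real files as arguments, for example `audit_status /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf`; any block reported as OPEN is worth reviewing.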
