Recently, I encountered a server with intermittent connection problems. looking in /var/log/messages, I found scrolling lines of the following message:
ip_conntrack: table full, dropping packet
A quick google search revealed that the server keeps track of connections through a kernel module called ‘ip_conntrack’. Basically, this module keeps track of the number of connections and if there are too many, starts droppong connection attempts afterwards. If you manage to get onto the console of your box. You can check to see if the table is full by running the following:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
Next check to see what the maximum number of connections is set to by running the following:
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
ip_conntrack_max is set to the total MB of RAM installed multiplied by 16. So looking at this example, we only have 512M of memory. To fix this issue, you merely have to raise the limit. You can raise the limit with the following command:
# sysctl net.ipv4.netfilter.ip_conntrack_max=65535
Of course, if you reboot the system, the max will be reset to what you had it. In order to make it permanent you will need to add it to /etc/sysctl.conf.
No Comments »
If you are using SSH then you will sooner or later notice someone trying to hack into your box using dictionary attacks. You can use the iptables module recent to limit a minimum time between new connections from the same IP.
To make this work, you should have this commonly used rule (this allows previously established connections and is a normal rule in most firewalls):
iptables -A INPUT -j ACCEPT -p tcp ! –syn -s 0/0 -d (outer ip/net)
Now, to set the limit
iptables -A INPUT -p tcp -i eth0 -m state –state NEW –dport 22 -m recent –update –seconds 15 -j DROP
iptables -A INPUT -p tcp -i eth0 -m state –state NEW –dport 22 -m recent –set -j ACCEPT
These two rules makes iptables require 15 seconds between new connections from the same IP on port 22 (the SSH port). Use ACCEPT instead if you are using a firewall that has itâ€™s own rule for accepting ssh.
Another way of limiting dictionary attacks is to limit using -m limit â€“limit like this:
iptables -A INPUT -p tcp –dport ssh -m limit –limit 3/minute –limit-burst 2 -j ACCEPT
This rule does the trick of setting a limit of 3 connectoins pr minute, but the first two connections will
exhaust the limit-burst, so the rule effectively limits the connection attempt rate to 1/minute.
One final example:
iptables -A INPUT -p tcp -m tcp –dport 22 -m recent –update –seconds 60 –hitcount 5 –rttl –name SSH –rsource -j DROP
No Comments »