Hi, Derek, Thanks for your suggestions. However, this is not exactly what I want. The service is running in the server. Users can only connect to the server using an assigned TCP port and a password. This service using port/password to identify a user. Different users will get different ports and their own unique password. For example, user A will connect to port 8001 using password "testpassword". User B will connect to port 8002 using password "testpassword2". Every user has to pay a fee to use the service. This works very well if no user shares port/password with other people. To reduce this passowrd/port sharing issue, I propose to limit the number of ip addresses connected to a port. If a user A (assigned port 8010) shares his/her password with a person C, user A can connect to port 8010 and use the service. If at the same time the person C tries to connect to port 8010 from another ip address. the firewall should decline the new connection. I also check the connections and I see one user can have many connections to the assigned port at the same time. So, I cannot use the number of active connections on a port to solve this issue. The only thing I can think about is using IP address. I think video service providers like hulu and netflix face the same issue. But, I don't know how they deal with the password sharing issue.
I hope I explained the issue clearly. BTW, I don't have the source code of the service, so I cannot change the service itself. Thanks a lot! Tom On Wed, Nov 1, 2017 at 10:54 AM, Derek Atkins <[email protected]> wrote: > Tom, > > Tom Luo <[email protected]> writes: > > > Yes. I want only one IP gets access to the service. However, I don't own > > this application and I don't have the source code. That is why I can only > > using firewall to handle it. > > If there is no software capable to handle this, I am thinking about > writing > > a shell script to do it myself. > > Just so I understand: You have a service running on a server which > *anyone* can use. But once *someone* is using it, further connections > can only come from that single IP address. And then, once all > connections drop again (i.e., nobody is using the service), then it > opens up to anyone on any IP address again until someone else connects? > > Do I have this right? > > If so, I'm honestly not sure how to do this outside the application > itself. You MIGHT be able to do it with tcp_wrappers with some state on > the machine for the number of open connections. > > Another option is that you MIGHT be able to do this with something like > fail2ban + firewalld. Every time there is a first-time connection then > you add a firewall rule that limits access to only that IP address, and > then once the user "logs out" you remove that restriction. Of course > you would need to ensure that the connection/disconnection get logged > properly, and you'd need to write the fail2ban scripts. > > If you cannot modify the application itself then this might be > challenging to get all the connect/disconnect messages to properly line > up. > > > Thanks, > > -derek > > -- > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory > Member, MIT Student Information Processing Board (SIPB) > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH > [email protected] PGP key available > _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
