Re: limit connections
Hi Shawn, Am Freitag, den 23.12.2016, 16:01 + schrieb Shawn Bakhtiar via Info-cyrus: > Well... you really should take this to the Ubuntu iptables; Start > there and they may be able to give you a better mail list that deals > specifically with iptables: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-users > > > Having said that you don't necessarily need to use > the iptables-extensions --rsource option, you can just use --limit > which is in the standard iptables. This is a debian example but works > for any iptables based system: > https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections > > > However, I digress, back to the topic at hand, doing this, is going to > send the users client (based on the client) into a tif. It's going to > assume the server has gone down and warn the user about a lost > connection, I imaging a user who is unwilling to change his pop > interval is going to be even more pissed at having his client pop up > with connection lost messages. > > > IMHO it would be far more professional to first implement a rule > change (update their agreement, or make a corporate policy change) > than inform users not following those policies/agreements that if they > don't comply their accounts will be disabled. This is not only good > corporate governance but it is also non-discriminatory, which means > the offending user is far less likely to be mad, and far more > embarrassed that it had to come to this. > > > Doing what your trying to do, is going to make it look like your > servers are not working. The user may not understand why every so > often the client complains that the connection to the server is not > working, and in fact may result in breach of contract/policy if no > previous policy/agreement has been put into place regarding the issue. > Thanks for time. I definitely agree to your arguments and I'm on not that kind of BOFH, who harms users. But if you ask over weeks to stop that nonsense and the user reduces the interval from 30 seconds to 2 seconds, it's time to play a harder game. And yes, there is an contract, which allows me to disable accounts or block connections, if a user harms, attacks or penetrates the system. Technically the client is an exchange server using popcon to fetch emails. So I guess they will have some errors in log files of their wild running box, if I block new established connections in between. Happy Christmas to all, have a good time and hope to read you next year! Cheers, Marcus Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
Re: limit connections
Well... you really should take this to the Ubuntu iptables; Start there and they may be able to give you a better mail list that deals specifically with iptables: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users Having said that you don't necessarily need to use the iptables-extensions --rsource option, you can just use --limit which is in the standard iptables. This is a debian example but works for any iptables based system: https://debian-administration.org/article/187/Using_iptables_to_rate-limit_incoming_connections However, I digress, back to the topic at hand, doing this, is going to send the users client (based on the client) into a tif. It's going to assume the server has gone down and warn the user about a lost connection, I imaging a user who is unwilling to change his pop interval is going to be even more pissed at having his client pop up with connection lost messages. IMHO it would be far more professional to first implement a rule change (update their agreement, or make a corporate policy change) than inform users not following those policies/agreements that if they don't comply their accounts will be disabled. This is not only good corporate governance but it is also non-discriminatory, which means the offending user is far less likely to be mad, and far more embarrassed that it had to come to this. Doing what your trying to do, is going to make it look like your servers are not working. The user may not understand why every so often the client complains that the connection to the server is not working, and in fact may result in breach of contract/policy if no previous policy/agreement has been put into place regarding the issue. On Dec 23, 2016, at 5:06 AM, Marcus Schopen via Info-cyrus> wrote: Hi Bron, I have a user, who logs in every 3 seconds(!) to pop3s with 20 accounts, completely resistent to change his pop interval. I'd like to limit him in the way to allow 20 new connections within 5 minutes, then block his IP for 5 minutes (he is using a static IP) and open the port after five minutes again. I tried the following rule, but that opens the port only if the client keeps quiet and doesn't connect while the block is set. Example: iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -m recent --set --name pop3s --rsource iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 20 --name pop3s --rsource -j REJECT --reject-with icmp-port-unreachable I know this is off topic and not cyrus specific, but any help would be great. cyrus: 2.4.17 on Ubuntu 14.04 LTS. Ciao Marcus Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
limit connections
Hi Bron, I have a user, who logs in every 3 seconds(!) to pop3s with 20 accounts, completely resistent to change his pop interval. I'd like to limit him in the way to allow 20 new connections within 5 minutes, then block his IP for 5 minutes (he is using a static IP) and open the port after five minutes again. I tried the following rule, but that opens the port only if the client keeps quiet and doesn't connect while the block is set. Example: iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -m recent --set --name pop3s --rsource iptables -A INPUT -p tcp -m tcp --dport 995 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 20 --name pop3s --rsource -j REJECT --reject-with icmp-port-unreachable I know this is off topic and not cyrus specific, but any help would be great. cyrus: 2.4.17 on Ubuntu 14.04 LTS. Ciao Marcus Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus