[ATrpms-users] dl.atrpms.net connection problems
Axel Thimm
Axel.Thimm at ATrpms.net
Wed Oct 24 16:59:42 CEST 2007
On Thu, Oct 25, 2007 at 12:44:48AM +1000, Jean-Yves Avenard wrote:
> Hi
>
> On 10/25/07, Axel Thimm <Axel.Thimm at atrpms.net> wrote:
> >
> > Yes, this IP was blocked for about 12h. It opened up 31 simultaneous
> > TCP/IP connections. :/
> >
> > I raised the bar at 40 connections, let's see if that helps.
>
> 31? when all I ran was yum install mythtv-suite ???
>
> Could this be an issue with the http server which leaves connections
> open for a while rather than closing them instantly? I've seen this
> happening before and read tweaks on apache to prevent this...
No, that shouldn't be the case as I'm grepping away connections in
WAIT state (e.g. the connections that are in keepalive mode). Unless
my filtering is flawed somewhere. You can also test on the client side
by grepping the output of netstat.
> out of interest, which tool are you using to find IPs with too many active connections?
Tool? Hm, it's the following "tool" :)
(I removed some internal IPs and replaced them with XXXX)
#! /bin/sh
# Assumes the INPUTBLOCK chain already exists and INPUT jumps to it.
# Make sure the state files exist so the first pass does not fail on
# cp/grep -f of a missing file.
touch /etc/blockedhosts /etc/blockedhosts.plain /etc/whitelist
while /bin/true; do
/bin/cp -a /etc/blockedhosts /etc/blockedhosts.old
# Pass 1: per-client count of connections to port 80, TIME_WAIT excluded;
# clients with 40 or more are appended as "ip count unix-timestamp"
# (the two grep -v lines drop counts of 1-9 and 10-39).
netstat -pan | grep -E 'XXXX:80' | grep -v TIME_WAIT | awk '{print $5}' \
| sed -e's,:[^:]*$,,' -e's,.*:,,' | sort | uniq -c | sort -n \
| grep -v '^ *[0-9] ' \
| grep -v '^ *[0-3][0-9] ' \
| awk '{print $2 " " $1 " " '`date +%s`'}' \
| grep -vf /etc/blockedhosts.plain \
>> /etc/blockedhosts
# Pass 2: same count with TIME_WAIT included, threshold 70 or more.
netstat -pan | grep -E 'XXXX:80' | awk '{print $5}' \
| sed -e's,:[^:]*$,,' -e's,.*:,,' | sort | uniq -c | sort -n \
| grep -v '^ *[0-9] ' \
| grep -v '^ *[0-6][0-9] ' \
| awk '{print $2 " " $1 " " '`date +%s`'}' \
| grep -vf /etc/blockedhosts.plain \
>> /etc/blockedhosts
# Newest entries first, one line per IP, whitelisted IPs removed, capped at
# 30 so the oldest blocks fall off the end. ("sort -u" with these keys would
# dedupe on timestamp and count and could silently drop a different IP.)
sort -k3,3nr -k2,2n < /etc/blockedhosts | awk '!seen[$1]++' | grep -vf /etc/whitelist | head -30 > /etc/blockedhosts.new
mv -f /etc/blockedhosts.new /etc/blockedhosts
awk '{print $1}' < /etc/blockedhosts > /etc/blockedhosts.plain
# Rebuild the DROP rules from the current list.
iptables -F INPUTBLOCK
for host in `awk '{print $1}' < /etc/blockedhosts` ; do
iptables -A INPUTBLOCK -s $host -p tcp --dport 80 -j DROP
done
# Show what changed in this round.
diff -dU0 /etc/blockedhosts.old /etc/blockedhosts
sleep 10
done
--
Axel.Thimm at ATrpms.net
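The counting step from the script above, as an added example that is not part of the original mail or of ATrpms: the per-client connection count is wrapped in a function (count_clients, a name chosen here) and run over constructed netstat -pan output with addresses from documentation ranges, so the effect of excluding or including TIME_WAIT sockets, the point under discussion in the thread, can be checked without a live server.

```shell
#!/bin/sh
# Added example, not the script from the post: the same per-client connection
# count as a reusable function, run over constructed netstat -pan output so the
# effect of excluding or including TIME_WAIT sockets can be checked offline.

# Constructed sample in "netstat -pan" layout; all addresses are documentation
# ranges, not real hosts.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      TIME_WAIT   -
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED 1234/httpd
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       TIME_WAIT   -
tcp        0      0 192.0.2.10:80           203.0.113.5:40003       TIME_WAIT   -
tcp        0      0 192.0.2.10:22           198.51.100.7:60000      ESTABLISHED 999/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/httpd
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:51300 ESTABLISHED 1234/httpd'

# count_clients LOCAL_IP:PORT THRESHOLD [yes]
# Reads netstat output on stdin and prints "ip count" for every remote IP
# holding at least THRESHOLD TCP connections to LOCAL_IP:PORT. TIME_WAIT
# sockets are ignored unless the third argument is "yes" (the post's second
# pass). Only IPv4 and IPv4-mapped IPv6 peers are handled, like the original.
count_clients() {
    awk -v local="$1" -v thr="$2" -v keeptw="${3:-no}" '
        $1 !~ /^tcp/ { next }                         # headers, udp, unix sockets
        $6 == "TIME_WAIT" && keeptw != "yes" { next } # closed by us, not a live client
        {
            l = $4; sub(/^::ffff:/, "", l)            # unmap IPv4-mapped IPv6
            if (l != local) next                      # only the service we watch
            ip = $5; sub(/:[^:]*$/, "", ip)           # strip the remote port
            sub(/.*:/, "", ip)                        # strip any ::ffff: prefix
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' | sort
}

# Same data, two views: without TIME_WAIT only 198.51.100.7 reaches 3;
# with TIME_WAIT counted, 203.0.113.5 reaches 3 as well.
echo "live connections >= 3:"
printf '%s\n' "$SAMPLE" | count_clients 192.0.2.10:80 3
echo "including TIME_WAIT >= 3:"
printf '%s\n' "$SAMPLE" | count_clients 192.0.2.10:80 3 yes
```

On a real box replace the SAMPLE pipe with `netstat -pan | count_clients XXXX:80 40` (or `ss -tan`, whose column layout differs). Sockets in TIME_WAIT belong to connections the server has already closed, so a client that reuses a keepalive connection properly shows up once; a client that opens a fresh connection per request shows up once per live connection, which is what the blocker is meant to catch.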