Mailinglist Archive: proxy-suite (11 mails)
Re: [proxy-suite] ForkLimits?
- From: Marius Tomaschewski <mt@xxxxxxx>
- Date: Mon, 24 Jul 2000 10:13:57 +0000 (UTC)
- Message-id: <20000724121134.A2622@xxxxxxx>
On Fri, Jul 21, 2000 at 12:25:28PM +0200, Lukas Zapletal wrote:
> Sometimes ftp-proxy (transparent version) logs me off the server. In the log
> I have found several messages:
>
> ftp-proxy [17506] <07/21-12:23:16> USER-ERR reject: '172.20.1.206'
> (ForkLimit 40)
>
> What does it mean? I didn't set any limit and the user from 206 was only scanning
> ports on our server...
Add i.e. "ForkLimit 128" to the /etc/proxy-suite/ftp-proxy.conf.
It's an undocumented feature.... see also MaxClients (default=64).
==> ftp-daemon.c:
#define MAX_FORKS       40      /* Default fork-resource-limit */
        /*
        ** Check whether to limit the number of incoming
        ** client connections per minute. Use half values
        ** each to avoid "neighborhood effects". This is
        ** effectively a Denial of Service prevention.
        */
        if ((cnt = config_int(NULL, "ForkLimit", MAX_FORKS)) > 0) {
                slice = time(NULL) / (FORK_INTERVAL / 2);
                if (slice != last_slice) {
                        last_slice = slice;
                        last_count = 0;
                }
                if (++last_count >= (cnt / 2)) {
                        close(sock);
                        syslog_write(U_ERR,
                                "reject: '%s' (ForkLimit %d)",
                                peer, cnt);
                        return;
                }
        }
Regards,
Marius Tomaschewski <mt@xxxxxxx>
--
SuSE GmbH, Buero Hamburg -- Product and Tool Developement
PGP public key available: http://www.suse.de/~mt/mt.pgp
Fprint: EA 1F 92 75 1A F9 82 07 A1 28 DE 7A 32 E8 97 18
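
Added example, not part of the original mail or of the proxy-suite sources: a stand-alone replay of the check quoted above, showing how many connections one half-interval admits for a given ForkLimit. FORK_INTERVAL = 60 is an assumption taken from the comment's "per minute"; fork_limiter, fork_limit_accept and accepted_in_burst are hypothetical names.

```c
#include <stdio.h>
#include <time.h>

#define FORK_INTERVAL 60   /* assumption: the excerpt's comment says "per minute" */
#define MAX_FORKS     40   /* default shown in the excerpt */

/* Limiter state; the excerpt keeps the same two values. */
struct fork_limiter {
    time_t last_slice;
    int    last_count;
};

/* Same decision as the excerpt: returns 1 to accept, 0 to reject.
 * 'now' is a parameter so the behaviour can be replayed deterministically. */
int fork_limit_accept(struct fork_limiter *fl, int cnt, time_t now)
{
    time_t slice;

    if (cnt <= 0)
        return 1;                       /* limit disabled */
    slice = now / (FORK_INTERVAL / 2);
    if (slice != fl->last_slice) {      /* new half-interval: reset the counter */
        fl->last_slice = slice;
        fl->last_count = 0;
    }
    return ++fl->last_count < (cnt / 2);
}

/* Replay 'n' connections arriving within the same second; count the accepted. */
int accepted_in_burst(int cnt, int n, time_t now)
{
    struct fork_limiter fl = { (time_t)-1, 0 };
    int i, ok = 0;

    for (i = 0; i < n; i++)
        ok += fork_limit_accept(&fl, cnt, now);
    return ok;
}

int main(void)
{
    /* Constructed input: a burst of 50 connections at t=1000. */
    printf("ForkLimit %d:  %d of 50 accepted\n", MAX_FORKS,
           accepted_in_burst(MAX_FORKS, 50, 1000));
    printf("ForkLimit 128: %d of 50 accepted\n",
           accepted_in_burst(128, 50, 1000));
    return 0;
}
```

In the excerpt the counter is not keyed by peer address, so a burst from one host uses up the budget of every client in that half-interval.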