Thursday, March 14, 2013

counting connections to my server and limit connections by IP

Today I was informed by Amazon that I was being hacked. : - o

I learned to count the connection that where being made to my server with a very pretty command:

sudo netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

There were some 'mean' Indonesians and Slovakians opening a lot of connection to my server, so the output of the command looked like:

sudo netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


Having Apache allowing 300 connections (directive MaxClients in apache2.conf), and ServerLimit 500 (ServerLimit directive), this connections from weird countries I shouldn't have visitors from rapidly collapsed my site and it was down

iptables to the rescue:

I found this simple tutorial: to configure IPTABLES, and this other one to learn a bit more about the command:

In the end, it was enough to do

sudo iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-rese

and then

sudo sh -c "iptables-save > /etc/iptables.rules"

to save the configuration into a file that is loaded at boot. Watch out dont overwrite the /etc/iptables.rules if you have any.

After this commands my site was up again, and I had learned a lot.

here is the tutorial I followed (iptables is pretty standard, so its not necessary to reproduce it here):

Iptables Limits Connections Per IP

by on February 7, 2010 · 29 comments· last updated at February 9, 2010
How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables? You need to use the connlimit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
This is useful to protect your server or vps box against flooding, spamming or content scraping.


The syntax is as follows:
/sbin/iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset
# save the changes see iptables-save man page, the following is redhat and friends specific command
service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 ssg connections per client host:
/sbin/iptables  -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# save the changes see iptables-save man page, the following is redhat and friends specific command
service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):
WARNING! Please note that large proxy servers may legitimately create a large number of connections to your server. You can skip those ips using ! syntax
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
# save the changes see iptables-save man page, the following is redhat and friends specific command
service iptables save
Skip proxy server IP from this kind of limitations:
/sbin/iptables -A INPUT -p tcp --syn --dport 80 -d ! -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Example: Class C Limitations

In this example, limit the parallel http requests to 20 per class C sized network (24 bit netmask)
/sbin/iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
# save the changes see iptables-save man page
service iptables save

Example: Limit Connections Per Second

The following example will drop incoming connections if IP make more than 10 connection attempts to port 80 within 100 seconds (add rules to your iptables shell script)
# Max connection in seconds
# Max connections per IP
# ....
# ..
# default action can be DROP or REJECT
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
# ....
# ..

How Do I Test My Firewall Working?

Use the following shell script to connect to your web server hosted at
for i in {1..100}
  # do nothing just connect and exit
  echo "exit" | nc ${ip} ${port};


Wednesday, March 6, 2013

for loop inline bash style AND while ... loop

So simple, yet I always forget.

Here's how to do a for loop in inline bash:

for x in {1..30}; do foo1; foo2; done

Also how to do an inline while loop in bash:

while true; do foo; sleep 2; done

copy hidden files when using 'cp'

To copy hidden files when using 'cp' don't specify the files being copied..

Don't specify the files:
cp -r /etc/skel /home/user

Sunday, March 3, 2013

cakephp 1.3 migration to 2.3.1

I decided to migrate one of my apps (one of the easiest) from cakephp 1.3 to 2.3.1

Although the cakaphp upgrade shell is magnificent upgrading my code, it doesn't to all (obviously).

Problems I encountered:

  • upgrading plugins
    • I was lucky I think all my plugins had a 2.x branch
  • One to manually upgrade webroot/index.php file
  • One has to manually merge Config/core.php file with your old one
  • Im 1.3 I used $this->view = 'MyView'  in app_controller to use my own view class. This changed to $this->viewClass
  • I also had to update my legacy code.
    • That is to change some things from 1.2 style to 1.3 style... which was already compatble with 2.3.1 !
      • that included basically changing
        • $this->Javascript->link to $this->Html->script
        • $this->Javascript->codeBlock to $this->Html->scriptBlock
        • $this->Javascript->object to $this->JsBaseEngine->object
        • this was easily done with find && sed:
find . -type f -exec sed -i -e "s/Javascript->link/Html->script/g" {} \;
find . -type f -exec sed -i -e "s/Javascript->codeBlock/Html->scriptBlock/g" {} \;
find . -type f -exec sed -i -e "s/Javascript->link/Html->script/g" {} \;

cancel script completely on ctrl-c

I found this question interesting: basically how to cancel completely a script and all child processes : You do this by creating a subro...