HOW TO LIMIT MAXIMUM CONNECTIONS IN YOUR SERVER:

Most Internet download manager apps like IDM and DAP try to establish parallel connections to a download server so the user gains a faster download speed. On the other hand, the number of connections per user, multiplied by how many users are connected and opening parallel connections at once, can take the server down. This article shows you how to limit the number of connections a single IP may open to your server, to avoid traffic flooding. This is useful if you want to build a file sharing site or a RapidLeech transloading server.

That’s not all. Most modern web browsers use multiple connections to speed up page loading. So it is good practice to always set the maximum number of connections allowed from every single IP. However, it is also not a good idea to allow only a single connection per IP, as users will feel your website is too slow to load compared to other sites. Most servers set the number to 20 simultaneous connections, but that number is really up to the admin; there is no exact number you have to set. This guide shows how to restrict the number of connections allowed from a single IP to your server via port 80 (the default HTTP port).

P.S.: Whenever I say “server”, I mean either a VPS (virtual private server) or a dedicated server. In this guide I use an Ubuntu-based server, but other distros should be similar (not exactly the same, but similar).

FIREWALL CONFIG: USING IPTABLES

Step 1 – Login to your server via SSH.

What Is SSH?

One essential tool to master as a system administrator is SSH.

SSH, or Secure Shell, is a protocol used to securely log onto remote systems. It is the most common way to access remote Linux and Unix-like servers, such as VPS instances.

In this guide, we will discuss how to use SSH to connect to a remote system.

 

How Does SSH Work?

SSH works by connecting a client program to an ssh server.

In the ssh command, ssh is the client program. The ssh server is already running on the remote_host that we specified.

In your VPS, the sshd server should already be running. If this is not the case, click on the Console Access button from your droplet page:


You will be presented with a login screen:


Log in with your credentials.

The process needed to start an ssh server depends on the distribution of Linux that you are using.

On Ubuntu, you can start the ssh server on the VPS by typing:

sudo service ssh start

That should start the sshd server and you can then log in remotely.

How To Configure SSH

When you change the configuration of SSH, you are changing the settings of the sshd server.

In Ubuntu, the main sshd configuration file is located at /etc/ssh/sshd_config.

Back up the current version of this file before editing:

sudo cp /etc/ssh/sshd_config{,.bak}

Open it with a text editor:

sudo nano /etc/ssh/sshd_config

You will want to leave most of the options in this file alone. However, there are a few you may want to take a look at:

Port 22

The port declaration specifies which port the sshd server will listen on for connections. By default, this is 22.

It may be a good idea to change this to a non-standard port to help obscure your server from random port scans. If you do change your port, we will show you how to connect to the new port later on.

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

HostKey /etc/ssh/ssh_host_ecdsa_key

The host keys declarations specify where to look for global host keys. We will discuss what a host key is later.

SyslogFacility AUTH

LogLevel INFO

These two items indicate the level of logging that should occur.

If you are having difficulties with SSH, increasing the amount of logging may be a good way to discover what the issue is.

LoginGraceTime 120

PermitRootLogin yes

StrictModes yes

These parameters specify some of the login information.

LoginGraceTime specifies how many seconds to keep the connection alive without successfully logging in.

It may be a good idea to set this time just a little bit higher than the amount of time it takes you to log in normally.

PermitRootLogin selects whether root is allowed to log in.

In most cases, this should be changed to “no” once you have created a user account that has access to elevated privileges (through su or sudo) and can log in through ssh.

StrictModes is a safety guard that refuses a login attempt if the authentication files are readable by everyone.

This prevents login attempts when the configuration files are not secure.

X11Forwarding yes

X11DisplayOffset 10

These parameters configure an ability called X11 Forwarding. This allows you to view a remote system’s graphical user interface (GUI) on the local system.

This option must be enabled on the server, and the client must request it during connection with the “-X” option.

If you changed any settings in this file, make sure you restart your sshd server to implement your modifications:

sudo service ssh restart

You should thoroughly test your changes to ensure that they operate in the way you expect.

It may be a good idea to have a few sessions active when you are making changes. This will allow you to revert the configuration if necessary.

If you run into problems, remember that you can log in through the Console Access button on your droplet page.
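As an added example (not part of the original guide), here is a small shell audit of the sshd_config directives discussed above; the function names and the sample config are mine. It goes slightly beyond the text: sshd uses the first value it finds for a keyword, matches keywords case-insensitively, and treats directives after a Match line as conditional, so the lookup mirrors that.

```shell
# Added example, not the guide's own code: audit the global section of an
# sshd_config for the directives discussed above. sshd uses the FIRST value it
# finds for a keyword and matches keywords case-insensitively, so sshd_get does
# the same; it stops at the first Match block, whose settings are conditional.

# Print the first effective value of a keyword, or nothing if it is not set.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print one finding per weak setting; the return status is the number of findings.
audit_sshd_config() {
    local cfg="$1" n=0 v
    v=$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$v" in no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '${v:-unset}': set it to no once a sudo user can log in"; n=$((n+1)) ;;
    esac
    v=$(sshd_get "$cfg" StrictModes | tr 'A-Z' 'a-z')
    [ "$v" = no ] && { echo "StrictModes is no: world-readable key files are accepted"; n=$((n+1)); }
    v=$(sshd_get "$cfg" X11Forwarding | tr 'A-Z' 'a-z')
    [ "$v" = yes ] && { echo "X11Forwarding is yes: disable it unless remote GUIs are needed"; n=$((n+1)); }
    v=$(sshd_get "$cfg" LoginGraceTime)   # plain seconds only; suffixed values like 2m are skipped
    case "$v" in *[!0-9]*|'') ;;
        *) [ "$v" -gt 60 ] && { echo "LoginGraceTime is ${v}s: lower it to just above your usual login time"; n=$((n+1)); } ;;
    esac
    return "$n"
}

# Constructed sample (not a real server's file) mirroring the guide's excerpt.
# The later "PermitRootLogin no" is ignored because the first value wins, and
# the X11Forwarding inside the Match block only applies to that user.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# PermitRootLogin no
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
PermitRootLogin no
X11Forwarding yes
Match User backup
    X11Forwarding no
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "$? weak setting(s) found"
```

On a real server pass /etc/ssh/sshd_config instead of the sample file, and still run sshd -t after editing, since this only checks the handful of directives the guide covers.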

 

Step 2 – Add the following iptables rule to restrict connections to only N. Of course, change N to the number you want.

Default command syntax for the firewall rule:

iptables -A INPUT -p tcp --syn --dport $port -m connlimit --connlimit-above N -j REJECT --reject-with tcp-reset

Change $port to the port number whose connections you wish to limit: 80 for HTTP, or 22 for SSH (if you never changed it). For example, to limit a single IP to 20 allowed connections:

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

An example of that command can be seen in the following picture:


This specific command limits allowed SSH connections per single IP to only 3:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Or this syntax in RedHat and friends:

/sbin/iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset

Step 3 – Once done, you also need to save that configuration. On RedHat and friends you can use this command:

service iptables save

Or save the currently active iptables rules to a file with this command (Ubuntu, Debian and friends):

iptables-save > /etc/iptables.up.rules

Now you will see the following screen:


Step 4 – However, following the steps above alone means the iptables rules get flushed each time the server reboots. To make them persistent, first create a new file that gets called every time the network interface is brought up:

nano /etc/network/if-pre-up.d/iptables


Step 5 – Once the Nano editor is launched, add the following lines to reload the iptables rules:

#!/bin/bash

/sbin/iptables-restore < /etc/iptables.up.rules

Once done, hit Control+O to save, then Control+X to exit the Nano text editor.


Step 6 – Now all you need to do is set the +x permission so that the newly created file can be executed:

chmod +x /etc/network/if-pre-up.d/iptables


That is it. By following steps 3 – 6 above, your iptables config will be retained and reloaded whenever you reboot your server.
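Steps 2 to 6 as one script, added here as an example rather than taken from the article: the function names are mine, and it assumes iptables and iptables-save are installed and that the apply step runs as root. It adds the check the bare iptables -A lacks, so re-running it does not stack duplicate rules, and keeps the article's /etc/iptables.up.rules path for persistence.

```shell
#!/bin/bash
# Added example, not the article's own script: steps 2 to 6 wrapped in
# functions so the connlimit rule can be re-applied without duplicates and
# persisted. Assumes iptables/iptables-save are installed and root for apply.
set -eu

# Validate a TCP port (1-65535) and a connection limit (positive integer).
validate_args() {
    local port="${1:-}" limit="${2:-}"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    case "$limit" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && [ "$limit" -ge 1 ]
}

# Print the rule specification (everything after -A in the article): match only
# new connections (--syn) and answer with a TCP reset once one source address
# (connlimit counts per /32 unless --connlimit-mask says otherwise) already
# holds more than $limit connections to that port.
connlimit_spec() {
    validate_args "$1" "$2" || { echo "invalid port/limit: '$1' '$2'" >&2; return 1; }
    printf 'INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j REJECT --reject-with tcp-reset\n' "$1" "$2"
}

# Insert the rule at the top of INPUT, so it is evaluated before any blanket
# ACCEPT, and only if an identical rule is not already there: the article's
# plain 'iptables -A' appends another copy every time it is run.
apply_connlimit() {
    local spec
    spec=$(connlimit_spec "$1" "$2") || return 1
    # shellcheck disable=SC2086 -- word splitting of $spec is intended
    if iptables -C $spec 2>/dev/null; then
        echo "connlimit rule for port $1 (limit $2) already present"
    else
        iptables -I $spec
        echo "inserted connlimit rule for port $1 (limit $2)"
    fi
}

# Persist the live ruleset to the file the article's if-pre-up.d script restores.
save_rules() {
    iptables-save > /etc/iptables.up.rules
}

# Usage (as root): ./connlimit.sh 80 20
if [ $# -eq 2 ]; then
    apply_connlimit "$1" "$2"
    save_rules
fi
```

iptables handles IPv4 only; a server that is also reachable over IPv6 needs the same rule added with ip6tables.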

Here is an example. I set my server to allow only 5 connections:

Before (screenshot):

And here’s after (screenshot):

OTHER USEFUL IPTABLES COMMANDS

This command lets you see the current iptables rules:

iptables -L

It will give you output like this:


Need to reset all of the above configuration and bring iptables back to its default config? Use this command to flush the currently active iptables rules:

iptables -F

And this is how it looks:


Enjoy.

 
