Hello,
On Mon, 12 Jan 2009 09:48:03 -0000 Norton, Ian wrote:
> We had this problem with badly configured/behaving clients a while back
> (with UW IMAP) and fixed it with some iptables rules:
> [...]
I love iptables and am using them in many places, nice recipe.
The problem with iptables in general is that it is Linux specific (and not
all OSS software runs on Linux boxes) and, more importantly for me (all
Debian boxes here), that this assumes that the person or context running
them is allowed to utilize them. A specific example would be anything
running in a Vserver. Of course you can set iptables rules on the host, but
if the program in question has sensible options and is linked against
tcpwrappers, usually that will suffice.
In my particular example the rate might not even have been high enough to
trigger things; it was the fact that the connections lingered for over 20
minutes in pre-auth (aka connect) that exhausted the resources.
Also, an IP-based solution will need exceptions and monitoring for people
with multiple clients behind NAT (not uncommon here) and of course for
something like a webmail server.
Regards,
Christian
--
Christian Balzer Network/Systems Engineer NOC
chibi(a)gol.com Global OnLine Japan/Fusion Network Services
http://www.gol.com/
https://secure3.gol.com/mod-pl/ols/index.cgi/?intr_id=F-2ECXvzcr6656
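The monitoring side of what Christian describes, as an added example that is not code from either poster: it counts, per source address, the unauthenticated connections that have lingered past a threshold (his 20-minute figure), reports sources over a per-IP allowance, and treats operator-declared NAT gateways and a webmail host as exempt but still watched rather than blocked. The input format (`state age_seconds source_ip` per line), the sample addresses and the limit of 5 are constructed assumptions, not the output or defaults of any real IMAP server.

```python
"""Flag sources holding too many lingering pre-auth IMAP connections.

Added example, not from the mailing-list thread. The listing format below is a
constructed assumption; adapt parse_listing() to whatever your server reports.
"""
from collections import defaultdict
import ipaddress

PREAUTH_AGE_SECONDS = 20 * 60   # "over 20 minutes in pre-auth" from the thread
PER_SOURCE_LIMIT = 5            # hypothetical allowance per source address

# Constructed sample listing: one connection per line, "<state> <age_seconds> <source_ip>".
SAMPLE_LISTING = """\
preauth 1500 198.51.100.7
preauth 1320 198.51.100.7
preauth 1800 198.51.100.7
preauth 1260 198.51.100.7
preauth 1410 198.51.100.7
preauth 1700 198.51.100.7
preauth 1305 198.51.100.7
preauth 1250 203.0.113.20
preauth 1900 203.0.113.20
preauth 1260 203.0.113.20
preauth 1210 203.0.113.20
preauth 1300 203.0.113.20
preauth 1400 203.0.113.20
preauth 1500 203.0.113.20
preauth 1600 203.0.113.20
preauth 1300 192.0.2.5
preauth 1400 192.0.2.5
preauth 1500 192.0.2.5
authenticated 4000 192.0.2.5
authenticated 9000 192.0.2.5
preauth 60 198.51.100.9
preauth 45 198.51.100.9
preauth 30 198.51.100.9
preauth 20 198.51.100.9
preauth 15 198.51.100.9
preauth 10 198.51.100.9
"""

# Constructed exemptions: a webmail host and a NAT gateway's address range.
EXEMPT_NETWORKS = ["203.0.113.20/32", "192.0.2.0/24"]


def parse_listing(text):
    """Parse the assumed listing format into (state, age_seconds, ip) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headers or malformed lines
        state, age, src = parts
        records.append((state, int(age), ipaddress.ip_address(src)))
    return records


def lingering_by_source(records, age_threshold=PREAUTH_AGE_SECONDS):
    """Count, per source address, pre-auth connections older than the threshold."""
    counts = defaultdict(int)
    for state, age, src in records:
        if state == "preauth" and age > age_threshold:
            counts[src] += 1
    return counts


def classify_sources(records, exempt_networks=EXEMPT_NETWORKS,
                     limit=PER_SOURCE_LIMIT, age_threshold=PREAUTH_AGE_SECONDS):
    """Return (block_candidates, watch_list): both map source IP -> lingering count.

    Sources over the limit are block candidates unless they fall inside an
    exempt network, in which case they only go on the watch list so that a
    NAT gateway or webmail server is never cut off by an automatic rule.
    """
    nets = [ipaddress.ip_network(n) for n in exempt_networks]
    block, watch = {}, {}
    for src, n in lingering_by_source(records, age_threshold).items():
        if n <= limit:
            continue
        if any(src in net for net in nets):
            watch[str(src)] = n
        else:
            block[str(src)] = n
    return block, watch


if __name__ == "__main__":
    block, watch = classify_sources(parse_listing(SAMPLE_LISTING))
    for ip, n in block.items():
        print(f"block candidate {ip}: {n} lingering pre-auth connections")
    for ip, n in watch.items():
        print(f"watch (exempt)  {ip}: {n} lingering pre-auth connections")
```

Run it on the sample and it flags 198.51.100.7 as a block candidate, puts the exempt webmail host 203.0.113.20 on the watch list, and leaves 192.0.2.5 (under the limit) and 198.51.100.9 (many connections, but all young) alone. Whether the block list then feeds iptables, tcpwrappers or only an alert is a separate decision; the point of keeping the exempt sources visible is that a shared NAT address exceeding the limit still deserves a human look.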