[389-users] Safeguarding against to many established connections

[Gerrard Geldenhuis]

>________________________________________
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users at witbe.net]
>Sent: 19 October 2010 11:16
>To: 389-users at lists.fedoraproject.org
>Subject: Re: [389-users] Safeguarding against to many established connections
>
>On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
>> Hi
>> We have recently seen an issue were a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed >connections but it did'nt. Is there a way to limit the amount of connections per client or close connections from the server side after a certain period? Without just making the amount of connections ridicuosly >high on the directory server how can you safeguard against rogue clients.
>>
>> Our client setting is as follows:
>> idle_timelimit                  5
>> timelimit                       10
>> bind_timelimit                  5
>>
>> We were unable to log into client and it had file system issues so we could not do any further analyses there.
>>
>> I suspect that solutions to this problem probably falls outside of what can be configured in 389?
>
>While it's not a 389-specific suggestion, iptables could easily solve
>this problem for you across the board. :)
>

I would be keen on such a solution but from a company point of view it is "non-standard" so I would need to do a bit of convincing and/arm twisting.

Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________