[389-users] Safeguarding against to many established connections
Gerrard.Geldenhuis at betfair.com
Tue Oct 19 10:34:39 UTC 2010
>From: 389-users-bounces at lists.fedoraproject.org [389-users-bounces at lists.fedoraproject.org] on behalf of Daniel Maher [dma+389users at witbe.net]
>Sent: 19 October 2010 11:16
>To: 389-users at lists.fedoraproject.org
>Subject: Re: [389-users] Safeguarding against to many established connections
>On 10/19/2010 12:11 PM, Gerrard Geldenhuis wrote:
>> We have recently seen an issue were a single client opened up more than 800 established connections to our directory server. The client did have the proper settings configured and should have closed >connections but it did'nt. Is there a way to limit the amount of connections per client or close connections from the server side after a certain period? Without just making the amount of connections ridicuosly >high on the directory server how can you safeguard against rogue clients.
>> Our client setting is as follows:
>> idle_timelimit 5
>> timelimit 10
>> bind_timelimit 5
>> We were unable to log into client and it had file system issues so we could not do any further analyses there.
>> I suspect that solutions to this problem probably falls outside of what can be configured in 389?
>While it's not a 389-specific suggestion, iptables could easily solve
>this problem for you across the board. :)
I would be keen on such a solution but from a company point of view it is "non-standard" so I would need to do a bit of convincing and/arm twisting.
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.
More information about the 389-users