Connection Tracking: What are they doing?

Posted: 04 Jan 2007, 17:22
by richyc
Is it possible to add a new feature to CSF so that if an IP address is blocked due to exceeding the CT_LIMIT (Connection Tracking Limit) the email produced actually contains details of the connections in progress?

For example, instead of just:
From: root
To: root
Subject: lfd: 12.34.56.78 blocked with too many connections

Time: 04/Jan/2007 13:24
IP: 12.34.56.78
Connections: 400
Blocked: 3800
we get something like:
From: root
To: root
Subject: lfd: 12.34.56.78 blocked with too many connections

Time: 04/Jan/2007 13:24
IP: 12.34.56.78
Connections: 400
Blocked: 3800

tcp 0 0 127.0.0.1:80 12.34.56.78:2780 TIME_WAIT
tcp 0 0 127.0.0.1:80 12.34.56.78:20078 TIME_WAIT
tcp 0 0 127.0.0.1:80 12.34.56.78:19310 TIME_WAIT
tcp 0 0 127.0.0.1:80 12.34.56.78:2782 TIME_WAIT
This is so that we'll have a better idea of exactly why a user was blocked. Should be quite simple to modify the code IMHO.

Posted: 05 Jan 2007, 09:31
by chirpy
I'll look at adding that soon. The main reason for leaving it out is that if they have 600 odd connections, the email is going to be quite large.

Posted: 28 Feb 2007, 22:23
by alwaysweb
Agreed, one of our customers keeps tripping the Connection Tracking limits and getting blocked... Spoke to him several times about it and he insists he's simply editing his site through the Administrator interface in the "Joomla" CMS system...

But the CSF alert says otherwise:

Subject [lfd] server5: 1.2.3.4 (*****com) blocked with too many connections
Time: Wed Feb 28 14:59:06 2007
IP: 1.2.3.4 (*******.com)
Connections: 402
Blocked: temporarily

I don't happen to be at the terminal when it happens, so I haven't been able to catch the "netstat -nap | grep 1.2.3.4" output in time to see what was going on...

Chirpy, if you think the log would be too big (though I don't see a problem with that... even if it was an MB or more) you could just save the log file in /etc/csf/logs/lfd/ or some directory like that, with a filename to reflect the IP & date (2007-02-28 14:59:06 1.2.3.4.log).
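The three posts above ask for the same thing from different angles: include the offending connections in the alert, keep the email from ballooning when an IP has hundreds of sockets open, and optionally write the detail to a per-IP, per-time log file. The script below is an added example of how such a summary can be produced from netstat output; it is not code from CSF or lfd. It assumes "netstat -nat"-style lines (proto recv-q send-q local remote state), a constructed sample capture, and a hypothetical CT_LIMIT of 3 so the threshold trips on the sample. Rather than dumping every line, it groups the IP's connections by TCP state and by local socket, which is usually what tells you whether a client is a busy but legitimate editor (ESTABLISHED on :80) or a flood (mostly SYN_RECV/TIME_WAIT), and caps the raw sample lines.

```python
"""Summarise per-IP connection-tracking hits from netstat-style output.

Added example, not part of the CSF/lfd code base. Assumes input in the
shape of "netstat -nat" (proto recv-q send-q local remote state).
"""
from collections import Counter
from datetime import datetime

# Constructed sample of netstat -n output (not a real capture).
SAMPLE_NETSTAT = """\
tcp 0 0 127.0.0.1:80 12.34.56.78:2780 TIME_WAIT
tcp 0 0 127.0.0.1:80 12.34.56.78:20078 TIME_WAIT
tcp 0 0 127.0.0.1:80 12.34.56.78:19310 ESTABLISHED
tcp 0 0 127.0.0.1:80 12.34.56.78:2782 TIME_WAIT
tcp 0 0 127.0.0.1:22 10.0.0.5:51000 ESTABLISHED
tcp 0 0 127.0.0.1:443 12.34.56.78:2790 SYN_RECV
"""

# Hypothetical threshold; CSF's real CT_LIMIT is whatever csf.conf sets.
CT_LIMIT = 3


def parse_netstat(text):
    """Return a list of (local, remote_ip, remote_port, state) tuples.

    Lines without a state column (e.g. bare udp sockets) are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        # rpartition keeps IPv6 addresses such as ::1 intact.
        rip, _, rport = remote.rpartition(":")
        rows.append((local, rip, rport, state))
    return rows


def connections_per_ip(rows):
    """Count connections per remote IP, which is what CT_LIMIT compares against."""
    return Counter(rip for _, rip, _, _ in rows)


def over_limit(rows, ct_limit=CT_LIMIT):
    """Return {ip: count} for every remote IP above the limit."""
    return {ip: n for ip, n in connections_per_ip(rows).items() if n > ct_limit}


def build_report(rows, ip, max_lines=20):
    """Per-state and per-local-socket breakdown plus a capped sample of lines."""
    mine = [r for r in rows if r[1] == ip]
    by_state = Counter(state for *_, state in mine)
    by_local = Counter(local for local, *_ in mine)
    lines = [f"IP: {ip}", f"Connections: {len(mine)}", "By state:"]
    lines += [f"  {s}: {n}" for s, n in by_state.most_common()]
    lines.append("By local socket:")
    lines += [f"  {loc}: {n}" for loc, n in by_local.most_common()]
    shown = min(max_lines, len(mine))
    lines.append(f"Sample (first {shown} of {len(mine)}):")
    lines += [f"  {loc} {rip}:{rport} {state}"
              for loc, rip, rport, state in mine[:max_lines]]
    return "\n".join(lines)


def log_filename(ip, when):
    """Filename in the style suggested in the thread: '<date> <time> <ip>.log'."""
    return f"{when:%Y-%m-%d %H:%M:%S} {ip}.log"


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for ip in over_limit(rows):
        print(build_report(rows, ip, max_lines=5))
        print("would write to:", log_filename(ip, datetime.now()))
```

On a live box the input would come from `netstat -nat` (or `ss -tan`, whose columns differ), and the report string is what you would append to the alert body or write to the per-IP log file; the `max_lines` cap is the answer to the "600-odd connections make a large email" concern, since the state and port counts carry most of the diagnostic value.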

Posted: 05 Mar 2007, 09:50
by chirpy
The feature was added some time ago:
http://www.configserver.com/blog/index.php?itemid=156