On Mon, Feb 11, 2008 at 10:25:07PM -0800, Dennis Hilberg, Jr. has written:
> Hi Richard,
> 
> I've been running these scripts on my pool server for about five days now, 
> and they seem to work very well.  Thank you for the contribution.  I've 
> always had a fair share of abusive clients, according to the 
> ntp_clients_stats script that I run from Wayne Schlitt.  At least now 
> there's an automated way to deal with them, instead of manually choosing 
> which client's requests to drop.

Thanks for this encouragement, Dennis.

> One thing I'm not quite clear on is the variables in the awk code in the 
> conntracka script.  You have some brief comments in there, but I was 
> wondering if you could elaborate on them a bit, as I would like to tinker 
> around.  I'm not fluent with awk, otherwise I'm sure I could figure it out.

Surely.

The point is to derive a number based on the historical presence of an ip
in the /proc/net/ip_conntrac file which may well indicate a frequent
user of udp port 123.

We can't at this stage say that the ip is a bozo--that comes later.

First of all, the counts of the last invocation are read in from the
ntpconnhist file. These have the form IP COUNT.

Every time we find a particular ip in the ip_conntrac we increase the
count associated with the ip by a value held in incrcount. Then if this
count has exceeded a maximum, held in maxcount, we reduce the count to
the same maximum. The idea here is to stop things running away, which is
probably not necessary!

Each count is then "aged" so that entries are reduced, and ip activity
which has now stopped is "forgotten" over time. This is done by
multiplying each count by alpha.

Then, if the count is less than a minimum threshold held in mincount the
count and the ip are entirely forgotten. All other counts are written to
the ntpconnhist file, to be used in the next invocation.

Counts greater than hogcount have the ip written to the NTPHIUSE file, to
be tested by conntrackb when that is run.

Some constraints:
0.0 < alpha < 1.0
incrcount > 0
mincount < hogcount < maxcount

The choice of values was determined more or less empirically. Note that,
using my values, three consecutive appearances are required to push a
count from 0 to something greater than my value of hogcount.

To catch more frequent users you must decrease hogcount and/or decrease
mincount.
Remember past usage more clearly by increasing alpha.

The only tuning of conntrackb concerns the setting of maxrate, which
compares to the actual measured use by the ip in the update interval (1
hour for me). If you are running half-hourly so as to be more reactive
then reduce my value by half.

Hope this helps.

-- 
Richard A Leach | Why look through windows when you can walk through gates?
The great little festival -- http://www.PennineSpringMusic.co.uk
A Centre of Excellence for Domestic Information Technology Solutions
5344.9735,N,00201.2268,W,263.0
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
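
The count update described in the message above, restated as a small Python model for trying out tuning values. This is an added example, not the conntracka awk code: the five tuning values and the sample address are constructed, and testing against hogcount after ageing is an assumption.

```python
# Constructed tuning values (the message does not give the author's settings).
# They satisfy the stated constraints and the "three consecutive appearances" note.
TUNING = dict(alpha=0.8, incrcount=10.0, mincount=1.0, hogcount=18.0, maxcount=60.0)


def check(alpha, incrcount, mincount, hogcount, maxcount):
    """Reject tuning values that break the constraints listed in the message."""
    if not 0.0 < alpha < 1.0:
        raise ValueError("need 0.0 < alpha < 1.0")
    if incrcount <= 0:
        raise ValueError("need incrcount > 0")
    if not mincount < hogcount < maxcount:
        raise ValueError("need mincount < hogcount < maxcount")


def update(history, seen, **overrides):
    """One run: history is {ip: count} from the last run, seen is the set of
    ips present now. Returns (new_history, high_use_ips)."""
    t = {**TUNING, **overrides}
    check(**t)
    new_history, high_use = {}, []
    for ip in sorted(set(history) | set(seen)):
        count = history.get(ip, 0.0)
        if ip in seen:                       # present: bump, then cap
            count = min(count + t["incrcount"], t["maxcount"])
        count *= t["alpha"]                  # age every entry, seen or not
        if count < t["mincount"]:            # forgotten entirely
            continue
        new_history[ip] = count              # would be written to ntpconnhist
        if count > t["hogcount"]:            # assumed: tested after ageing
            high_use.append(ip)              # would be written to NTPHIUSE
    return new_history, high_use


def runs_until_flagged(limit=100, **overrides):
    """Consecutive appearances before an ip first exceeds hogcount, or None
    if the aged count never gets there within `limit` runs."""
    history = {}
    for run in range(1, limit + 1):
        history, high_use = update(history, {"192.0.2.1"}, **overrides)
        if high_use:
            return run
    return None


if __name__ == "__main__":
    print("constructed defaults:", runs_until_flagged())
    print("hogcount=12:", runs_until_flagged(hogcount=12.0))
    print("hogcount=45:", runs_until_flagged(hogcount=45.0))
```

With these values a continuously present ip settles at alpha * incrcount / (1 - alpha) = 40, so any hogcount at or above 40 is never exceeded and the maxcount ceiling is never reached.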
