/proc/net/nf_conntrack more than 60K lines
Hello,
My cPanel server is on an OpenVZ VPS and I do:
wc -l /proc/net/nf_conntrack
62109 /proc/net/nf_conntrack
sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max
net.netfilter.nf_conntrack_count = 62095
net.nf_conntrack_max = 65536

tail & head on /proc/net/nf_conntrack show connections like this one (ESTABLISHED, ASSURED):
ipv4 2 tcp 6 401407 ESTABLISHED src=SOMEONEELSEIP dst=MYSERVERIPHERE sport=53375 dport=80 src=MYSERVERIPHERE dst=SOMEONEELSEIP sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2

Apache shows that many different IPs (800+) are trying to connect to one web directory (which is empty); the connection rate can be around 5 IPs per second.

cat /etc/sysctl.conf | grep =
net.ipv4.ip_forward = 0
# net.ipv4.conf.default.rp_filter = 1
# net.ipv4.conf.default.accept_source_route = 0
# kernel.sysrq = 0
# kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# kernel.msgmnb = 65536
# kernel.msgmax = 65536
# kernel.shmmax = 68719476736
# kernel.shmall = 4294967296

I tried to add these lines to the above file, but the conntrack table does not decrease:
net.netfilter.nf_conntrack_tcp_timeout_established = 600
net.netfilter.nf_conntrack_generic_timeout = 120

Then I tried:
# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
error: permission denied on key 'net.netfilter.nf_conntrack_tcp_timeout_established'
error: permission denied on key 'net.netfilter.nf_conntrack_generic_timeout'

# sysctl -a | grep conn | grep time
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
I want to ask for kind advice: how can I somehow secure the server to prevent such a high number of lines in the connection tracking table? And if I can temporarily clean that table, how? Thank you
Hello :) You may want to consult with your VPS hosting provider so they can verify the values you are modifying are suitable for the OpenVZ environment your VPS is hosted on. Thank you.
There is no VPS provider in my case. It may help to reduce the established connections timeout or other timeouts and then prune the conntrack table using the conntrack tool from the "conntrack-tools" package (conntrack-tools: Netfilter's connection tracking userspace tools), command: conntrack -D -d myserverip
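Before pruning the table or shortening timeouts, it helps to know what is filling it. The script below is an added example, not code from the thread: it parses the /proc/net/nf_conntrack layout quoted in the question, counts entries per state and per originating IP towards a port, and reports table usage from the count/max pair the post shows; it runs against a constructed sample with TEST-NET addresses, and passing /proc/net/nf_conntrack as FILE to the same functions runs it on a live host.

```shell
#!/bin/sh
# Constructed sample in the /proc/net/nf_conntrack layout quoted in the question
# (TEST-NET addresses, not real hosts).
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
ipv4     2 tcp      6 401407 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=53375 dport=80 src=192.0.2.10 dst=203.0.113.5 sport=80 dport=53375 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431990 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=53376 dport=80 src=192.0.2.10 dst=203.0.113.5 sport=80 dport=53376 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431995 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=53377 dport=80 src=192.0.2.10 dst=203.0.113.5 sport=80 dport=53377 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 119 TIME_WAIT src=198.51.100.7 dst=192.0.2.10 sport=44001 dport=80 src=192.0.2.10 dst=198.51.100.7 sport=80 dport=44001 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=44002 dport=443 src=192.0.2.10 dst=198.51.100.7 sport=443 dport=44002 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=198.51.100.9 dst=192.0.2.10 sport=5353 dport=53 src=192.0.2.10 dst=198.51.100.9 sport=53 dport=5353 mark=0 secmark=0 use=2
EOF

# Entries per TCP state; non-TCP entries carry no state field, so they are
# bucketed by protocol name instead.  Output: "<count> <state>", largest first.
state_summary() {  # usage: state_summary FILE
  awk '{ s = ($3 == "tcp") ? $6 : $3; c[s]++ }
       END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# Top N originating IPs by number of entries whose original direction targets
# DPORT.  The first src=/dport= pair on each line is the original direction;
# the second pair is the reply tuple and is skipped.
top_sources() {  # usage: top_sources FILE DPORT N
  awk -v port="$2" '
    { src = ""; dport = ""
      for (i = 1; i <= NF; i++) {
        if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
        if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
      }
      if (dport == port) c[src]++
    }
    END { for (k in c) print c[k], k }' "$1" | sort -rn | head -n "$3"
}

# Percentage of the table in use, e.g. the 62095 / 65536 pair from the post.
# On a live host feed it $(sysctl -n net.netfilter.nf_conntrack_count) and
# $(sysctl -n net.nf_conntrack_max).
table_usage_pct() {  # usage: table_usage_pct COUNT MAX
  echo $(( $1 * 100 / $2 ))
}

echo "table usage: $(table_usage_pct 62095 65536)%"
echo "--- entries by state ---";        state_summary "$SAMPLE"
echo "--- top sources to dport 80 ---"; top_sources "$SAMPLE" 80 3
```

A source that owns thousands of ESTABLISHED entries at once is the one to rate-limit or block at the firewall; with the 432000-second established timeout shown above, those entries otherwise stay in the table for five days after the client goes quiet.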