Netgate Discussion Forum

Change max connections to CP and disable logging

Captive Portal
    michel2013
    last edited by Apr 25, 2014, 12:52 PM

    Because of a lot of keep alive functionality of unregistered mobile devices I see a lot of

    Apr 25 14:13:02 ***  lighttpd[50414]: (mod_evasive.c.183) 192.168.**.**  turned away. Too many connections. 
    

    Log rules.

    How is it possible to limit the max connections to the CP per 'user'? Is this the option Maximum concurrent connections? Because currently it is set to 4 and this doesn't seem to help much.
    Can somebody tell me more about how the 4 connections are calculated? Something like 4 requests allowed in 1 minute? Or what exactly is meant by 'concurrent connections' in terms of HTTP(S) requests per minute? Otherwise it seems best to set it to 1, because a lot of people don't register their device but keep the connection open to the Wifi and thereby the captive portal with apps like WhatsApp and Facebook.

    And how to disable the log described above?

    Thanks in advance

      eri--
      last edited by Apr 25, 2014, 12:56 PM

      Nope that is not the CP feature.
      lighty itself has this feature of locking abusers.

      Someone or something is making too many queries to the CP.

        michel2013
        last edited by Apr 25, 2014, 12:59 PM

        @ermal:

        Nope that is not the CP feature.
        lighty itself has this feature of locking abusers.

        Someone or something is making too many queries to the CP.

        That is correct. When I sniff the IP I see a lot of requests to Facebook, Google, Samsung etc.
        Any idea how to block these kinds of connection requests?

          Gertjan
          last edited by Apr 25, 2014, 1:39 PM

          Not a good idea.
          These requests will trigger the portal login page, which will not be shown to someone, as I understood it concerns background polling of cell phones etc.
          But: finally, the user would open up his Facebook account ….. and be unable to log in to the portal interface because it blocked that user. The guy will look for you to unblock him (hummm, so you can tell him he is punished because his device is hammering your network  ;)).

          I don't know if the 'log' daemon of pfSense supports discarding - if it does, think about throwing away multiple "mod_evasive.c" lines.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            michel2013
            last edited by Apr 25, 2014, 1:58 PM

            @Gertjan:

            Not a good idea.
            These requests will trigger the portal login page, which will not be shown to someone, as I understood it concerns background polling of cell phones etc.
            But: finally, the user would open up his Facebook account ….. and be unable to log in to the portal interface because it blocked that user. The guy will look for you to unblock him (hummm, so you can tell him he is punished because his device is hammering your network  ;)).

            I don't know if the 'log' daemon of pfSense supports discarding - if it does, think about throwing away multiple "mod_evasive.c" lines.

            Good point. Clients need to pay first before I 'unblock' them :-) (I implemented an online pay system above the captive portal)

            When I look at the source of 'mod_evasive.c', the max_connections is actually a config property (cannot see yet where it is set) and if I like I can remove the log rule.

            
            if (conns_by_ip > p->conf.max_conns) {
                log_error_write(srv, __FILE__, __LINE__, "ss",
                                inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
                                "turned away. Too many connections.");
                con->http_status = 403;
                con->mode = DIRECT;
                return HANDLER_FINISHED;
            }
            
            

            Thanks!

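The thread asks whether a per-IP limit like the `conns_by_ip > p->conf.max_conns` check above counts requests per minute or connections open at the same moment. The following is an added example, not lighttpd or pfSense code: a simplified model of a concurrent-connection check built around that comparison. The connection table, all function names, and the 192.0.2.x documentation addresses are hypothetical, and it assumes the new connection itself is included in the count.

```c
#include <stdio.h>
#include <string.h>
#define MAX_TRACKED 64

/* Hypothetical connection table: one slot per open TCP connection to the portal. */
struct conn { char ip[46]; int open; };
static struct conn table[MAX_TRACKED];

/* Number of connections currently open from this address. */
int open_conns_from(const char *ip) {
    int n = 0;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (table[i].open && strcmp(table[i].ip, ip) == 0) n++;
    return n;
}

/* Returns a slot index, -1 if turned away (the 403 branch), -2 if the table is full.
 * Assumption: the new connection itself is included in the count. */
int conn_open(const char *ip, int max_conns) {
    if (open_conns_from(ip) + 1 > max_conns) return -1;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].open) continue;
        snprintf(table[i].ip, sizeof table[i].ip, "%s", ip);
        table[i].open = 1;
        return i;
    }
    return -2;
}

void conn_close(int slot) {
    if (slot >= 0 && slot < MAX_TRACKED) table[slot].open = 0;
}

/* Open n connections from ip. hold=0: each is closed before the next opens
 * (sequential requests); hold=1: all stay open at once (parallel keep-alives).
 * Returns how many were turned away. */
int turned_away(const char *ip, int n, int max_conns, int hold) {
    int held[MAX_TRACKED], used = 0, rejected = 0;
    for (int i = 0; i < n; i++) {
        int s = conn_open(ip, max_conns);
        if (s < 0) rejected++;
        else if (hold) held[used++] = s;
        else conn_close(s);
    }
    while (used > 0) conn_close(held[--used]);
    return rejected;
}

int main(void) {
    printf("100 sequential, limit 4: %d\n", turned_away("192.0.2.10", 100, 4, 0));
    printf("6 held open, limit 4: %d\n", turned_away("192.0.2.10", 6, 4, 1));
    return 0;
}
```

In this model the request rate never matters: only the number of connections a single address holds open at the instant a new one arrives.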
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.