Author Topic: Prevent too many connect attempts.  (Read 783 times)

kapibara

  • Sr. Member
  • ****
  • Posts: 493
Prevent too many connect attempts.
« on: December 04, 2018, 04:31:04 am »
Using Indy for a TCP/IP server, is it possible to prevent a user from trying to connect too often?
Lazarus trunk / fpc 3.0.4 / Debian Stretch 64-bit

sash

  • Full Member
  • ***
  • Posts: 158
Re: Prevent too many connect attempts.
« Reply #1 on: December 04, 2018, 10:58:19 am »
Broad answer to a broad question:
On the server side, you cannot prevent anything one does on the other (client) side.

However, on a server you can limit (drop) connections by their max total number, or based on some session mechanism.
Lazarus 1.8.4 Unversioned directory FPC 3.0.4 x86_64-linux-gtk2 -- Ubuntu 18.04 XFCE

Thaddy

  • Hero Member
  • *****
  • Posts: 7182
Re: Prevent too many connect attempts.
« Reply #2 on: December 04, 2018, 11:54:57 am »
Yes, you need a simple stack per connection that pushes the IP address and drops the connection on sizeof(stack).
A better way is to use some software like fail2ban, which does that for you. It is only a first line of defense, mind you, but that is what I use - among other protections - and it works.

Software similar to fail2ban can be written in fpc, if you are a purist, but I would not take the trouble.
https://en.wikipedia.org/wiki/Fail2ban which also links to similar industry standards.

I personally have much pleasure in finding out the idiots....and reading logs.. 8-)
« Last Edit: December 04, 2018, 12:03:39 pm by Thaddy »
inline variables like in D10.3 are a bit like Brexit: if you are given the wrong information it sounds like a good idea. Every kid loves candy, but it makes you fat and your teeth will disappear.

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 515
    • Lebeau Software
Re: Prevent too many connect attempts.
« Reply #3 on: December 04, 2018, 08:47:18 pm »
Using Indy for a TCP/IP server, is it possible to prevent a user from trying to connect too often?

Not directly, no.  You would have to keep track of client information over time (IP, username, whatever), and then whenever a new client connects, close that connection immediately if that client is already being tracked and it is too soon for that client to be allowed to reconnect.

On Windows only, a slight variation of this would be to define your own class that derives from Indy's TIdStackWindows class, and then call Indy's IdStack.SetStackClass() function during app startup.  Have your derived class override the virtual Accept() method to call Winsock's WSAAccept() function instead of the BSD-style accept() function that TIdStackWindows.Accept() calls by default.  WSAAccept() allows you to use a callback function to accept/reject clients while they are still in the server socket's backlog before they are accepted by the application.  Thus, Indy would not even see any clients that you decided to reject, and so won't waste any time and resources on them.

That being said, this is probably something that would be better handled using a load balancer, firewall, etc., sitting in front of the server, not handled in the server's own code.
« Last Edit: December 04, 2018, 08:58:26 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
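
The tracking described in the reply above (remember each client, close a new connection that arrives too soon), sketched in Free Pascal as an added example that is not part of the thread or of Indy. TConnectGate, the 10-second gap and the peer addresses are assumptions; the OnConnect hook appears only as a comment so the program builds without Indy.

```pascal
program ConnectGateDemo;
{$mode objfpc}{$H+}
uses {$IFDEF UNIX}cthreads,{$ENDIF} SysUtils, SyncObjs, DateUtils, fgl;
type
  TLastSeenMap = specialize TFPGMap<string, TDateTime>;
  // Hypothetical helper, not part of Indy: last connect attempt per peer IP.
  TConnectGate = class
    FLock: TCriticalSection;
    FLastSeen: TLastSeenMap;
    FMinGapSec: Integer;  // assumed policy: minimum seconds between attempts
    constructor Create(AMinGapSec: Integer);
    destructor Destroy; override;
    function Allow(const APeerIP: string; ANow: TDateTime): Boolean;
  end;

constructor TConnectGate.Create(AMinGapSec: Integer);
begin
  FLock := TCriticalSection.Create;
  FLastSeen := TLastSeenMap.Create;
  FMinGapSec := AMinGapSec;
end;
destructor TConnectGate.Destroy;
begin
  FLastSeen.Free; FLock.Free;
  inherited Destroy;
end;

function TConnectGate.Allow(const APeerIP: string; ANow: TDateTime): Boolean;
var i: Integer;
begin
  FLock.Acquire;  // Indy runs OnConnect in one thread per client
  try
    for i := FLastSeen.Count - 1 downto 0 do  // prune so the table stays bounded
      if SecondsBetween(ANow, FLastSeen.Data[i]) >= FMinGapSec then FLastSeen.Delete(i);
    Result := FLastSeen.IndexOf(APeerIP) < 0;  // still tracked means too soon
    FLastSeen[APeerIP] := ANow;  // every attempt, accepted or not, restarts the wait
  finally
    FLock.Release;
  end;
end;

var Gate: TConnectGate; T0: TDateTime;
begin
  // Indy hook: in TIdTCPServer.OnConnect, if not Gate.Allow(AContext.Binding.PeerIP, Now) then AContext.Connection.Disconnect;
  Gate := TConnectGate.Create(10);
  T0 := Now;  // constructed peers (documentation addresses) and offsets follow
  WriteLn('203.0.113.5  +0s:  ', Gate.Allow('203.0.113.5', T0));
  WriteLn('203.0.113.5  +3s:  ', Gate.Allow('203.0.113.5', IncSecond(T0, 3)));
  WriteLn('198.51.100.7 +4s:  ', Gate.Allow('198.51.100.7', IncSecond(T0, 4)));
  WriteLn('203.0.113.5  +20s: ', Gate.Allow('203.0.113.5', IncSecond(T0, 20)));
  Gate.Free;
end.
```

Keying on the peer IP treats every client behind one NAT address as the same client, so the gap has to be chosen with that in mind. By the time OnConnect fires the connection has already been accepted, which is why the replies point to a firewall, load balancer or fail2ban for rejecting earlier.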

kapibara

  • Sr. Member
  • ****
  • Posts: 493
Re: Prevent too many connect attempts.
« Reply #4 on: December 05, 2018, 02:36:44 am »
Thanks, then I'll handle it with software outside of the server code.
Lazarus trunk / fpc 3.0.4 / Debian Stretch 64-bit