Author Topic: Prevent too many connect attempts.  (Read 1947 times)

kapibara

  • Hero Member
  • *****
  • Posts: 504
Prevent too many connect attempts.
« on: December 04, 2018, 04:31:04 am »
Using Indy for a TCP/IP server, is it possible to prevent a user from trying to connect too often?
Lazarus trunk / fpc 3.0.4 / Debian Stretch 64-bit

sash

  • Full Member
  • ***
  • Posts: 234
Re: Prevent too many connect attempts.
« Reply #1 on: December 04, 2018, 10:58:19 am »
Broad answer to a broad question:
On the server side, you cannot prevent anything one does on the other (client) side.

However, on a server you can limit (drop) connections by their max total number, or based on some session mechanism.
Lazarus 2.0.2 FPC 3.0.4 x86_64-linux-gtk2 -- Ubuntu 19.04 XFCE

Thaddy

  • Hero Member
  • *****
  • Posts: 7884
Re: Prevent too many connect attempts.
« Reply #2 on: December 04, 2018, 11:54:57 am »
Yes, you need a simple stack per connection that pushes the IP address and drops the connection on sizeof(stack).
A better way is to use some software like fail2ban which does that for you. It is only a first line of defense, mind you, but that is what I use - among other protections - and it works.

Software similar to fail2ban can be written in fpc, if you are a purist, but I would not take the trouble.
https://en.wikipedia.org/wiki/Fail2ban which also links to similar industry standards.

I personally have much pleasure in finding out the idiots....and reading logs.. 8-)
« Last Edit: December 04, 2018, 12:03:39 pm by Thaddy »
Hamlet 1.4 (nothing wrong with the Danish, btw)

Remy Lebeau

  • Hero Member
  • *****
  • Posts: 607
    • Lebeau Software
Re: Prevent too many connect attempts.
« Reply #3 on: December 04, 2018, 08:47:18 pm »
Using Indy for a TCP/IP server, is it possible to prevent a user from trying to connect too often?

Not directly, no.  You would have to keep track of client information over time (IP, username, whatever), and then whenever a new client connects, close that connection immediately if that client is already being tracked and it is too soon for that client to be allowed to reconnect.

On Windows only, a slight variation of this would be to define your own class that derives from Indy's TIdStackWindows class, and then call Indy's IdStack.SetStackClass() function during app startup.  Have your derived class override the virtual Accept() method to call Winsock's WSAAccept() function instead of the BSD-style accept() function that TIdStackWindows.Accept() calls by default.  WSAAccept() allows you to use a callback function to accept/reject clients while they are still in the server socket's backlog before they are accepted by the application.  Thus, Indy would not even see any clients that you decided to reject, and so won't waste any time and resources on them.

That being said, this is probably something that would be better handled using a load balancer, firewall, etc, sitting in front of the server, not handled in the server's own code.
« Last Edit: December 04, 2018, 08:58:26 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
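
The per-client tracking described in the reply above, as an added Free Pascal example that is not part of the original thread and not Indy code. The class name TConnectThrottle, the 10-second window and the choice to restart the wait on a rejected attempt are assumptions. In a TIdTCPServer.OnConnect handler it would be called as Allow(AContext.Binding.PeerIP, Now), followed by AContext.Connection.Disconnect when it returns False.

```pascal
program ConnectThrottle;  // added example; TConnectThrottle is hypothetical, not Indy
{$mode objfpc}{$H+}
uses SysUtils, SyncObjs, fgl;
type
  TLastSeenMap = specialize TFPGMap<string, TDateTime>;
  TConnectThrottle = class
  private
    FLock: TCriticalSection;  // Indy runs OnConnect in per-client threads
    FLastSeen: TLastSeenMap;  // peer IP -> time of its latest attempt
    FMinSeconds: Integer;
  public
    constructor Create(AMinSeconds: Integer);
    destructor Destroy; override;
    function Allow(const APeerIP: string; ANow: TDateTime): Boolean;
  end;
constructor TConnectThrottle.Create(AMinSeconds: Integer);
begin
  FLock := TCriticalSection.Create;
  FLastSeen := TLastSeenMap.Create;
  FMinSeconds := AMinSeconds;
end;
destructor TConnectThrottle.Destroy;
begin
  FLastSeen.Free; FLock.Free;
  inherited Destroy;
end;
function TConnectThrottle.Allow(const APeerIP: string; ANow: TDateTime): Boolean;
var I: Integer;
begin
  FLock.Acquire;
  try
    // Forget peers whose wait has expired, so the table stays bounded.
    for I := FLastSeen.Count - 1 downto 0 do
      if (ANow - FLastSeen.Data[I]) * SecsPerDay >= FMinSeconds then
        FLastSeen.Delete(I);
    I := FLastSeen.IndexOf(APeerIP);
    Result := I < 0;  // still tracked means reconnecting too soon
    if Result then FLastSeen.Add(APeerIP, ANow)
    else FLastSeen.Data[I] := ANow;  // hammering restarts the wait
  finally FLock.Release; end;
end;
var T: TConnectThrottle; T0: TDateTime;
begin
  T := TConnectThrottle.Create(10);
  T0 := EncodeDate(2018, 12, 4);  // constructed timestamps and address
  WriteLn(T.Allow('192.0.2.10', T0));
  WriteLn(T.Allow('192.0.2.10', T0 + 3 / SecsPerDay));
  WriteLn(T.Allow('192.0.2.10', T0 + 30 / SecsPerDay));
  T.Free;
end.
```

The three calls model a first connect, a retry 3 seconds later and a retry after the window has passed. Keying on peer IP alone treats every client behind one NAT address as a single client.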

kapibara

  • Hero Member
  • *****
  • Posts: 504
Re: Prevent too many connect attempts.
« Reply #4 on: December 05, 2018, 02:36:44 am »
Thanks, then I'll handle it with software outside of the server code.
Lazarus trunk / fpc 3.0.4 / Debian Stretch 64-bit