July 20th, 2008 : two lines...
Two lines... That's all what is needed with the new TCP content inspection system to stop half of the spams I got home. One of my major customers who uses HAProxy a lot has sponsored the development of some preliminary content inspection which is used to decide whether to forward a connection or not. The very first usage of this feature consists in checking that only SSL is spoken on a connection. But most likely more protocols will come soon. As a nice side effect, I could now add a delay before the HELO message of my SMTP server, and reject all robots which talk first (forbidden). And since many spam bots have small timeout values, many of them abort before the timeout is reached, resulting in my incoming spam rate dropping from about 300/hour to "only" 150/hour. Those who keep up with the time out slow down due to limited resources. The small addition simply consists in adding those two lines in the frontend :
tcp-request inspect-delay 35s
tcp-request content reject if REQ_CONTENT
在process_cli中增加了一个状态CL_STINSPECT用于处理4层数据规则的状态,这样就很容易根据tcp的内容做判断决定拒绝连接或者如何转发后端等事务。
强!
Two lines... That's all what is needed with the new TCP content inspection system to stop half of the spams I got home. One of my major customers who uses HAProxy a lot has sponsored the development of some preliminary content inspection which is used to decide whether to forward a connection or not. The very first usage of this feature consists in checking that only SSL is spoken on a connection. But most likely more protocols will come soon. As a nice side effect, I could now add a delay before the HELO message of my SMTP server, and reject all robots which talk first (forbidden). And since many spam bots have small timeout values, many of them abort before the timeout is reached, resulting in my incoming spam rate dropping from about 300/hour to "only" 150/hour. Those who keep up with the time out slow down due to limited resources. The small addition simply consists in adding those two lines in the frontend :
tcp-request inspect-delay 35s
tcp-request content reject if REQ_CONTENT
在process_cli中增加了一个状态CL_STINSPECT用于处理4层数据规则的状态,这样就很容易根据tcp的内容做判断决定拒绝连接或者如何转发后端等事务。
强!
扫一扫
1514
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
