Nginx – How to find the connection time-out value in linux

ddoskeepalivenginxtimeout

I am setting up a nginx webserver with php-fpm and (d)dos deflate to ban attacks.

Now currently there is no traffic to my server at all, as i'm testing things.

With this command i can see who is connected to my server, and how many connections they have open:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort
-n

During testing I noticed that when I would load a test script which is basicly <?php phpinfo(); ?> it would start 3 connections. I guess 1 for the HTML an 2 for the 2 images on that page. All is fine so far…

But I noticed it took well over a minute before those 3 connections where closed. I kept running the above netstat command to see if those 3 external connections would close.

My nginx.conf has a keep alive timeout of 4.

  keepalive_timeout       4;

The connection was made via a default setup Chrome browser.

How come those connections stayed open so long, and is this normal? Also, is there a way I can close them sooner?

Best Answer

You can increase or decrease timeouts on TCP sockets using the file tcp_keepalive_time found on the directory /proc/sys/net/ipv4/ .

The default timeout value is 7200 (2 hours).

For example, to change into 1200 seconds issue the command as below:

#echo 1200 > /proc/sys/net/ipv4/tcp_keepalive_time

Related Solutions

Iis – the IIS7 default keepalive time

The default connection timeout in IIS7 is 2 minutes. Click on your web site in IIS Mgr, click Advanced Settings, and expand Connection Limits. The Connection Timeout (Seconds) setting is what governs this. If IIS doesn't receive activity on a connection for this duration then it will time the connection out. This is regardless of whether or not the connection was requested as a keep-alive. You will, of course, have to have keep-alives enabled for this to be a "keep-alive timeout". Keep-alive is enabled by default in IIS.

You can also set it for the site in the applicationHost.config file using the <limits> and the connectionTimeout attribute.

<limits connectionTimeout="00:02:00" />

This will set the timeout value to 2 minutes.

Linux Apache DDOS – How to Find Out IPs During a DDOS Attack

tail -n 10000 yourweblog.log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more

Take a look at the top IP addresses. If any stand out from the others, those would be the ones to firewall.

netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

This will look at the currently active connections to see if there are any IPs connecting to port 80. You might need to alter the cut -c 45- as the IP address may not start at column 45. If someone was doing a UDP flood to your webserver, this would pick it up as well.

On the off chance that neither of these show any IPs that are excessively out of the norm, you would need to assume that you have a botnet attacking you and would need to look for particular patterns in the logs to see what they are doing. A common attack against wordpress sites is:

GET /index.php? HTTP/1.0

If you look through the access logs for your website, you might be able to do something like:

cut -f 2 -d '"' yourweblog.log|cut -f 2 -d ' '|sort|uniq -c|sort -nr|more

which would show you the most commonly hit URLs. You might find that they are hitting a particular script rather than loading the entire site.

cut -f 4 -d '"' yourweblog.log|sort|uniq -c|sort -nr|more

would allow you to see common UserAgents. It is possible that they are using a single UserAgent in their attack.

The trick is to find something in common with the attack traffic that doesn't exist in your normal traffic and then filter that through iptables, mod_rewrite or upstream with your webhost. If you are getting hit with Slowloris, Apache 2.2.15 now has the reqtimeout module which allows you to configure some settings to better protect against Slowloris.

Best Answer

Related Solutions

Iis – the IIS7 default keepalive time

Linux Apache DDOS – How to Find Out IPs During a DDOS Attack

Related Topic