Friday, June 19, 2015

mod_bw vs mod_bwshare vs mod_cband

I know there is a lot of confusion over what to use and how to use it. This is what I've been able to gather from lightly looking over the documentation:

mod_bw: Limits every user to a specific amount of bandwidth, or limits the amount of bandwidth per file type or file size.
Once you've run "apt-get install libapache2-mod-bw" and restarted apache2, you can enter one of the configurations below in the custom directives for each subdomain:

Limit every user to a max of 10Kb/s on a vhost:
<IfModule mod_bw.c>
BandwidthModule On
ForceBandWidthModule On
Bandwidth all 10240
MinBandwidth all -1
</IfModule>

Limit all internal users to 1000 kb/s with a minimum of 50 kb/s, and
files greater than 500 kb to 50 kb/s.
<IfModule mod_bw.c>
BandwidthModule On
ForceBandWidthModule On
Bandwidth all 1024000
MinBandwidth all 50000
LargeFileLimit * 500 50000
</IfModule>

Limit avi and mpg extensions to 20kb/s.
<IfModule mod_bw.c>
BandwidthModule On
ForceBandWidthModule On
LargeFileLimit .avi 1 20000
LargeFileLimit .mpg 1 20000
</IfModule>

mod_bwshare: Limits how much bandwidth can be consumed within a specified amount of time per IP, from a specific directory or the whole site.
Once you've run "apt-get install libapache2-mod-bwshare" and restarted apache2, you can enter one of the configurations below in the custom directives for each subdomain:

<IfModule mod_bwshare.c>
BW_tx1debt_max          25
BW_tx1cred_rate         0.095
BW_tx2debt_max          3000000
BW_tx2cred_rate         2500
</IfModule>
* I won't attempt to explain these parameters here, but you can find explanations here: http://www.topology.org/src/bwshare/README.html#config

mod_cband: Limits users' and virtual hosts' bandwidth usage. The current versions can set bandwidth quotas per virtual host and per user, a maximum download speed (like mod_bandwidth), a requests-per-second limit and a maximum number of simultaneous connections per IP (like mod_limitipconn), and can limit how much bandwidth is consumed within a specified amount of time from a specific directory or the whole site.
Once you've run "apt-get install libapache2-mod-cband" and restarted apache2, you can enter one of the configurations below in the custom directives for each subdomain:

Limit each user to 256k, 3 requests per second and 3 open connections; users who exceed that drop to 128k until they stop clicking on links for a few seconds:
<IfModule mod_cband.c>
CBandRemoteSpeed 256Kbps 3 3
CBandExceededSpeed 128kbps 2 3
</IfModule>
More examples here: http://dembol.org/blog/mod_cband/faq/
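Whichever module you pick, the cap is only worth something if a client actually sees it. The script below is an added example, not part of the original post or of any of the three modules: it downloads a test file from the throttled vhost and compares the average rate curl reports (bytes per second, the unit mod_bw's Bandwidth directive uses) with the cap you configured. The URL and the file name in the usage line are placeholders; if your cap is expressed in bits (mod_cband's kbps), convert it to bytes per second before passing it in.

```shell
#!/bin/sh
# Added example (not from the original post or from any of the modules):
# verify that a configured cap is actually enforced by measuring the rate a
# client receives. curl's %{speed_download} is an average in bytes per second,
# which is what mod_bw's Bandwidth directive takes; convert first if the cap
# was configured in bits (mod_cband's kbps) before comparing.

# speed_ok MEASURED LIMIT [TOLERANCE_PCT]
# True when MEASURED (bytes/s, may carry decimals as curl prints it) is at
# most LIMIT plus TOLERANCE_PCT percent; the default of 10 % absorbs rounding
# and measurement noise.
speed_ok() {
    awk -v m="$1" -v l="$2" -v t="${3:-10}" \
        'BEGIN { exit (m + 0 <= l * (1 + t / 100)) ? 0 : 1 }'
}

# measure_speed URL: download to /dev/null and print the average rate in bytes/s
measure_speed() {
    curl -sS -o /dev/null -w '%{speed_download}\n' "$1"
}

# check_cap URL LIMIT: measure URL and compare the result with LIMIT bytes/s
check_cap() {
    rate=$(measure_speed "$1") || return 2
    if speed_ok "$rate" "$2"; then
        echo "OK: $1 arrived at $rate B/s (cap $2 B/s)"
    else
        echo "CAP NOT ENFORCED: $1 arrived at $rate B/s, cap is $2 B/s" >&2
        return 1
    fi
}

# usage (placeholder URL): check_cap http://vhost.example/test-1mb.bin 10240
# Use a file large enough for the transfer to last several seconds, otherwise
# the transfer ends before a stable average forms.
```

Run it from a client outside the server (a throttle measured over the loopback interface tells you nothing about what users get), and test the file types and sizes your LargeFileLimit rules single out, not just one generic file.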

Wednesday, May 27, 2015

How to get all your mail going out of one IP address with POSTFIX

If you have multiple IPs (eth0, eth0:0, etc.) on a server running Postfix, chances are you will run into the problem of Postfix not sending mail from the IP that has the matching MX record.

When this happens most of the mail servers will label your mail as SPAM and/or reject it.

You can force Postfix to use the main server's IP address by adding the following line to your /etc/postfix/main.cf:
smtp_bind_address = 1.1.1.1

*You would replace 1.1.1.1 with the main IP of your own server.
Restart Postfix with /etc/init.d/postfix restart

This might cause mail to back up on the server if you have other services that need a configuration tweak to keep working correctly; check your mail queue with this:
postqueue -p

If you see mail backing up in that queue for failed connections to 127.0.0.1, then you might have to start making some tweaks. If not, then you should be OK.


If you have AMAVIS running on the server then you might need to make this tweak for AMAVIS to work properly. Create the file /etc/amavis/conf.d/60-custom and add the following line:
@inet_acl = qw( 127.0.0.1 [::1] 1.1.1.1 );

Restart AMAVIS with /etc/init.d/amavis restart

Now check the Postfix queue with postqueue -p again. If there is any mail still there, try flushing it out with postqueue -f, then recheck it after a couple of seconds with postqueue -p again. It should all be gone now.
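The two checks in this post (is anything stuck on a connection to 127.0.0.1, and does the bind address really belong to this host) can be scripted. The block below is an added example and not part of the original post: queue_health reads a postqueue -p listing and counts the messages deferred on 127.0.0.1, and bind_address_is_local asks postconf for smtp_bind_address and looks for it on a local interface. The SAMPLE_QUEUE listing is constructed in postqueue -p's format; the addresses and queue IDs in it are made up.

```shell
#!/bin/sh
# Added example (not from the original post): check the outcome of the
# smtp_bind_address change. queue_health reads `postqueue -p` output and counts
# messages deferred because a connection to 127.0.0.1 failed, which is the
# symptom described above; bind_address_is_local confirms the address in
# main.cf is actually configured on an interface.
# SAMPLE_QUEUE is a constructed listing in postqueue -p's format.

SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Wed May 27 10:00:00  sender@example.com
(connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
                                         alice@example.org

F6E7D8C9B0     5678 Wed May 27 10:01:00  sender@example.com
(host mx.example.net[203.0.113.5] said: 450 4.7.1 try again later)
                                         bob@example.net

-- 6 Kbytes in 2 Requests.'

# count_queued: total messages, taken from the summary line (0 when the queue
# is empty, because postqueue then prints only "Mail queue is empty")
count_queued() {
    awk '/^-- / { for (i = 1; i <= NF; i++) if ($i == "in") n = $(i + 1) }
         END { print n + 0 }'
}

# count_local_deferred: messages whose deferral reason mentions 127.0.0.1
count_local_deferred() {
    awk '/^\(.*127\.0\.0\.1/ { n++ } END { print n + 0 }'
}

# queue_health: read a listing on stdin; exit 0 when nothing is stuck on
# localhost, 1 when something is (the AMAVIS @inet_acl tweak is then the
# first thing to look at)
queue_health() {
    listing=$(cat)
    total=$(printf '%s\n' "$listing" | count_queued)
    stuck=$(printf '%s\n' "$listing" | count_local_deferred)
    echo "queued: $total, deferred on 127.0.0.1: $stuck"
    [ "$stuck" -eq 0 ]
}

# bind_address_is_local: does the address Postfix binds to exist on this host?
# (IPv4 only; `ip -o -4 addr show` prints one "inet A.B.C.D/len" per address)
bind_address_is_local() {
    addr=$(postconf -h smtp_bind_address) || return 2
    [ -n "$addr" ] || { echo "smtp_bind_address is not set" >&2; return 1; }
    ip -o -4 addr show | grep -q "inet $addr/" \
        || { echo "$addr is not configured on any interface" >&2; return 1; }
}

# usage on a live server:  postqueue -p | queue_health && bind_address_is_local
printf '%s\n' "$SAMPLE_QUEUE" | queue_health || echo "sample queue has mail stuck on localhost"
```

On the sample listing the first message is the one the post describes (Postfix handing mail to the content filter on 127.0.0.1:10024 and being refused); the second is an ordinary remote deferral and is not counted, so a non-zero "stuck" figure points at the local service chain rather than at the receiving side.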

Thursday, May 14, 2015

Keeping the Botters, China and miscreants away.

On a daily basis I trawl through my FAIL2BAN mail folder to see who is "ding-dong ditching" or whatever the term of the day is.

My Fail2Ban is set up to send me mail every time it bans an IP. Repeat offenders get the firewall treatment. I run a filter to move the mails to a separate folder of the same name.

I end up using iptables to block the repeat offenders. They are just wasting your precious resources.

This is what I use so far:

iptables -I INPUT -m iprange --src-range 107.160.0.0-107.160.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 111.72.0.0-111.79.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 114.96.0.0-114.103.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 120.192.0.0-120.255.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 121.254.128.0-121.254.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 163.177.0.0-163.177.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 183.0.0.0-183.63.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 185.60.229.0-185.60.229.255 -j DROP
iptables -I INPUT -m iprange --src-range 187.1.16.0-187.1.31.255 -j DROP
iptables -I INPUT -m iprange --src-range 189.213.72.1-189.213.79.254 -j DROP
iptables -I INPUT -m iprange --src-range 194.63.142.0-194.63.142.255 -j DROP
iptables -I INPUT -m iprange --src-range 219.234.174.0-219.234.174.191 -j DROP
iptables -I INPUT -m iprange --src-range 222.184.0.0-222.191.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 27.255.64.0-27.255.95.255 -j DROP
iptables -I INPUT -m iprange --src-range 59.99.0.0-59.99.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 60.166.0.0-60.175.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 61.176.0.0-61.176.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 80.82.64.0-80.82.79.255 -j DROP
iptables -I INPUT -m iprange --src-range 81.17.88.0-81.17.95.255 -j DROP
iptables -I INPUT -m iprange --src-range 89.248.174.0-89.248.174.127 -j DROP
iptables -I INPUT -m iprange --src-range 93.174.88.0-93.174.95.255 -j DROP
iptables -I INPUT -m iprange --src-range 192.99.0.0-192.99.255.255 -j DROP
iptables -I INPUT -m iprange --src-range 122.228.228.0-122.228.228.15 -j DROP

This has reduced my Fail2Ban folder from 45+ emails a day to 10 at most.

I still get the occasional flurry, but you firewall the IP range and you're done.

I can handle sending out 10 abuse mail forwards a day.
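Once the list grows past a screenful, typing each rule by hand gets error-prone: a typo in a range silently blocks the wrong addresses, and re-running the commands after a reboot inserts every rule twice. The script below is an added example, not part of the original post: it keeps the ranges in a file, validates each one (well-formed dotted quads, start not above end), skips a rule that is already present using iptables -C, and with DRY_RUN=1 only prints what it would do. The SAMPLE_BLOCKLIST ranges are constructed documentation addresses, not the ranges from the post.

```shell
#!/bin/sh
# Added example (not from the original post): keep the DROP list in a file and
# load it with one command instead of typing each rule. Every range is
# validated first, a rule that already exists is not inserted twice
# (iptables -C), and DRY_RUN=1 prints the commands instead of running them.
# SAMPLE_BLOCKLIST is constructed for the example.

SAMPLE_BLOCKLIST='# one start-end range per line, comments allowed
203.0.113.0-203.0.113.255      # constructed: repeat offender range
198.51.100.64-198.51.100.127
192.0.2.100-192.0.2.10         # malformed: end is below start, will be skipped
'

# ip_to_int ADDR: print a dotted quad as a 32-bit integer; fail if malformed
ip_to_int() {
    printf '%s\n' "$1" | awk -F. '
        $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256 {
            printf "%.0f\n", (($1 * 256 + $2) * 256 + $3) * 256 + $4; ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# range_valid START END: both addresses well formed and START <= END
range_valid() {
    s=$(ip_to_int "$1") || return 1
    e=$(ip_to_int "$2") || return 1
    [ "$s" -le "$e" ]
}

# drop_rule START-END: insert the rule unless it is malformed or already present
drop_rule() {
    range=$1
    range_valid "${range%-*}" "${range#*-}" \
        || { echo "skipping malformed range: $range" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -I INPUT -m iprange --src-range $range -j DROP"
        return 0
    fi
    # -C only checks whether the rule exists; insert it only when it does not
    iptables -C INPUT -m iprange --src-range "$range" -j DROP 2>/dev/null \
        || iptables -I INPUT -m iprange --src-range "$range" -j DROP
}

# apply_blocklist: read ranges from stdin (blank lines and # comments ignored);
# exit status is 1 if any line had to be skipped
apply_blocklist() {
    status=0
    while read -r line; do
        set -- ${line%%#*}          # drop the comment, split on whitespace
        [ $# -gt 0 ] || continue    # nothing left on this line
        drop_rule "$1" || status=1
    done
    return $status
}

# usage on a live host:   apply_blocklist < /etc/blocklist.txt
# preview first:          DRY_RUN=1 apply_blocklist < /etc/blocklist.txt
printf '%s' "$SAMPLE_BLOCKLIST" | DRY_RUN=1 apply_blocklist \
    || echo "some lines were skipped, see messages above" >&2
```

Because the rules are inserted with -I they land at the top of INPUT, ahead of any accept rules, exactly as in the post; the -C check keeps the chain from filling up with duplicates when the script is run from a boot-time hook. Keep the file under version control so that a range added in a hurry can be traced back to the Fail2Ban report that prompted it.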

Thursday, April 16, 2015

Disabling root SSH is a very good idea

Found a few good sites with too much information. They all boil down to giving SUDO access to one of your other accounts and disabling SSH access for the root account. You can still log in as root through your datacenter's provisioned KVM, since it emulates a local keyboard and video display, in case you ever get locked out or your IP is banned for some reason.

As a failsafe, you might consider putting the public IP of a trusted source in the
/etc/hosts.allow file in case you get locked out accidentally. That way you know that all you need to do is go to that place to restore access to your account. It could be your office's public IP, your university campus's public IP, or just another server you have control over.

Once you have SUDO access on another account:
Just edit /etc/ssh/sshd_config and make sure the PermitRootLogin line reads as follows: PermitRootLogin no
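The moment of risk is the sshd restart: if the sudo account is not actually usable, or the config has a second PermitRootLogin line that wins, you are back on the KVM console. The block below is an added example, not part of the original post. Two small parsers check config text (sshd keeps the first PermitRootLogin it sees, keyword matching is case-insensitive, and anything after a Match line is conditional), and sshd_preflight runs the live checks on the host: the sudo user exists and is in the sudo group, `sshd -T` resolves PermitRootLogin to no, the trusted IP is listed for sshd in /etc/hosts.allow, and `sshd -t` accepts the file. The two SAMPLE_* fragments are constructed; the user name and IP in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# restarting sshd, so the lock-out the post warns about cannot happen.
# effective_permit_root_login and hosts_allow_has parse config text from stdin;
# sshd_preflight runs the live checks on the current host (as root, because
# `sshd -T` needs to read the host keys).
# The two SAMPLE_* strings are constructed config fragments.

SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
PermitRootLogin no
# a second occurrence is ignored: sshd keeps the FIRST value it sees
permitrootlogin yes
# anything below a Match line is conditional and does not change the global value
Match Address 192.0.2.0/24
    PermitRootLogin yes
'

SAMPLE_HOSTS_ALLOW='# constructed hosts.allow fragment
sshd: 203.0.113.5 198.51.100.0/24
'

# effective_permit_root_login: print the global PermitRootLogin value from an
# sshd_config read on stdin. Prints "default" when the file does not set it;
# the default depends on the OpenSSH version, so check `sshd -T` in that case.
effective_permit_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                                      # comments, blank lines
        tolower($1) == "match" { exit }                               # rest is conditional
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }'
}

# hosts_allow_has IP: is IP listed literally for sshd (or ALL) in a hosts.allow
# read on stdin? IPv4 only, and a network entry such as 198.51.100.0/24 is
# matched as a string, not expanded.
hosts_allow_has() {
    awk -F: -v ip="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            daemons = tolower($1); gsub(/[ \t]/, "", daemons)
            if (daemons !~ /(^|,)(sshd|all)(,|$)/) next
            n = split($2, clients, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (clients[i] == ip) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# sshd_preflight USER TRUSTED_IP: live checks; exit 0 only when all pass
# (the hosts.allow check only warns, since the post presents it as optional)
sshd_preflight() {
    ok=0
    id "$1" >/dev/null 2>&1 && id -nG "$1" | tr ' ' '\n' | grep -qx sudo \
        || { echo "FAIL: $1 does not exist or is not in the sudo group" >&2; ok=1; }
    [ "$(sshd -T 2>/dev/null | awk 'tolower($1) == "permitrootlogin" { print $2 }')" = no ] \
        || { echo "FAIL: sshd -T does not resolve PermitRootLogin to no" >&2; ok=1; }
    hosts_allow_has "$2" < /etc/hosts.allow \
        || echo "WARN: $2 is not listed for sshd in /etc/hosts.allow" >&2
    sshd -t || { echo "FAIL: sshd_config has syntax errors" >&2; ok=1; }
    return $ok
}

# usage (placeholders):  sshd_preflight adminuser 203.0.113.5 && /etc/init.d/ssh restart
printf '%s' "$SAMPLE_SSHD_CONFIG" | effective_permit_root_login
```

The group name is "sudo" as on Debian and Ubuntu; on distributions that use "wheel", change the grep. The safest sequence is still the classic one: keep your current root session open, restart sshd, and open a second connection as the sudo user before you close the first.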