
Suggestion for Control host connections exceeded
  •  
pcunix

I am off on "vacation" (an ancient word that means "working somewhere other than home") so cannot conveniently add a feature suggestion myself, but:

Wouldn't it be helpful if the admin could easily set a rule that basically says to snap a log of all connections from the host that just exceeded that limit?


Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
pcunix

This came up because I just had it with a customer.

I was able to find it quickly because the activity was still going on, but that's not always the case - sometimes this stuff is bursty, hence my suggestion.

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
Brian (GFI/Kerio)

Why were you interested in knowing the activities of the offending host?
What was the corresponding course of action from you?
In this particular situation, was the offending host local/trusted to your network, was it a known remote host, or was it an anonymous remote host?

Brian Carmichael
Instructional Content Architect
  •  
pcunix

Um, of course you need to know the activities to determine WHY it hit the connection limit!

In the case I had this morning, it was the mailserver but mail logs showed no unusual activity. Fortunately the activity was still going on so I was able to quickly identify it by setting Packet Dump in Debug to

addr=(mailserver internal ip) & port !=443 & port !=993 & port != 25

Turned out to be somebody in Turkey trying to hack Webmail.

In other cases, though, the evidence hasn't been present when I go to look. It would save a lot of effort if the thing just dumped a log at the time the limit is reached.

Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
  •  
Brian (GFI/Kerio)

It does report to the security log; however, it might be helpful to include the attempted protocol which caused the connection limit to become enforced for that host. This way you have a slightly better indication of what the offending host was trying to do.

Are you using the 8.6 version? In this release we have the ability to distinguish between peers and hosts. So in this case you could set separate values for a single peer, vs. connections for all peers. By default, each host is assigned a limit of 100 connections with a single peer, and 600 connections for all peers. So in your case, the offending host in Turkey would consume a max of 100 connections, allowing still 500 for other peers.

Brian Carmichael
Instructional Content Architect
  •  
pcunix

No, he's on 8.5.

Yes, reporting the protocol makes sense. But dumping a log of all connections would tell more. That wouldn't be hard.


Tony Lawrence
Kerio Preferred Partner and Reseller
Certified for Connect, Control
http://aplawrence.com
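
A small model of what this thread discusses, added here as an illustration (not Kerio's code and not posted by either participant): it applies the 100 per-peer and 600 all-peers defaults quoted above and captures the host's whole connection table at the moment a limit trips. The class and function names, the addresses and port 8443 are constructed assumptions; connection close and timeout are not modelled.

```python
from collections import Counter

PER_PEER_LIMIT = 100   # default quoted in the thread: one host to a single peer
ALL_PEERS_LIMIT = 600  # default quoted in the thread: one host to all peers


class HostConnTracker:
    """Hypothetical model of one host's connection table (not Kerio code)."""

    def __init__(self, host):
        self.host = host
        self.conns = Counter()   # (peer, port) -> open connection count
        self.snapshots = []      # evidence captured when a limit is hit
        self._tripped = set()    # limits already snapshotted in this burst

    def _peer_total(self, peer):
        return sum(n for (p, _), n in self.conns.items() if p == peer)

    def open(self, peer, port):
        """Admit or refuse a connection; snapshot once per tripped limit."""
        if self._peer_total(peer) >= PER_PEER_LIMIT:
            reason = ("per-peer", peer)
        elif sum(self.conns.values()) >= ALL_PEERS_LIMIT:
            reason = ("all-peers", None)
        else:
            self.conns[(peer, port)] += 1
            return True
        if reason not in self._tripped:      # avoid one snapshot per refused packet
            self._tripped.add(reason)
            self.snapshots.append({
                "reason": reason[0],
                "trigger": (peer, port),     # what was being attempted
                "table": dict(self.conns),   # every connection open at that moment
            })
        return False


def simulate():
    # Constructed traffic: documentation-range addresses, made-up port 8443
    t = HostConnTracker("mailserver")
    for _ in range(40):
        t.open("192.0.2.10", 25)             # ordinary SMTP peer
    refused = sum(not t.open("203.0.113.7", 8443) for _ in range(150))  # noisy peer
    return t, refused


if __name__ == "__main__":
    tracker, refused = simulate()
    print(refused, tracker.snapshots)
```

Because the snapshot is taken when the limit trips, the peer and port responsible stay on record even if the burst has ended by the time anyone looks.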