All systems should run on Debian 7 or newer, however officially Debian 7 is supported and tested.
- Consider using RBENV
- Compile requried ruby version
- Phusion passenger
- Postgresql (requires postgresql-contrib package)
Registry application is not tested with multi-threaded system (such as Puma) and it's not officially supported. Please use multi-process system instead (Passenger, Unicorn, Mongrel)
Use Phusion Passenger official debian packages NB! Passenger runtime does not depend on ruby version, thus you can use multiple different ruby version apps with same passenger install.
We also recommend to investigate Passenger Optimization Guide for proper configuration.
Please install following lib, otherwise your bundler install might not be successful.
sudo apt-get install libxml2-dev
sudo apt-get install libxrender1 libfontconfig1
cd /home/registry
git clone https://github.com/sstephenson/rbenv.git /home/registry/.rbenv
git clone https://github.com/sstephenson/ruby-build.git /home/registry/.rbenv/plugins/ruby-build
cd .rbenv
git pull origin master
cd plugins/ruby-build
git pull origin master
First increase the maximum possible value form 20 to 100 of the hitcount parameter. ip_pkt_list_tot of the xt_recent kernel module. Secondly change /proc/xt_recent/ permissions so, epp user can modify the tables. This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains:
options xt_recent ip_pkt_list_tot=100 ip_list_uid=eppuseruid ip_list_gid=eppusergid
Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system.
#!/bin/bash
iptables -A INPUT -p tcp --dport 443 -m recent --name repp --rcheck --seconds 60 --hitcount 25 -j DROP
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m recent --set --rsource --name repp -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m recent --name rwhois --rcheck --seconds 60 --hitcount 25 -j DROP
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --rsource --name rwhois -j ACCEPT
#!/bin/bash
iptables -A INPUT -p tcp --dport 43 -m recent --name whois --rsource --rcheck --seconds 60 --hitcount 25 -j LOG --log-prefix "whois limit: " --log-level warning
iptables -A INPUT -p tcp --dport 43 -m recent --name whois --rsource --rcheck --seconds 60 --hitcount 25 -j REJECT
iptables -A INPUT -p tcp --dport 43 -m recent --set --rsource --name whois -j ACCEPT
Iptables hitcounter is updated by application. For every registrar there is one recent table, where the request counters are stored, registrar handles and sources ips are "connected" with iptables rules.
#!/bin/bash
iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR_SOURCE -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP
iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR_SOURCE2 -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP
iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR2_SOURCE -m recent --name $REGISTRAR2_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP
iptables -A INPUT -p tcp --dport 700 -s $REGISTRAR2_SOURCE2 -m recent --name $REGISTRAR2_CODE --rdest --rcheck --hitcount 100 --seconds 60 -j DROP