Want to limit the total bandwidth available to a Linux server, and don’t want to do it at the switch or router? Here’s how!

Simply use the Linux traffic control tools as follows. First enter:

tc qdisc add dev eth0 root handle 1: cbq avpkt 1000 bandwidth 100mbit

Now enter the following line. This line sets the bandwidth rate; note the “256kbit”. This will limit our server to 256Kbps.

tc class add dev eth0 parent 1: classid 1:1 cbq rate 256kbit allot 1500 prio 5 bounded isolated

And lastly:

tc filter add dev eth0 parent 1: protocol ip prio 16 u32 match ip dst 0/0 flowid 1:1

For more informtation on how this works, type ‘man tc’ at your console.

The most common attack vector on Linux web servers, is to get something uploaded onto the server that can then be executed. Most of these automated attacks try to put their payload into /tmp, which is universally writable by any user, and then execute it.

But what if they couldn’t execute it?

This is an easy way to beef up your webserver server security a little. Create a 1GB partition on your system, and in your fstab file, add a “noexec flag” like so:

/dev/sda3 /tmp ext3 acl,user_xattr,noexec 1 1

Now, the system will prevent any executable in /tmp from being executed and thus sealing off the most common flaw that allows for most automated attacks to work.

No unallocated space on your disk and don’t want to risk resizing? Use a loopback filesystem.

/dev/loop0 /tmp ext3 acl,user_xattr,noexec 1 1