Configuring connection limits
Host connection limits in Kerio Control 9.0 and later
Limiting the number of TCPTransmission Control Protocol - ensures packet transmission. and UDPUser Datagram Protocol - ensures packet transmission. connections within your network helps protect your business against denial of service (DoSDenial of Service - An attack that can overload the server and makes it unavailable to users.) attacks.
You can set connection limits based on:
- A source IP addressAn identifier assigned to devices connected to a TCP/IP network. (the host initiating the connection)
- A destination IP address (the host the connection is made to)
Kerio Control lets you create exceptions to change the limits or disable limits for specific address groups.
Kerio Control keeps track of the number of connections made from, or to, each active host in the network. For more information refer to Monitoring active hosts. It also blocks connections from malicious hosts.
Kerio Control connection limits apply to both IPv4Version 4 of the Internet Protocol. and IPv6Version 6 of the Internet Protocol. IP addresses.
The connection limits are enabled and set to the values shown here by default:
- Limit maximum concurrent connections from 1 source IP address: 600
- Limit new connections per minute from 1 source IP address: 600
- Limit maximum concurrent inbound connections to 1 destination IP address: 1200
- Limit maximum concurrent inbound connections to 1 destination IP address from the same source: 100
After reaching the connection limit, Kerio Control breaks other connections to/from the host and creates an entry in the warning log.
NOTE
Kerio Control can send system alerts to your email address if a host reaches a connection limit. For more information refer to Using alert messages.
Changing default values
- In the administration interface, go to Security Settings > Connection Limits.
- Change the limits as needed.
- Click Apply.
NOTE
To return to the default state, click Reset.
Disabling connection limits
- In the administration interface, go to Security Settings > Connection Limits
- Clear all check boxes.
- Click Apply.
Kerio Control disables host connection limits.
Excluding an IP address group from all connection limits
To remove connection limits for a specified group of IP addresses, add an exception:
- In the administration interface, go to Definitions > IP Address Groups.
- Add a new group with all the hosts for which you want different connection limits.
- Go to Security Settings > Connection Limits.
- Select Use different settings for any connection from/to this IP address.
- Select the new IP address group from the drop-down list.
- Click Apply.
Kerio Control excludes the IP address group from connection limits.
Setting different limits for specific IP address groups
To set different limits for any connection from/to a specific IP address group:
- In the administration interface, go to Definitions > IP Address Groups.
- Add a new group with all the hosts you want to exclude from counting connection limits.
- Go to Security Settings > Connection Limits.
- Select Use different settings for any connection from/to this IP address.
- Select the new IP address group from the drop-down list.
- Select Limit maximum concurrent connections from 1 source IP address and set a new limit.
- Select Limit new connections per minute from 1 source IP address and set a new limit.
- Click Apply.
Kerio Control changes the limits for the excluded IP addresses.
Host connection limits in Kerio Control 8.6.2 and earlier
Kerio Control counts the number of connections for each active host and its peers in the Kerio Control network.
Note that in this article:
- Host means any active host in Kerio Control.
- Peer means the computer communicating with any active host in the Kerio Control network.
Kerio Control blocks connections from infected hosts or peers. All connections to infected hosts and peers are allowed.
After reaching the connection limit, Kerio Control breaks other connections to/from the host and creates an entry in the warning log.
NOTE
Kerio Control can send system alerts to your email address if a host reaches a connection limit. For more information refer to Using alert messages.
Kerio Control applies connection limits to both IPv4 and IPv6 addresses.
The following connection limits are set by default:
- Single peer (to/from): 100 connections.
- All peers (to/from): 600 connections.
- All peers per minute (to/from): disabled.
Changing default values
- In the administration interface, go to Security Settings > Miscellaneous.
- Change the limits as needed.
NOTE
Incoming and outgoing connections are counted separately.
- Click Apply.
Disabling connection limits
- In the administration interface, go to Security Settings > Miscellaneous
- Deselect Enable connection limit per host.
- Click Apply.
Kerio Control disables host connection limits.
Excluding hosts from restrictions
If you have servers placed behind Kerio Control, you may need to increase or decrease their limits.
Specify exceptions using an IP address group:
- In the administration interface, go to Definitions > IP Address Groups.
- Add a new group with all the hosts you want to exclude from counting connection limits.
- Go to Security Settings > Miscellaneous.
- Select Apply different limits for, and then select the new IP address group.
- Set the limit for a single peer to 50.
- Set the limit for all peers to 1000.
- Click Apply.
Kerio Control excludes the hosts in the group from connection limits.