Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!
« previous next »
Pages: [1]   Go Down

Author Topic: Configure CSF To Prevent DDoS Attacks  (Read 2779 times)

0 Members and 1 Guest are viewing this topic.

sujitht

  • Guest
Configure CSF To Prevent DDoS Attacks
« on: July 29, 2017, 03:54:14 pm »
Configure CSF To Prevent DDoS Attacks
====================================

Most of the cPanel servers will use Config Server Firewall(CSF) settings to prevent their servers. Here, I am going to provide some steps to manage a DDoS attack by tweaking the features in the CSF settings.
To check server is under DDoS attack:
-------------------------------------
You can run the below commands to check whether the server is under attack or not.

To show number of connections and IP address
Code: [Select]
netstat -alpn | grep :80 | awk '{print $4}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -n

If the server has more IP address configured in it, then the above result will help you to find which server IP is under attack.

if the result is huge such as 1000, then you can suppose that the server is under DDoS attack
Tweaking the CSF settings:

1) Open CSF config file.

Code: [Select]
vi /etc/csf/csf.conf

2) Restricting number of simultaneous connections from a single IP would be quite effective in managing DDOS attacks. So reduce the value of CT_Limit to a reasonable range . Here I am changing it to 50

CT_LIMIT=50

3) Change the connection tracking interval CT_INTERVAL

CT_INTERVEAL=30

Here, the connection tracking value is set to 30 seconds which is recommendable. If you decrease the interval to some lower value, then there will be a chance to generate false positives and will block legit connections.

4) To enable protection for particular port, you can specify them in the configuration variable ‘CT_PORTS’. For eg. In majority of the cases DDOS will be targeted to webserver and DNS server.  So the port numbers to be specified during such instances for a default installation are 80 and 53.

In the below example I am tweaking the protection for webserver both for normal and ssl connections

CT_PORTS=80,443


5) By default, SYNFLOOD (SYNFLOOD = “0”) is disabled in CSF. If the server is under SYNFLOOD attack, you make it enable temporarily as below.

 SYNFLOOD = “1"
SYNFLOOD_RATE = “30/s”
SYNFLOOD_BURST = “30"

If 30 connections are received from an IP/sec for 30 times, then it will block the concern IP. You can adjust the SYNFLOOD_BURST rate depends on your server.

6. You can set limit for the number of connections to particular port  by altering the value “CONLIMIT”.

CONNLIMIT = 80;20,443;15


7. Then restart csf

Code: [Select]
/etc/init.d/csf restart

or
Code: [Select]
csf -r
Logged
Pages: [1]   Go Up
« previous next »