DDOS/SYN flood prevention settings in CSF

How to prevent DOS Attack using CSF firewall?

CSF (ConfigServer Security & Firewall) is an iptables-based firewall. It is one of the most effective and is commonly used on Linux servers.

You can try to limit a DDoS attack against Apache with the following steps:

1. vim /etc/csf/csf.conf
2. CT_LIMIT = "60"

Here 60 is the maximum number of connections allowed from a single IP to your server.

3. CT_PORTS = "80"

This option specifies the port(s) on which you want connection tracking to apply. Since our aim is to protect Apache, we use port 80.

With the steps above in place, CSF will block any IP that has 60 connections established to port 80 on your server.

Please note: in CT_PORTS you can list any ports you want to protect from DDoS, such as SMTP and POP3. Multiple ports are given in comma-separated form, for example CT_PORTS = "80,25,110".

SYN FLOOD Protection

On a Linux server, you can count connections currently in a SYN state by running the following command over SSH:

netstat -n | grep SYN | wc -l
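The command above counts every line containing SYN, which also includes outbound SYN_SENT connections the server itself is opening. The script below is an added example, not part of the original post: it keeps only inbound half-open SYN_RECV entries and groups them by source address, run here over a constructed netstat -n sample (all addresses are documentation ranges). On a live server, pipe netstat -n into syn_recv_by_src instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `netstat -n` output (not captured from a real host).
# It mixes inbound half-open connections (SYN_RECV), one outbound connection
# attempt (SYN_SENT) and one established connection.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         203.0.113.55:40001      SYN_RECV
tcp6       0      0 2001:db8::1:80          2001:db8::2:40002       SYN_RECV
tcp        0      0 203.0.113.10:44120      192.0.2.9:443           SYN_SENT
tcp        0      0 203.0.113.10:80         192.0.2.77:50210        ESTABLISHED
EOF
)

# The check from the post: counts SYN_SENT as well as SYN_RECV.
naive_syn_count() {
  grep SYN | wc -l | tr -d ' '
}

# Inbound half-open connections only, grouped by source address.
# Reads `netstat -n` format on stdin; field 5 is the foreign address,
# field 6 the state. The trailing :port is stripped so IPv6 still works.
# Output: "<count> <source-ip>", highest count first.
syn_recv_by_src() {
  awk '$6 == "SYN_RECV" { src = $5; sub(/:[0-9]+$/, "", src); n[src]++ }
       END { for (s in n) print n[s], s }' | sort -rn
}

# Total number of inbound half-open connections.
syn_recv_total() {
  syn_recv_by_src | awk '{ t += $1 } END { print t + 0 }'
}

printf 'lines matching SYN      : %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | naive_syn_count)"
printf 'inbound SYN_RECV total  : %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_total)"
printf 'SYN_RECV by source:\n'
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_src
```

A few sources each holding many half-open connections is the case a per-IP limit such as SYNFLOOD_RATE addresses; many sources each holding a single one points to spoofed addresses, which is worth knowing before tuning those values.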

SYN flood protection in CSF is disabled by default. If you are 100% sure you are being SYN flooded, you can enable it with some strict rules, for example:

# Enable SYN flood protection
SYNFLOOD = "1"
# Number of SYN packets to accept per IP, per second
SYNFLOOD_RATE = "50/s"
# Number of times the IP can hit the rate limit before being blocked in the firewall
SYNFLOOD_BURST = "10"

Just make sure you don't set these too strictly when you are not under attack; otherwise they will generate false positives and block legitimate connections.
