How to prevent DDoS attacks with the CSF firewall?

Preventing DDoS attacks with the CSF firewall.

First make sure the DDoS traffic is not caused by an open recursive DNS resolver on your own server. To check and fix that issue, please read this article: Preventing DDoS amplification open resolver attack

This article shows how to configure the CSF firewall so that an intentional DDoS attack on your server can be prevented.

Step 1: open and edit the CSF config file.

vi /etc/csf/csf.conf

Settings:

Enable connection tracking. CT_LIMIT is the maximum number of connections allowed from one IP; set this value according to your server's requirements (the default of 0 leaves connection tracking disabled). Note that csf.conf expects every value in double quotes, as written below.

CT_LIMIT = "100"

Set the connection tracking interval, i.e. the number of seconds between connection tracking scans.

CT_INTERVAL = "30"

If you want an email alert when a possible DDoS attack is detected, enable this.

CT_EMAIL_ALERT = "1"

If you want IP blocks to be permanent, set this to 1; otherwise blocks
will be temporary and will be cleared after CT_BLOCK_TIME seconds.

CT_PERMANENT = "1"

If you opt for temporary IP blocks for CT, the following is the interval
in seconds that the IP remains blocked for (e.g. 1800 = 30 mins).

CT_BLOCK_TIME = "1800"

If you only want to count connections on specific ports (e.g. 80, 443), add the ports
to the following as a comma-separated list, e.g. "80,443".

CT_PORTS = "80,23,443"

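Before settling on a CT_LIMIT it is worth checking how many connections each remote IP currently holds, because that per-IP count is exactly what connection tracking enforces. The script below is an added example written for this page, not code from the original article or from CSF: it reads "ss -Htn" style output (a constructed sample is embedded so it runs anywhere) and prints the peer IPs whose established connection count exceeds a given limit, handling IPv6 peers as well.

```shell
#!/bin/sh
# Added example (not from the original article or CSF): emulate what CSF's
# connection tracking (CT_LIMIT) counts, so you can see which IPs would
# trip a given limit before enabling it.
#
# Input format assumed: one TCP socket per line as printed by `ss -Htn`
# (no header, numeric addresses), i.e. the columns
#   State  Recv-Q  Send-Q  Local:Port  Peer:Port

# connections_over_limit LIMIT: read ss output on stdin and print
# "count ip" for every peer IP with more than LIMIT established
# connections, highest count first.
connections_over_limit() {
    limit="$1"
    awk -v limit="$limit" '
        $1 == "ESTAB" {
            peer = $5
            # Strip the port: IPv4 "10.0.0.5:51234" -> "10.0.0.5",
            # IPv6 "[2001:db8::1]:60000" -> "2001:db8::1"
            if (peer ~ /^\[/) {
                sub(/^\[/, "", peer); sub(/\]:[0-9]+$/, "", peer)
            } else {
                sub(/:[0-9]+$/, "", peer)
            }
            count[peer]++
        }
        END {
            for (ip in count)
                if (count[ip] > limit) print count[ip], ip
        }' | sort -rn
}

# Constructed sample of `ss -Htn` output: 10.0.0.5 holds 4 established
# connections, 10.0.0.9 holds 2 (a TIME-WAIT socket is not counted) and
# the IPv6 peer 2001:db8::1 holds 1.
SAMPLE_SS='ESTAB 0 0 192.0.2.10:80 10.0.0.5:50001
ESTAB 0 0 192.0.2.10:80 10.0.0.5:50002
ESTAB 0 0 192.0.2.10:443 10.0.0.5:50003
ESTAB 0 0 192.0.2.10:443 10.0.0.5:50004
ESTAB 0 0 192.0.2.10:80 10.0.0.9:40001
TIME-WAIT 0 0 192.0.2.10:80 10.0.0.9:40002
ESTAB 0 0 192.0.2.10:22 10.0.0.9:40003
ESTAB 0 0 [2001:db8::10]:443 [2001:db8::1]:60000'

# Run the check against the sample with a deliberately low limit of 3.
# On a live server use:  ss -Htn | connections_over_limit 100
demo_ct_limit_check() {
    printf '%s\n' "$SAMPLE_SS" | connections_over_limit 3
}
```

IPs that show up under normal load are a sign the limit is too low for your traffic (for example many users behind one NAT address), which is where CT_PORTS helps by narrowing the count to the ports that are actually under attack.
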
These settings are enough for most DDoS attacks, but if you still see attacks with the options above configured, a few more options can be set.

Step 2: Enable distributed attack detection

LF_DISTATTACK = "1"

Set the following to the minimum number of unique IP addresses that trigger
LF_DISTATTACK.

LF_DISTATTACK_UNIQ = "2"

Step 3: Enable distributed FTP attack detection

LF_DISTFTP = "1"

Set the following to the minimum number of unique IP addresses that trigger
LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work, so the two
values have to be chosen together (note that the pair shown here does not satisfy
that condition).

LF_DISTFTP_UNIQ = "3"

If this option is set to 1 the blocks will be permanent.
If this option is > 1, the blocks will be temporary for the specified number
of seconds.

LF_DISTFTP_PERM = "1"

Step 4: Enable distributed SMTP attack detection

LF_DISTSMTP = "1"

Set the following to the minimum number of unique IP addresses that trigger
LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work, so again
choose the two values together (the pair shown here does not satisfy that condition).

LF_DISTSMTP_UNIQ = "4"

If this option is set to 1 the blocks will be permanent.
If this option is > 1, the blocks will be temporary for the specified number
of seconds.

LF_DISTSMTP_PERM = "1"

This is the interval, in seconds, during which a distributed FTP or SMTP attack is
measured.

LF_DIST_INTERVAL = "300"
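All the options in steps 1 to 4 are single lines in /etc/csf/csf.conf of the form KEY = "value". Rather than editing them by hand, the script below sets or appends an option idempotently and reads it back. It is an added example, not code from the original article or from CSF; the CSF_CONF variable is an assumption made here, not something CSF defines, and the demo works on a constructed temporary excerpt of csf.conf so it can be run safely on any machine.

```shell
#!/bin/sh
# Added example (not from the original article or CSF): apply csf.conf
# settings from a script so the change is repeatable and verifiable.
# csf.conf stores every option as  KEY = "value"  (double-quoted), which
# is the form written here. Assumes GNU sed (sed -i), as on a Linux host.
#
# CSF_CONF is an assumed variable name: it defaults to the real file and
# the demo below points it at a constructed temporary copy.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# csf_set KEY VALUE: rewrite the existing "KEY = ..." line in place, or
# append the option if the file does not have it. Safe to re-run.
# The pattern anchors on KEY followed by "=", so CT_LIMIT does not touch
# a hypothetical CT_LIMIT_X line.
csf_set() {
    key="$1"; value="$2"
    if grep -q "^${key} *= *" "$CSF_CONF"; then
        sed -i "s|^${key} *= *.*|${key} = \"${value}\"|" "$CSF_CONF"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$CSF_CONF"
    fi
}

# csf_get KEY: print the value of KEY with the surrounding quotes removed
# (also tolerates an unquoted value left by a hand edit).
csf_get() {
    sed -n "s|^${1} *= *\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$CSF_CONF"
}

# Demo on a constructed excerpt of a stock csf.conf: applies the
# connection tracking values from step 1 plus LF_DISTATTACK from step 2
# (absent from the excerpt, so it gets appended) and prints the result.
# Try it:  demo_apply_ct_settings
demo_apply_ct_settings() {
    CSF_CONF=$(mktemp)
    cat > "$CSF_CONF" <<'EOF'
# constructed excerpt of a stock csf.conf
TESTING = "1"
CT_LIMIT = "0"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "0"
CT_BLOCK_TIME = "1800"
CT_PORTS = ""
EOF
    csf_set CT_LIMIT 100
    csf_set CT_PERMANENT 1
    csf_set CT_PORTS "80,23,443"
    csf_set LF_DISTATTACK 1
    grep -E '^(CT_|LF_DIST)' "$CSF_CONF"
    rm -f "$CSF_CONF"
}
```

Leave CSF_CONF at its default to work on the real file, call csf_set once per option, confirm with csf_get, and then run csf -r so CSF reloads the configuration.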

How to set up the CSF firewall on Linux

CSF Firewall setup:

CSF is a very popular firewall. It comes with lots of prebuilt features, and in most cases a simple installation
will protect the server from many known issues. Please check http://configserver.com/cp/csf.html to see all the options and features
available.

Installation

rm -fv csf.tgz

wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Basic configuration:

Port settings:
By default the following ports are open:

TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"

We can remove or add any port as required.
Some important ports to consider:

10000: Webmin default port
2087, 2083, 2086: cPanel ports
26: some servers use port 26 for outgoing mail to bypass ISP limitations

So based on your requirements, please add the necessary ports.

To edit the ports, open the config file in any editor, e.g. vim:

vi /etc/csf/csf.conf

and don't forget to restart CSF afterwards:

service csf restart
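Adding a port means inserting it into the right comma-separated list without breaking the quoting or duplicating an entry that is already there. The functions below are an added example, not code from the article or from CSF; the demo opens the cPanel and Webmin ports named above in a constructed copy of the default TCP_IN line and removes one port again to show the reverse. CSF_CONF is an assumed variable name, not one CSF uses.

```shell
#!/bin/sh
# Added example (not from the original article or CSF): add a port to one
# of csf.conf's comma-separated port lists (TCP_IN, TCP_OUT, UDP_IN, ...)
# without duplicating entries, and remove one again. Values in csf.conf
# are quoted, e.g.  TCP_IN = "20,21,22,..."  Assumes GNU sed (sed -i).
# CSF_CONF is an assumed variable name; it defaults to the real file and
# the demo points it at a constructed temporary copy.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# port_list KEY: print the current comma list for KEY, without quotes.
port_list() {
    sed -n "s|^${1} *= *\"\([^\"]*\)\".*|\1|p" "$CSF_CONF"
}

# has_port LIST PORT: succeed if PORT appears as a whole item in LIST
# (wrapping both in commas means 80 does not match inside 8080).
has_port() {
    printf ',%s,' "$1" | grep -q ",$2,"
}

# write_list KEY LIST: rewrite the KEY line with the new quoted list.
# The KEY line must already exist in the file.
write_list() {
    sed -i "s|^${1} *= *.*|${1} = \"${2}\"|" "$CSF_CONF"
}

# add_port KEY PORT: append PORT unless it is already present.
add_port() {
    list=$(port_list "$1")
    has_port "$list" "$2" && return 0
    write_list "$1" "${list:+$list,}$2"
}

# remove_port KEY PORT: drop PORT as a whole item, tidying the commas.
remove_port() {
    list=$(port_list "$1")
    new=$(printf ',%s,' "$list" | sed "s/,$2,/,/g" | sed 's/^,//; s/,$//')
    write_list "$1" "$new"
}

# Demo on a constructed copy of the default TCP_IN line from the article:
# open the cPanel and Webmin ports, try a duplicate, drop 143 (IMAP) as
# an illustration of removal, and print the resulting list.
demo_cpanel_ports() {
    CSF_CONF=$(mktemp)
    printf 'TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"\n' > "$CSF_CONF"
    for p in 2087 2083 2086 10000; do add_port TCP_IN "$p"; done
    add_port TCP_IN 2087      # already present: list is unchanged
    remove_port TCP_IN 143
    port_list TCP_IN
    rm -f "$CSF_CONF"
}
```

Run against the real csf.conf (the default for CSF_CONF) and then restart CSF as shown above so the new rules take effect.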

Blocking predefined IPs:

vi /etc/csf/csf.deny

1.2.3.4
198.168.0.0/16

Allowing predefined IPs:

vi /etc/csf/csf.allow

Edit the above files as required to deny or allow predefined IPs.

IPs can be listed as one single IP per line or one range per line, as above.

Once all the settings are done, switch from testing mode to live mode by
setting TESTING = "0" and restarting CSF with service csf restart.

Basic commands:
CSF comes with many command line options; simply typing csf on the command line shows all the available
commands, but some frequently used ones are:

csf -d <ip address to block>
csf -a <ip address to allow / unblock>
csf -r    (reload rules)