
CSF Any Insights about CSF blocking dos attacks?

Discussion in 'Centmin Mod Insights' started by rdan, Oct 12, 2014.

  1. rdan

  2. rdan

  3. eva2000

    The alert email is set via the variable LF_ALERT_TO in /etc/csf/csf.conf:

    Code:
    grep ^LF_ALERT_TO /etc/csf/csf.conf
    LF_ALERT_TO = "youremail@yourdomain.com"
    
    All just trial and error testing, tweak and tune ;)

    relevant sections and information
    Code:
    ###############################################################################
    # SECTION:Connection Tracking
    ###############################################################################
    # Connection Tracking. This option enables tracking of all connections from IP
    # addresses to the server. If the total number of connections is greater than
    # this value then the offending IP address is blocked. This can be used to help
    # prevent some types of DOS attack.
    #
    # Care should be taken with this option. It's entirely possible that you will
    # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
    # and HTTP so it could be quite easy to trigger, especially with a lot of
    # closed connections in TIME_WAIT. However, for a server that is prone to DOS
    # attacks this may be very useful. A reasonable setting for this option might
    # be around 300.
    #
    # To disable this feature, set this to 0
    CT_LIMIT = "0"
    
    # Connection Tracking interval. Set this to the number of seconds between
    # connection tracking scans
    CT_INTERVAL = "30"
    
    # Send an email alert if an IP address is blocked due to connection tracking
    CT_EMAIL_ALERT = "1"
    
    # If you want to make IP blocks permanent then set this to 1, otherwise blocks
    # will be temporary and will be cleared after CT_BLOCK_TIME seconds
    CT_PERMANENT = "0"
    
    # If you opt for temporary IP blocks for CT, then the following is the interval
    # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
    CT_BLOCK_TIME = "1800"
    
    # If you don't want to count the TIME_WAIT state against the connection count
    # then set the following to "1"
    CT_SKIP_TIME_WAIT = "0"
    
    # If you only want to count specific states (e.g. SYN_RECV) then add the states
    # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
    #
    # Leave this option empty to count all states against CT_LIMIT
    CT_STATES = ""
    
    # If you only want to count specific ports (e.g. 80,443) then add the ports
    # to the following as a comma separated list. E.g. "80,443"
    #
    # Leave this option empty to count all ports against CT_LIMIT
    CT_PORTS = ""
    
    Code:
    ###############################################################################
    # SECTION:Distributed Attacks
    ###############################################################################
    # Distributed Account Attack. This option will keep track of login failures
    # from distributed IP addresses to a specific application account. If the
    # number of failures matches the trigger value above, ALL of the IP addresses
    # involved in the attack will be blocked according to the temp/perm rules above
    #
    # Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, 
    # LF_HTACCESS
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_DISTATTACK = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTATTACK
    LF_DISTATTACK_UNIQ = "2"
    
    # Distributed FTP Logins. This option will keep track of successful FTP logins.
    # If the number of successful logins to an individual account is at least
    # LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
    # then all of the IP addresses will be blocked
    #
    # This option can help mitigate the common FTP account compromise attacks that
    # use a distributed network of zombies to deface websites
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_DISTFTP = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
    LF_DISTFTP_UNIQ = "6"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTFTP_PERM = "1"
    
    # Distributed SMTP Logins. This option will keep track of successful SMTP
    # logins. If the number of successful logins to an individual account is at
    # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
    # addresses, then all of the IP addresses will be blocked. These options only
    # apply to the exim MTA
    #
    # This option can help mitigate the common SMTP account compromise attacks that
    # use a distributed network of zombies to send spam
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    LF_DISTSMTP = "0"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
    LF_DISTSMTP_UNIQ = "3"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTSMTP_PERM = "1"
    
    # This is the interval during which a distributed FTP or SMTP attack is
    # measured
    LF_DIST_INTERVAL = "300"
    
    # If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
    # path to a script, it will run the script and pass the following as arguments:
    #
    # LF_DISTFTP/LF_DISTSMTP
    # account name
    # log file text
    #
    # The action script must have the execute bit and interpreter (shebang) set
    LF_DIST_ACTION = ""
    
     
  4. rdan

    What about this part:
    How to change it to postfix?
     
  5. rdan

    All that I changed for now is this: CT_LIMIT = 100.
    If it can't stop DoS attacks, then I will move back to SYS.
     
  6. eva2000

    Postfix symlinks to sendmail and vice versa, so you should be able to do so via Postfix AFAIK if you set LF_ALERT_SMTP - try and see.

    Unfortunately, there is only so much you can do for DDoS protection at the software level. So $20/month extra for DDoS protection isn't worth it for you to get a server location closer to your visitors?
     
  7. rdan

    With their Enterprise DDoS Protection my monthly would be $109 USD compared to SYS at only $56 :confused:
     
  8. eva2000

    Guess you have to ask yourself if +$53/month extra is worth it for a better browsing experience for your Asia-centric visitors :)
     
  9. rdan

    Better for them, not for me. hahaha.
     
  10. eva2000

    lol very true - it's a harder task catering for an Asian audience, with average hosting costs being higher :)
     
  11. rdan

    I have CT_INTERVAL = "30"; CT_LIMIT only counts per 30 seconds, right?
    And I have CT_LIMIT = "100".

    So if my server got 101 connections from a single IP in the last 29 seconds, it will automatically block that IP?
    And if I got 101 total connections in the last 60 seconds, it will not block or trigger?
     
  12. rdan

    Indeed, for US/UK/AU citizens, versaweb plans are cheap, but for me from ASIA, nah, they're not :/
    The only cheap option for me is shared hosting that is labeled unlimited storage/unlimited bandwidth hahah.
     
  13. eva2000

    The threshold would be 100 connections from an IP within a 30-second period. So yes, 101 in 29 seconds = blocked, and 101 connections spanning 60 seconds, which is <100 connections within 30 seconds, would be allowed (you could have 1 connection in 30 seconds and 100 in the remaining 30 seconds and get the block, depending on how those 101 connections are made up).
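    As an added example (not from this thread and not CSF's own code), a small Python model of the CT threshold discussed above, using rdan's CT_LIMIT = 100 and CT_INTERVAL = 30 and honouring the CT_STATES, CT_PORTS and CT_SKIP_TIME_WAIT filters quoted earlier. It assumes a simplified scan model in which each CT_INTERVAL window is one scan and a connection is counted only in the window it was opened; the IPs and connection lists are constructed samples.

```python
from collections import Counter, defaultdict

CT_LIMIT = 100     # rdan's setting from the thread
CT_INTERVAL = 30   # seconds between connection tracking scans


def count_connections(conns, ct_states="", ct_ports="", ct_skip_time_wait=0):
    """Count connections per remote IP the way one CT scan would,
    applying the CT_STATES / CT_PORTS / CT_SKIP_TIME_WAIT filters."""
    states = {s.strip() for s in ct_states.split(",") if s.strip()}
    ports = {int(p) for p in ct_ports.split(",") if p.strip()}
    counts = Counter()
    for ip, port, state in conns:          # conns: (remote_ip, local_port, state)
        if ct_skip_time_wait and state == "TIME_WAIT":
            continue
        if states and state not in states:  # empty CT_STATES counts all states
            continue
        if ports and port not in ports:     # empty CT_PORTS counts all ports
            continue
        counts[ip] += 1
    return counts


def ct_scan(conns, ct_limit=CT_LIMIT, **filters):
    """IPs a single scan would block: count strictly greater than CT_LIMIT.
    CT_LIMIT = 0 disables connection tracking entirely."""
    if ct_limit == 0:
        return []
    counts = count_connections(conns, **filters)
    return sorted(ip for ip, n in counts.items() if n > ct_limit)


def ct_over_time(events, ct_limit=CT_LIMIT, ct_interval=CT_INTERVAL, **filters):
    """Simplified model (an assumption, not CSF's implementation): events are
    (time_s, ip, port, state); each CT_INTERVAL window is one scan and a
    connection is counted only in the window it was opened in."""
    windows = defaultdict(list)
    for t, ip, port, state in events:
        windows[t // ct_interval].append((ip, port, state))
    blocked = set()
    for w in sorted(windows):
        blocked.update(ct_scan(windows[w], ct_limit, **filters))
    return sorted(blocked)


# Constructed samples for rdan's two questions (203.0.113.9 is a documentation IP).
burst = [(t % 29, "203.0.113.9", 80, "ESTABLISHED") for t in range(101)]        # 101 in 29 s
spread = [(t * 60 // 101, "203.0.113.9", 80, "ESTABLISHED") for t in range(101)]  # 101 over 60 s
```

    Running ct_over_time(burst) blocks the IP, while ct_over_time(spread) does not because no single 30-second window exceeds 100.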
     
  14. rdan

    I adjusted CT_LIMIT to 100 and changed the PHP-FPM config so that it will not hog the CPU as much when under attack.
    Code:
    pm = dynamic
    pm.max_children = 8
    pm.start_servers = 4
    pm.min_spare_servers = 2
    pm.max_spare_servers = 6
    pm.max_requests = 500
    Looks like it helps :)

    I talked with the attacker now LoL
    We are now chatting on Shoutbox :D
    Hahaha, and I'm not wrong in what I suspected the last few days.
    They are the reason most big forums here in the Philippines were down for several days last week.

    One forum with 20M+ posts and 800K members using VB4 was down for several days, and another Pinoy forum with 10M+ posts using SMF too, even though both of them use Cloudflare's higher paid plans.
     
  15. rdan

  16. eva2000

    Nice, but be careful with
    Code:
    LF_DSHIELD = "86400"
    LF_SPAMHAUS = "86400"
    LF_BOGON = "86400"
    They can reduce network performance, have false positives, and block legit users on dynamic IPs from reaching your web site.
     
  17. rdan

    Yes, I didn't enable that part; I know that for a single IP here in PH, most likely hundreds of users are sharing it :D