
CSF Any Insights about CSF blocking dos attacks?

Discussion in 'Centmin Mod Insights' started by rdan, Oct 12, 2014.

  1. rdan

    rdan Well-Known Member

    5,398
    1,354
    113
    May 25, 2014
    Ratings:
    +2,128
    Local Time:
    1:37 AM
    Mainline
    10.2
  2. rdan

  3. eva2000

    eva2000 Administrator Staff Member

    49,877
    11,487
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +17,839
    Local Time:
    3:37 AM
    Nginx 1.21.x
    MariaDB 10.x
    The alert email is set via the variable LF_ALERT_TO in /etc/csf/csf.conf:

    Code:
    grep ^LF_ALERT_TO /etc/csf/csf.conf
    LF_ALERT_TO = "youremail@yourdomain.com"
    
    It's all just trial-and-error testing; tweak and tune ;)

    Relevant sections and information:
    Code:
    ###############################################################################
    # SECTION:Connection Tracking
    ###############################################################################
    # Connection Tracking. This option enables tracking of all connections from IP
    # addresses to the server. If the total number of connections is greater than
    # this value then the offending IP address is blocked. This can be used to help
    # prevent some types of DOS attack.
    #
    # Care should be taken with this option. It's entirely possible that you will
    # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
    # and HTTP so it could be quite easy to trigger, especially with a lot of
    # closed connections in TIME_WAIT. However, for a server that is prone to DOS
    # attacks this may be very useful. A reasonable setting for this option might
    # be around 300.
    #
    # To disable this feature, set this to 0
    CT_LIMIT = "0"
    
    # Connection Tracking interval. Set this to the the number of seconds between
    # connection tracking scans
    CT_INTERVAL = "30"
    
    # Send an email alert if an IP address is blocked due to connection tracking
    CT_EMAIL_ALERT = "1"
    
    # If you want to make IP blocks permanent then set this to 1, otherwise blocks
    # will be temporary and will be cleared after CT_BLOCK_TIME seconds
    CT_PERMANENT = "0"
    
    # If you opt for temporary IP blocks for CT, then the following is the interval
    # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
    CT_BLOCK_TIME = "1800"
    
    # If you don't want to count the TIME_WAIT state against the connection count
    # then set the following to "1"
    CT_SKIP_TIME_WAIT = "0"
    
    # If you only want to count specific states (e.g. SYN_RECV) then add the states
    # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
    #
    # Leave this option empty to count all states against CT_LIMIT
    CT_STATES = ""
    
    # If you only want to count specific ports (e.g. 80,443) then add the ports
    # to the following as a comma separated list. E.g. "80,443"
    #
    # Leave this option empty to count all ports against CT_LIMIT
    CT_PORTS = ""
    
    Code:
    ###############################################################################
    # SECTION:Distributed Attacks
    ###############################################################################
    # Distributed Account Attack. This option will keep track of login failures
    # from distributed IP addresses to a specific application account. If the
    # number of failures matches the trigger value above, ALL of the IP addresses
    # involved in the attack will be blocked according to the temp/perm rules above
    #
    # Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, 
    # LF_HTACCESS
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_DISTATTACK = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTATTACK
    LF_DISTATTACK_UNIQ = "2"
    
    # Distributed FTP Logins. This option will keep track of successful FTP logins.
    # If the number of successful logins to an individual account is at least
    # LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
    # then all of the IP addresses will be blocked
    #
    # This option can help mitigate the common FTP account compromise attacks that
    # use a distributed network of zombies to deface websites
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    #
    # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
    # this file about RESTRICT_SYSLOG before enabling this option:
    LF_DISTFTP = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
    LF_DISTFTP_UNIQ = "6"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTFTP_PERM = "1"
    
    # Distributed SMTP Logins. This option will keep track of successful SMTP
    # logins. If the number of successful logins to an individual account is at
    # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
    # addresses, then all of the IP addresses will be blocked. These options only
    # apply to the exim MTA
    #
    # This option can help mitigate the common SMTP account compromise attacks that
    # use a distributed network of zombies to send spam
    #
    # A sensible setting for this might be 5, depending on how many different
    # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
    #
    # To disable set to "0"
    LF_DISTSMTP = "0"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
    LF_DISTSMTP_UNIQ = "3"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTSMTP_PERM = "1"
    
    # This is the interval during which a distributed FTP or SMTP attack is
    # measured
    LF_DIST_INTERVAL = "300"
    
    # If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
    # path to a script, it will run the script and pass the following as arguments:
    #
    # LF_DISTFTP/LF_DISTSMTP
    # account name
    # log file text
    #
    # The action script must have the execute bit and interpreter (shebang) set
    LF_DIST_ACTION = ""
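
    As an added example (not csf/lfd code, which is Perl), here is the sliding-window rule the LF_DISTFTP comments above describe, applied to a few constructed pure-ftpd style syslog lines: an account is flagged when at least LF_DISTFTP successful logins arrive from at least LF_DISTFTP_UNIQ distinct IPs inside LF_DIST_INTERVAL seconds, and every IP involved is returned for blocking. The host name, account names, addresses and log format are constructed for the example. The function also returns nothing when LF_DISTFTP_UNIQ is larger than LF_DISTFTP, the case the comment flags with "must be <= LF_DISTFTP for this to work"; that is worth checking against the quoted values above (LF_DISTFTP = "1", LF_DISTFTP_UNIQ = "6").

```python
"""Distributed-login detection in the shape of CSF's LF_DISTFTP rule.

Added example, not csf/lfd code. Flags an account when at least LF_DISTFTP
successful logins from at least LF_DISTFTP_UNIQ distinct IPs fall inside any
LF_DIST_INTERVAL-second window, and returns every IP involved (the config
says ALL of them are blocked). The log lines below are constructed in a
pure-ftpd syslog shape; host, accounts and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_FTP_LOG = """\
Oct 12 10:00:01 srv pure-ftpd: (?@198.51.100.7) [INFO] webuser is now logged in
Oct 12 10:00:05 srv pure-ftpd: (?@198.51.100.50) [INFO] alice is now logged in
Oct 12 10:00:09 srv pure-ftpd: (?@198.51.100.7) [INFO] bob is now logged in
Oct 12 10:00:30 srv pure-ftpd: (?@198.51.100.8) [INFO] webuser is now logged in
Oct 12 10:01:10 srv pure-ftpd: (?@192.0.2.21) [INFO] webuser is now logged in
Oct 12 10:02:05 srv pure-ftpd: (?@192.0.2.22) [INFO] webuser is now logged in
Oct 12 10:03:50 srv pure-ftpd: (?@203.0.113.99) [INFO] webuser is now logged in
Oct 12 10:04:40 srv pure-ftpd: (?@203.0.113.100) [INFO] webuser is now logged in
Oct 12 10:20:00 srv pure-ftpd: (?@198.51.100.50) [INFO] alice is now logged in
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\(\S*@(?P<ip>[0-9a-fA-F.:]+)\) \[INFO\] (?P<account>\S+) is now logged in"
)
EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; strptime defaults to 1900


def parse_pureftpd_log(text):
    """Return [(seconds, account, ip)] for each successful-login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append(((ts - EPOCH).total_seconds(), m["account"], m["ip"]))
    return events


def detect_distributed_logins(events, lf_dist, lf_dist_uniq, lf_dist_interval):
    """Return {account: sorted IPs to block} for accounts that trip the rule.

    Mirrors the config comments: 0 disables the check, and LF_DISTFTP_UNIQ
    must be <= LF_DISTFTP or the rule can never fire.
    """
    if lf_dist <= 0 or lf_dist_uniq > lf_dist:
        return {}
    by_account = defaultdict(list)
    for ts, account, ip in events:
        by_account[account].append((ts, ip))
    hits = {}
    for account, logins in by_account.items():
        logins.sort()
        # slide a window of lf_dist_interval seconds over the sorted logins
        for i, (start, _) in enumerate(logins):
            window = [ip for ts, ip in logins[i:] if ts - start <= lf_dist_interval]
            if len(window) >= lf_dist and len(set(window)) >= lf_dist_uniq:
                hits[account] = sorted(set(window))
                break
    return hits


if __name__ == "__main__":
    events = parse_pureftpd_log(SAMPLE_FTP_LOG)
    # LF_DISTFTP = 5, LF_DISTFTP_UNIQ = 5, LF_DIST_INTERVAL = 300
    for account, ips in detect_distributed_logins(events, 5, 5, 300).items():
        print(f"{account}: block {len(ips)} IPs -> {' '.join(ips)}")
```

    Note that 198.51.100.7 also appears in bob's login; because the rule blocks every IP seen in the flagged account's window, a shared address (a NAT or proxy, as discussed later in this thread) gets blocked for everyone behind it.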
    
     
  4. rdan

    What about this part:
    How do I change it to Postfix?
     
  5. rdan

    All that I have changed for now is this: CT_LIMIT = 100.
    If it can't stop DoS attacks, then I will move back to SYS.
     
  6. eva2000

    Postfix symlinks to sendmail and vice versa, so you should be able to send via Postfix, AFAIK, if you set LF_ALERT_SMTP - try and see.

    Unfortunately, there is only so much you can do for DDoS protection at the software level. So $20/month extra for DDoS protection isn't worth it for you to have a server location closer to your visitors?
     
  7. rdan

    With their Enterprise DDoS Protection my monthly cost would be $109 USD, compared to SYS at only $56 :confused:
     
  8. eva2000

    Guess you have to ask yourself if +$53/month extra is worth it for a better browsing experience for your Asia-based visitors :)
     
  9. rdan

    Better for them, not for me. hahaha.
     
  10. eva2000

    lol, very true - it's a harder task catering for an Asian audience, with average hosting costs being higher :)
     
  11. rdan

    I have CT_INTERVAL = "30"; CT_LIMIT only counts per 30 seconds, right?
    And I have CT_LIMIT = "100".

    So if my server gets 101 connections from a single IP in the last 29 seconds, it will automatically block that IP?
    And if I get 101 total connections in the last 60 seconds, it will not block or trigger?
     
  12. rdan

    Indeed, for US/UK/AU citizens the Versaweb plans are cheap, but for me in Asia, nah, they're not :/
    The only cheap option for me is shared hosting labeled "unlimited storage/unlimited bandwidth" hahah.
     
  13. eva2000

    The threshold would be 100 connections from an IP within a 30 second period. So yes, 101 in 29 seconds = blocked, and 101 connections spanning 60 seconds, which is <100 connections within 30 seconds, would be allowed (you could have 1 connection in 30 seconds and 100 in the remaining 30 seconds and get the block, depending on how those 101 connections are made up).
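
    As an added example, not csf/lfd code, here is the counting rule from the Connection Tracking section of csf.conf quoted earlier in this thread applied to one scan. lfd takes a snapshot of current connections every CT_INTERVAL seconds and counts them per remote IP, so what is compared against CT_LIMIT is how many connections an IP has open at scan time (TIME_WAIT included unless CT_SKIP_TIME_WAIT is set), narrowed by CT_STATES and CT_PORTS when those are set. The netstat-style snapshot and the addresses are constructed for the example; the `csf -d` and `csf -td` strings are the manual equivalents of a permanent block and a CT_BLOCK_TIME temporary block, not what lfd runs internally.

```python
"""One CSF-style connection-tracking (CT) scan over a netstat snapshot.

Added example, not csf/lfd code. It applies the CT_LIMIT / CT_STATES /
CT_PORTS / CT_SKIP_TIME_WAIT rules from csf.conf to a `netstat -tan`-shaped
snapshot and reports which remote IPs exceed the limit.
"""
from collections import Counter

# Constructed snapshot in `netstat -tan` column order:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE_NETSTAT = """\
tcp 0 0 203.0.113.10:443 198.51.100.7:51122 ESTABLISHED
tcp 0 0 203.0.113.10:443 198.51.100.7:51123 ESTABLISHED
tcp 0 0 203.0.113.10:80 198.51.100.7:51001 TIME_WAIT
tcp 0 0 203.0.113.10:80 198.51.100.7:51002 TIME_WAIT
tcp 0 0 203.0.113.10:80 192.0.2.55:40001 SYN_RECV
tcp 0 0 203.0.113.10:80 192.0.2.55:40002 SYN_RECV
tcp 0 0 203.0.113.10:80 192.0.2.55:40003 SYN_RECV
tcp 0 0 203.0.113.10:22 192.0.2.200:55000 ESTABLISHED
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
"""


def parse_netstat(snapshot):
    """Yield (remote_ip, local_port, state) for every non-listening TCP socket."""
    for line in snapshot.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, peer, state = parts[3], parts[4], parts[5]
        if state == "LISTEN":
            continue
        # rpartition keeps IPv6 addresses (which contain ':') intact
        local_port = local.rpartition(":")[2]
        peer_ip = peer.rpartition(":")[0]
        yield peer_ip, local_port, state


def ct_scan(snapshot, ct_limit, ct_states="", ct_ports="", ct_skip_time_wait=False):
    """Return {ip: count} for IPs whose counted connections exceed ct_limit.

    ct_limit <= 0 disables tracking, as CT_LIMIT = "0" does in csf.conf.
    ct_states / ct_ports take the same comma-separated form as the config.
    """
    if ct_limit <= 0:
        return {}
    states = {s.strip() for s in ct_states.split(",") if s.strip()}
    ports = {p.strip() for p in ct_ports.split(",") if p.strip()}
    counts = Counter()
    for ip, port, state in parse_netstat(snapshot):
        if ct_skip_time_wait and state == "TIME_WAIT":
            continue
        if states and state not in states:
            continue
        if ports and port not in ports:
            continue
        counts[ip] += 1
    # "greater than this value" per the config comment, so == limit is allowed
    return {ip: n for ip, n in counts.items() if n > ct_limit}


def ct_block_commands(over_limit, ct_permanent=False, ct_block_time=1800):
    """Manual csf equivalents of the block lfd applies (CT_PERMANENT / CT_BLOCK_TIME)."""
    cmds = []
    for ip, n in sorted(over_limit.items()):
        comment = f'"CT: {n} connections"'
        if ct_permanent:
            cmds.append(f"csf -d {ip} {comment}")  # permanent deny
        else:
            cmds.append(f"csf -td {ip} {ct_block_time} {comment}")  # temp deny, ttl in seconds
    return cmds


if __name__ == "__main__":
    # CT_LIMIT = 3 counting every state and port, then again skipping TIME_WAIT
    for skip in (False, True):
        hits = ct_scan(SAMPLE_NETSTAT, 3, ct_skip_time_wait=skip)
        print(f"CT_SKIP_TIME_WAIT={int(skip)} ->", hits, ct_block_commands(hits))
```

    In the sample, 198.51.100.7 only trips a limit of 3 because its two TIME_WAIT sockets are counted; with CT_SKIP_TIME_WAIT it drops to 2 and only the SYN_RECV flood from 192.0.2.55 remains visible, which is why CT_STATES = "SYN_RECV" with a low CT_LIMIT is a more targeted DoS tripwire than a bare CT_LIMIT on a busy HTTP server.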
     
  14. rdan

    I adjusted CT_LIMIT to 100 and changed the PHP-FPM config so that it will not hog the CPU as much when under attack.
    Code:
    pm = dynamic
    pm.max_children = 8
    pm.start_servers = 4
    pm.min_spare_servers = 2
    pm.max_spare_servers = 6
    pm.max_requests = 500
    Looks like it helps :)

    I talked with the attacker just now, LoL.
    We are now chatting on the Shoutbox :D
    Hahaha, and I wasn't wrong in what I suspected the last few days.
    They are the reason most big forums here in the Philippines were down for several days last week.

    One forum with 20M+ posts and 800K members running vB4 was down for several days, and so was another Pinoy forum with 10M+ posts running SMF, even though both of them use Cloudflare's higher paid plans.
     
  15. rdan

  16. eva2000

    Nice, but be careful with
    Code:
    LF_DSHIELD = "86400"
    LF_SPAMHAUS = "86400"
    LF_BOGON = "86400"
    They can reduce network performance and produce false positives, blocking legit users on dynamic IPs from reaching your web site.
     
  17. rdan

    Yes, I didn't enable that part; I know that here in PH hundreds of users most likely share a single IP :D