Discover Centmin Mod today
Register Now

Featured CSF Insight Guide CSF Firewall Port Flood Blocking Pure-FTPD Connections

Discussion in 'Centmin Mod Insights' started by eva2000, May 3, 2018.

Thread Status:
Not open for further replies.
  1. eva2000

    eva2000 Administrator Staff Member

    36,333
    7,979
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,287
    Local Time:
    4:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    If you are having pure-ftpd disconnection or connection issues when uploading many files at once, it could be CSF Firewall's DDOS protection for Port Flooding in play. You can verify this by doing a grep filter of your /var/log/messages log to see if there are entries with your IP address listed.

    Where you replace 184.105.xxx.xxx with your ISP IP address or the IP address of user who is having issues uploading via pure-ftpd virtual FTP user
    Code (Text):
    grep -n 'Port Flood' /var/log/messages | grep '184.105.xxx.xxx'
    

    If you're behind a VPN or proxy on your connection to pure-ftpd, your ISP IP address maybe masked so you can check to see what IP address your server is seeing for your SSH session using command below:
    Code (Text):
    echo $SSH_CLIENT
    

    example output where your IP detected is the 1st column of ouput i.e. 184.105.xxx.xxx
    Code (Text):
    echo $SSH_CLIENT
    184.105.xxx.xxx 54021 22
    

    If there are entries that are returned from the grep filter, then your pure-ftpd disconnection or connection issues are related to PORTFLOOD protection in CSF Firewall /etc/csf/csf.conf settings.

    You're hitting CSF Firewall Port Flood protection limits. Ideally, you want to limit your FTP clients max concurrent transfer limits and/or instead of uploading individual files, upload a zip file with all files then extract and move the files in place on server via SSH. Example of extracting a zip file via SSH can be seen in step 3 of Xenforo 2 setup. You can practice doing zip upload/extraction etc on test site domain until you are familiar with it.

    Relevant settings in CSF Firewall /etc/csf/csf.conf settings file
    Code (Text):
    grep -C35 '# Port Flood Protection' /etc/csf/csf.conf
    
    ###############################################################################
    # SECTION:Port Flood Settings
    ###############################################################################
    # Enable SYN Flood Protection. This option configures iptables to offer some
    # protection from tcp SYN packet DOS attempts. You should set the RATE so that
    # false-positives are kept to a minimum otherwise visitors may see connection
    # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
    # man page for the correct --limit rate syntax
    #
    # Note: This option should ONLY be enabled if you know you are under a SYN
    # flood attack as it will slow down all new connections from any IP address to
    # the server if triggered
    SYNFLOOD = "0"
    SYNFLOOD_RATE = "100/s"
    SYNFLOOD_BURST = "150"
    
    # Connection Limit Protection. This option configures iptables to offer more
    # protection from DOS attacks against specific ports. It can also be used as a
    # way to simply limit resource usage by IP address to specific server services.
    # This option limits the number of concurrent new connections per IP address
    # that can be made to specific ports
    #
    # This feature does not work on servers that do not have the iptables module
    # xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
    # server admins should check with their VPS host provider that the iptables
    # module is included
    #
    # For further information and syntax refer to the Connection Limit Protection
    # section of the csf readme.txt
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    CONNLIMIT = ""
    
    # Port Flood Protection. This option configures iptables to offer protection
    # from DOS attacks against specific ports. This option limits the number of
    # new connections per time interval that can be made to specific ports
    #
    # This feature does not work on servers that do not have the iptables module
    # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
    # server admins should check with their VPS host provider that the iptables
    # module is included
    #
    # For further information and syntax refer to the Port Flood Protection
    # section of the csf readme.txt
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    PORTFLOOD = "21;tcp;5;300"
    
    # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
    # These typically originate from exploit scripts uploaded through vulnerable
    # web scripts. Care should be taken on servers that use services that utilise
    # high levels of UDP outbound traffic, such as SNMP, so you may need to alter
    # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
    #
    # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
    UDPFLOOD = "1"
    UDPFLOOD_LIMIT = "100/s"
    UDPFLOOD_BURST = "500"
    
    # This is a list of usernames that should not be rate limited, such as "named"
    # to prevent bind traffic from being limited.
    #
    # Note: root (UID:0) is always allowed
    UDPFLOOD_ALLOWUSER = "named nsd"
    
    ###############################################################################
    # SECTION:Logging Settings
    ###############################################################################
    

    specifically this part
    Code (Text):
    # Port Flood Protection. This option configures iptables to offer protection
    # from DOS attacks against specific ports. This option limits the number of
    # new connections per time interval that can be made to specific ports
    #
    # This feature does not work on servers that do not have the iptables module
    # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
    # server admins should check with their VPS host provider that the iptables
    # module is included
    #
    # For further information and syntax refer to the Port Flood Protection
    # section of the csf readme.txt
    #
    # Note: Run /etc/csf/csftest.pl to check whether this option will function on
    # this server
    PORTFLOOD = "21;tcp;5;300"
    

    from CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS linked CSF Firewall readme file https://download.configserver.com/csf/readme.txt - section 16. Port Flood Protection
    By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
    addresses can be viewed in /proc/net/ipt_recent/* where the port number is the
    filename. Seems on my server that is at /proc/net/xt_recent i.e. for TCP port 21 the tracking IP file would be at /proc/net/xt_recent/21.

    You can check if your server supports ipt_recent using csftest.pl script
    Code (Text):
    /etc/csf/csftest.pl
    

    Code (Text):
    /etc/csf/csftest.pl
    Testing ip_tables/iptable_filter...OK
    Testing ipt_LOG...OK
    Testing ipt_multiport/xt_multiport...OK
    Testing ipt_REJECT...OK
    Testing ipt_state/xt_state...OK
    Testing ipt_limit/xt_limit...OK
    Testing ipt_recent...OK
    Testing xt_connlimit...OK
    Testing ipt_owner/xt_owner...OK
    Testing iptable_nat/ipt_REDIRECT...OK
    Testing iptable_nat/ipt_DNAT...OK
    


    Viewing contents of xt_recent tracked TCP port 21 file at
    Code (Text):
    cat /proc/net/xt_recent/21
    

    If IP address listed in that xt_recent TCP port 21 tracking file, and need to remove it type the following where IP address 184.105.xxx.xxx is prefixed with a minus
    Code (Text):
    cd /proc/net/xt_recent
    echo -184.105.xxx.xxx >/proc/net/xt_recent/21
    

    recheck if IP address was removed
    Code (Text):
    cat /proc/net/xt_recent/21
    

    Real example
    Code (Text):
    cat /proc/net/xt_recent/21
    src=81.171.75.98 ttl: 51 last_seen: 63306840806 oldest_pkt: 1 63306840806
    src=82.103.134.118 ttl: 51 last_seen: 63285238554 oldest_pkt: 1 63285238554
    src=184.105.247.208 ttl: 246 last_seen: 63313924669 oldest_pkt: 1 63313924669
    src=109.229.176.189 ttl: 117 last_seen: 63317929476 oldest_pkt: 1 63317929476
    src=184.105.247.196 ttl: 55 last_seen: 63313991219 oldest_pkt: 1 63313991219
    src=209.126.136.4 ttl: 53 last_seen: 63314503586 oldest_pkt: 2 63314503581, 63314503586
    

    If you want to know who the IPs belong to
    Code (Text):
    awk '{print $1}' /proc/net/xt_recent/21 | awk -F '=' '{print $2}' | while read i; do curl -s https://ipinfo.io/$i 2>&1 | egrep -v 'loc": |postal": ' | sed -e 's| "ip": | |' -e 's| "hostname": | |' -e 's|{| |' -e 's|}||' | xargs; done
    

    output
    Code (Text):
    awk '{print $1}' /proc/net/xt_recent/21 | awk -F '=' '{print $2}' | while read i; do curl -s https://ipinfo.io/$i 2>&1 | egrep -v 'loc": |postal": ' | sed -e 's| "ip": | |' -e 's| "hostname": | |' -e 's|{| |' -e 's|}||' | xargs; done
    81.171.75.98, 81-171-75-98.ipvanish.com, city: Frankfurt am Main, region: Hesse, country: DE, org: AS12989 StackPath LLC
    82.103.134.118, e82-103-134-118s.easyspeedy.dk, city: Risskov, region: Central Jutland, country: DK, org: AS30736 ASERGO Scandinavia ApS
    184.105.247.208, 208.192-26.247.105.184.in-addr.arpa, city: Ogden, region: Utah, country: US, org: AS6939 Hurricane Electric LLC
    109.229.176.189, city: Petropawlowsk, region: North Kazakhstan, country: KZ, org: AS51997 LLP Asket
    184.105.247.196, 196.192-26.247.105.184.in-addr.arpa, city: Ogden, region: Utah, country: US, org: AS6939 Hurricane Electric LLC
    209.126.136.4, city: Ann Arbor, region: Michigan, country: US, phone: 734, org: AS10439 CariNet, Inc.
    


    From CSF Firewall settings there's a default PORTFLOOD check against FTP port 21 for security. If more than 5 connections to tcp port 21 within 300 seconds, then block that IP address from port 21 for at least 300 seconds after the last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted
    Code (Text):
    PORTFLOOD = "21;tcp;5;300"
    

    So check how many simultaneous download/upload connections is set in your FTP/SFTP client shown.

    For Filezilla, those settings are under Settings -> Transfers (Concurrent transfers) section. Here there's unlimited concurrent download/uploads with 10 max simultaneous transfers.

    [​IMG]

    If you want to use say max 10 concurrent transfers, you would backup CSF Firewall settings file /etc/csf/csf.conf and edit it to raise it from 5 hit count to 10 (max supported is 20 value)

    CSF Firewall backup to file named b4-portflood-edit and list the backups
    Code (Text):
    csf --profile backup b4-portflood-edit
    csf --profile list
    

    example
    Code (Text):
    csf --profile backup b4-portflood-edit
    Creating backup...
    `/etc/csf/csf.conf' -> `/var/lib/csf/backup/1525327615_b4_portflood_edit'
    
    csf --profile list
    
    Configuration Profiles
    ======================
    block_all_perm
    block_all_temp
    disable_alerts
    protection_high
    protection_low
    protection_medium
    reset_to_defaults
    
    Configuration Backups
    =====================
    1525327615_b4_portflood_edit (Thu May  3 06:06:55 2018)
    1525253709_cmm_default_tweaked (Wed May  2 09:35:09 2018)
    1525253709_cmm_before_ptload_action (Wed May  2 09:35:09 2018)
    1525253707_initial_default (Wed May  2 09:35:07 2018)
    1525253706_pre_v12_03_upgrade (Wed May  2 09:35:06 2018)
    

    Edit PORTFLOOD settings raising hit count from 5 to 10. You can use grep on /etc/csf/csf.conf to see the current value set for PORTFLOOD
    Code (Text):
    grep 'PORTFLOOD = ' /etc/csf/csf.conf
    

    example output
    Code (Text):
    grep 'PORTFLOOD = ' /etc/csf/csf.conf
    PORTFLOOD = "21;tcp;5;300"
    

    Then edit /etc/csf/csf.conf either manually to
    Code (Text):
    PORTFLOOD = "21;tcp;10;300"
    

    or via sed replacement edit
    Code (Text):
    sed -i 's|PORTFLOOD = "21;tcp;5;300"|PORTFLOOD = "21;tcp;10;300"|' /etc/csf/csf.conf
    

    use previous grep command to verify the changes made by sed
    Code (Text):
    grep 'PORTFLOOD = ' /etc/csf/csf.conf                                                          
    PORTFLOOD = "21;tcp;10;300"
    

    restart CSF Firewall
    Code (Text):
    csf -ra
    

    If you need to restore from the backup you made the previous settings use these commands.

    The profile list will list csf profile backups look for listing name containing _b4_portflood_edit i.e. 1525327615_b4_portflood_edit and use that in restore command and then restart CSF Firewall
    Code (Text):
    csf --profile list
    csf --profile restore 1525327615_b4_portflood_edit
    csf -ra
    


    Next edit your FTP client's max concurrent transfers to limit them to 10. For Filezilla that would be like

    [​IMG]

    You can count how many concurrent pure-ftpd connections are being used server wide when uploading via pure-ftpd virtual ftp user. Assuming you're only user doing uploads, that number would be your concurrent pure-ftpd connections number.

    In SSH use command for manipulating output for CSF Firewall command, csf -p which list current connections to server. The command below grep filters for pure-ftpd connections and further grep filters for nginx user and then counts the number via wc -l then divides that number by 2 as the list shows both outbound and inbound connections and then minus 1 for the initial established pure-ftpd connection
    Code (Text):
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    

    So for multiple file uploads via pure-ftpd virtual ftp user, if you run this command a few times you will get the number of connections. With above Filezilla max set to 10, you would see something like this after a few runs of the command
    Code (Text):
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    5
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    10
    echo $(($(csf -p | grep pure-ftpd | grep nginx | wc -l)/2-1))
    10
    

    If you want view the actual connections instead of just the number use commands below:

    Commnd output when you are idly connected to pure-ftpd without any file transfers, you will see inbound and outbound connection listed
    Code (Text):
    csf -p | grep pure-ftpd | grep nginx
    

    example output - inbound to TCP port 21 and outbound to TCP port 48970
    Code (Text):
    csf -p | grep pure-ftpd | grep nginx
    21/tcp     4/-  1     (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    48970/tcp  4/-  0     (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    

    when actively or right after multiple file uploads via pure-ftpd virtual ftp user. The 11 mans 11 connections which are initial connection + 10 max concurrent = 11
    Code (Text):
    csf -p | grep pure-ftpd | grep nginx
    21/tcp     4/-  11    (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31915/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31917/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31918/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31919/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31923/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31925/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31926/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31929/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31930/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    21/tcp     4/-  11    (31933/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    30293/tcp  4/-  0     (31930/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    30324/tcp  4/-  0     (31933/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    31904/tcp  4/-  0     (31926/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    32775/tcp  4/-  0     (31919/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    35805/tcp  4/-  0     (31429/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    37105/tcp  4/-  0     (31915/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    37658/tcp  4/-  0     (31925/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    42541/tcp  4/-  0     (31917/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    43726/tcp  4/-  0     (31929/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    45697/tcp  4/-  0     (31918/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    49106/tcp  4/-  0     (31923/nginx)        pure-ftpd (IDLE)                        /usr/sbin/pure-ftpd
    

     
  2. eva2000

    eva2000 Administrator Staff Member

    36,333
    7,979
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,287
    Local Time:
    4:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    As at May 4, 2018 the PORTFLOOD limit for new Centmin Mod 123.09beta01 and newer versions has been raised from hit count of 5 to 20 which is the max supported value.

    Changing default out of box from
    Code (Text):
    PORTFLOOD = "21;tcp;5;300"
    

    to
    Code (Text):
    PORTFLOOD = "21;tcp;20;300"
    

    Existing Centmin Mod installs, will need to manually adjust their settings if they want as per above outlined guide.

    If you need a higher limit than the max hit count of 20, you can adjust and lower the threshold interval instead.

    max 20 hits over 100 seconds interval, would mean over 300 seconds = 3x20 = ~60 hits
    Code (Text):
    PORTFLOOD = "21;tcp;20;100"
    

    max 20 hits over 50 seconds interval, would mean over 300 seconds = 6x20 = ~120 hits
    Code (Text):
    PORTFLOOD = "21;tcp;20;50"
    

    max 20 hits over 25 seconds interval, would mean over 300 seconds = 12x20 = ~240 hits
    Code (Text):
    PORTFLOOD = "21;tcp;20;25"
    
     
  3. eva2000

    eva2000 Administrator Staff Member

    36,333
    7,979
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +12,287
    Local Time:
    4:12 PM
    Nginx 1.15.x
    MariaDB 5.5/10.x
    Updated Centmin Mod 123.09beta01 with new variables to custom CSF Firewall PORTFLOOD values Beta Branch - Add csf_portflood function to override defaults

    Defaults settings below can be customised and placed in persistent config file /etc/centminmod/custom_config.inc which will be triggered on next centmin.sh call/trigger.
    Code (Text):
    #####################################################
    # CSF FIREWALL
    # PORTFLOOD Configuration
    # https://community.centminmod.com/threads/14708/
    # Setting CSFPORTFLOOD_OVERRIDE='y' allows you to
    # override default CSF Firewall PORTFLOOD values set
    # by Centmin Mod initial install. If end user made
    # custom changes to PORTFLOOD values, the override
    # will not work. Override only works if end user has
    # not made custom changes to PORTFLOOD values to ensure
    # end users customisations do not get overwritten
    CSFPORTFLOOD_OVERRIDE='n'
    # max hit count value allowed is 20
    PORTFLOOD_COUNT=20
    # lowering interval in seconds allows for more
    # port flood hits against default TCP port 21
    PORTFLOOD_INTERVAL=300
    
     
..
Thread Status:
Not open for further replies.