CSF Is there a limit of how many IPs can be blocked?

Discussion in 'Centmin Mod Insights' started by Jon Snow, Jan 7, 2018.

  1. Jon Snow

    Jon Snow Active Member

    Jun 30, 2017
    Nginx 1.13.9
    MariaDB 10.1.31
    Is there a limit to how many IPs can be blocked with CSF firewall? Do the old IPs get nuked to make room for new IPs added in the future?

  2. Matt

    Matt Well-Known Member

    May 25, 2014
    Rotherham, UK
    MariaDB 10.2
    Code (Text):
    # Limit the number of IP's kept in the /etc/csf/csf.deny file
    # Care should be taken when increasing this value on servers with low memory
    # resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
    # thousands) can sometimes cause network slowdown
    # The value set here is the maximum number of IPs/CIDRs allowed
    # if the limit is reached, the entries will be rotated so that the oldest
    # entries (i.e. the ones at the top) will be removed and the latest is added.
    # The limit is only checked when using csf -d (which is what lfd also uses)
    # Set to 0 to disable limiting
    # For implementations wishing to set this value significantly higher, we
    # recommend using the IPSET option
    DENY_IP_LIMIT = "4000"
    # Limit the number of IP's kept in the temporary IP ban list. If the limit is
    # reached the oldest IP's in the ban list will be removed and allowed
    # regardless of the amount of time remaining for the block
    # Set to 0 to disable limiting
    DENY_TEMP_IP_LIMIT = "5000"

  3. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.25.x
    MariaDB 10.x
    There's a system limit in general, and that depends on the system hardware resources you have, including CPU and memory: generally, the more IPs you block and track, the more resources you potentially use and the slower the system can potentially become. You can reduce this impact if you have a Linux kernel with IPSET support, which hashes the IPs to allow the system to handle more IPs with less performance impact. Linux kernels on non-OpenVZ systems can have IPSET support. Centmin Mod's initial install detects if your Linux kernel supports IPSET and enables it system-wide and within the CSF config file, so CSF Firewall can handle a much greater number of IPs than without it. How many in theory depends on your resources and hardware. But CSF Firewall sets a configurable limit in the DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT settings @Matt outlined; on some of my clients' higher-end hardware I have 20-30K limits set without problem.

    CSF IPSET is auto-enabled on non-OpenVZ systems if Centmin Mod detects Linux kernel support for IPSET. Related text within CSF firewall's config file /etc/csf/csf.conf:
    Code (Text):
    grep -B22 'LF_IPSET =' /etc/csf/csf.conf
    # ipset will only be used with the above options when listing IPs and CIDRs.
    # Advanced Allow Filters and temporary blocks use traditional iptables
    # Using ipset moves the onus of ip matching against large lists away from
    # iptables rules and to a purpose built and optimised database matching
    # utility. It also simplifies the switching in of updated lists
    # To use this option you must have a fully functioning installation of ipset
    # installed either via rpm or source from http://ipset.netfilter.org/
    # Note: Using ipset has many advantages, some disadvantages are that you will
    # no longer see packet and byte counts against IPs and it makes identifying
    # blocked/allowed IPs that little bit harder
    # Note: If you mainly use IP address only entries in csf.deny, you can increase
    # the value of DENY_IP_LIMIT significantly if you wish
    # Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
    # containers even if it has been installed
    # If you find any problems, please post on forums.configserver.com with full
    # details of the issue
    LF_IPSET = "1"

    The Centmin Mod install routine also calculates how much memory your system has and auto-adjusts the DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT settings in the /etc/csf/csf.conf config file, raising or lowering the default values based on the system memory installed as a rough measure of the resources available. The more memory installed, the higher the DENY_IP_LIMIT and DENY_TEMP_IP_LIMIT settings' limits.
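An added example, not code from Centmin Mod, ConfigServer or either poster: a POSIX shell audit that reads DENY_IP_LIMIT and LF_IPSET from a csf.conf-style file, counts the live entries in a csf.deny-style file, and lists the oldest entries (the ones at the top) that the next `csf -d` would rotate out. The point worth checking in practice is the one the quoted comment makes: the limit is only enforced when `csf -d` runs, so a limit lowered in csf.conf or entries added by editing csf.deny directly can leave the file over the limit until the next block comes in. The file contents, TEST-NET addresses, tiny limit and function names are constructed for the demo; on a real server point the functions at /etc/csf/csf.conf and /etc/csf/csf.deny.

```shell
#!/bin/sh
# Added example (not Centmin Mod's or ConfigServer's code): audit csf.deny
# against DENY_IP_LIMIT and preview what the next "csf -d" would rotate out.
# File contents, addresses and function names below are constructed.

# Read a KEY = "VALUE" setting from a csf.conf-style file (first match wins).
csf_setting() {  # $1 = conf file, $2 = key name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Count live entries in a csf.deny-style file: blank lines and comment lines
# are skipped; trailing "# lfd: ..." comments on an entry are fine.
csf_deny_count() {  # $1 = deny file
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Print the IP/CIDR of each entry that one more "csf -d" would remove.
# CSF drops the oldest entries, which are the ones at the top of the file,
# to make room; a limit of 0 disables limiting so nothing is ever rotated.
csf_next_rotation() {  # $1 = deny file, $2 = DENY_IP_LIMIT value
    limit=$2
    [ "$limit" -gt 0 ] || return 0
    count=$(csf_deny_count "$1")
    victims=$((count + 1 - limit))   # entries that must go to fit one more
    [ "$victims" -gt 0 ] || return 0
    grep -vE '^[[:space:]]*(#|$)' "$1" | head -n "$victims" | awk '{ print $1 }'
}

# One-line summary: entries, configured limit, headroom, and whether ipset is on.
csf_deny_audit() {  # $1 = csf.conf, $2 = csf.deny
    limit=$(csf_setting "$1" DENY_IP_LIMIT)
    ipset=$(csf_setting "$1" LF_IPSET)
    count=$(csf_deny_count "$2")
    if [ "$limit" -gt 0 ]; then
        headroom=$((limit - count))
    else
        headroom=unlimited
    fi
    printf 'deny_entries=%s deny_ip_limit=%s headroom=%s lf_ipset=%s\n' \
        "$count" "$limit" "$headroom" "$ipset"
}

# Constructed sample config and deny list (TEST-NET addresses, tiny limit) so
# the example runs offline; prints the directory it created.
csf_demo_setup() {
    dir=$(mktemp -d)
    cat > "$dir/csf.conf" <<'EOF'
# constructed csf.conf fragment, not a real server's config
DENY_IP_LIMIT = "4"
DENY_TEMP_IP_LIMIT = "5000"
LF_IPSET = "1"
EOF
    cat > "$dir/csf.deny" <<'EOF'
# constructed csf.deny: five entries, oldest first, one over the limit of 4
203.0.113.10 # lfd: (sshd) Failed SSH login (constructed)
203.0.113.11 # lfd: (sshd) Failed SSH login (constructed)
198.51.100.0/24 # manual block (constructed)

203.0.113.12 # lfd: (mod_security) (constructed)
203.0.113.13 # lfd: (ftpd) (constructed)
EOF
    printf '%s\n' "$dir"
}

# Stand-alone demo; on a real server use /etc/csf/csf.conf and /etc/csf/csf.deny.
demo_dir=$(csf_demo_setup)
csf_deny_audit "$demo_dir/csf.conf" "$demo_dir/csf.deny"
csf_next_rotation "$demo_dir/csf.deny" "$(csf_setting "$demo_dir/csf.conf" DENY_IP_LIMIT)"
rm -rf "$demo_dir"
```

With the constructed files the audit reports a headroom of -1 and names the two oldest entries, because fitting one more block into a four-entry limit means two must go. A negative headroom on a real server is the signal that the file was edited or the limit lowered by hand, and that permanent blocks near the top are about to be silently dropped at the next `csf -d`.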