I checked the file /etc/csf/csf.deny and the IP is in the list.
csf -h to look at help file to see how to grep ip to see if it's denied or allowed Code: csf -g IPADDRESS and check /etc/csf/csf.allow and /etc/csf/csf.deny Code: grep IPADDRESS /etc/csf/csf.allow grep IPADDRESS /etc/csf/csf.deny
Here it is Live Stats of ngxtop: I noticed the speed is lower compared before block IP. the attackers ip are both 23.95.208.107 and 23.95.208.108 both are blocked now Why not totally block?
what's ngxtop command you using ? if you have no-follow it's not live it's read from access.log so could be past entries they should be blocked.. you would need to look at http status codes as ngxtop could be reporting 403 access denied etc ??? but CSF should of blocked it before it hit nginx
Here it is the command I'm using: Code: ngxtop -l /home/nginx/domains/domainname.com/log/access.log top request remote_addr
Ok, Thanks boss. And how about block IP in Nginx, like this: Nginx Block And Deny IP Address OR Network Subnets
that's left up to you, you can do it that way but by the time it hits nginx probably too late.. you want to block it from one level higher at CSF Firewall level tried Code: ngxtop -l /home/nginx/domains/domainname.com/log/access.log top request remote_addr status
That's why Cloudflare is very useful Cloudflare can pretty detect this right away without affecting your system .
In my case, when the attack was on, and I activate cloudflare for testing purposes. The result are worst, very lag. The cloudflare security is on Medium. I have the free version of cloudflare.
I have this even Essentially Off That's not the one I'm talking, I mean Web Application Firewall that is only available for PRO plan and up.