
CSF Whenever I have CSF on my packet loss goes through the roof

Discussion in 'Centmin Mod Insights' started by Tythus, Feb 24, 2015.

  1. Tythus

    Tythus Member

    61
    9
    8
    Aug 6, 2014
    Ratings:
    +12
    Local Time:
    5:26 PM
    It gets as high as 80% on TS3. I have whitelisted all of the related ports but it's still kicking off; any thoughts on how to avoid this?

     
  2. eva2000

    eva2000 Administrator Staff Member

    54,368
    12,198
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,763
    Local Time:
    3:26 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Got an example of the packet loss, or the commands or tools you are using to test this?

    CSF Firewall rate limits pings in /etc/csf/csf.conf, limiting them to the rate specified in ICMP_IN_RATE. It ain't packet loss, just CSF Firewall protecting your server :)

    Code:
    # Allow incoming PING
    ICMP_IN = "1"
    
    # Set the per IP address incoming ICMP packet rate
    # To disable rate limiting set to "0"
    ICMP_IN_RATE = "1/s"
    
    # Allow outgoing PING
    ICMP_OUT = "1"
    
    # Set the per IP address outgoing ICMP packet rate (hits per second allowed),
    # e.g. "1/s"
    # To disable rate limiting set to "0"
    ICMP_OUT_RATE = "0"
    
     
  3. Tythus

    Tythus Member

    The application has an inbuilt packet loss detection system that tells me how many packets are being lost on both client and server side and it knows when packets were due.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Then, if you can live with it, just disable ping rate limiting:
    Code:
    # Set the per IP address incoming ICMP packet rate
    # To disable rate limiting set to "0"
    ICMP_IN_RATE = "1/s"
     
  5. Tythus

    Tythus Member

    Makes no difference.
     
  6. eva2000

    eva2000 Administrator Staff Member

    Did you restart CSF after making the change to ICMP_IN_RATE = "0"?
     
  7. Tythus

    Tythus Member

    Yes, I made sure it was accepting my changes by adding an extra port and ping-checking that port, and it was visible.
     
  8. eva2000

    eva2000 Administrator Staff Member

    Well then, the only other thing I can think of is that your IP address could be temp banned or something?

    So when you disable CSF there is no packet loss? Check the server's /var/log/messages and /var/log/lfd.log for clues.

    If it's a known IP, have you whitelisted the IP and not just the ports? Also try adding the IP to /etc/csf/csf.ignore and restart CSF.

    Is CSF stock configuration, or have you enabled or altered other settings besides whitelisting IPs and ports?
     
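The triage the post above describes (look for the client IP in lfd.log, look for dropped packets in the kernel firewall log, confirm the IP is actually in csf.allow or csf.ignore) as an added shell example; it is not code from the thread, from Centmin Mod or from the CSF project. Every log line and list file below is constructed for the example and written to a temporary directory; on a real server the files are /var/log/lfd.log, /var/log/messages, /etc/csf/csf.allow and /etc/csf/csf.ignore. The kernel lines use CSF's `Firewall: *UDP_IN Blocked*` LOG prefix (the `*[proto]_IN Blocked*` form the PS_PORTS comment in csf.conf refers to); the client IP 203.0.113.7 and the ports 9987/30033 are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example, not Centmin Mod or CSF project code: triage one client IP the
# way the post above suggests. All files below are constructed for the example.

WORK=$(mktemp -d)
LFD_LOG="$WORK/lfd.log"; MSG_LOG="$WORK/messages"
CSF_ALLOW="$WORK/csf.allow"; CSF_IGNORE="$WORK/csf.ignore"

# Constructed lfd.log: one block of the client IP, one unrelated block.
cat > "$LFD_LOG" <<'EOF'
Feb 24 10:01:12 vps lfd[2210]: *Port Scan* detected from 203.0.113.7 (US/United States/-). 11 hits in the last 60 seconds - *Blocked in csf* [PS_LIMIT]
Feb 24 10:02:40 vps lfd[2210]: (sshd) Failed SSH login from 198.51.100.9 (GB/United Kingdom/-): 5 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_SSHD]
EOF

# Constructed /var/log/messages: CSF iptables LOG lines for dropped packets.
# The last line is from a *different* IP (203.0.113.70) to show the matching
# must be exact, not a substring match.
cat > "$MSG_LOG" <<'EOF'
Feb 24 10:03:11 vps kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=UDP SPT=54321 DPT=9987 LEN=40
Feb 24 10:03:11 vps kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=UDP SPT=54321 DPT=9987 LEN=40
Feb 24 10:03:12 vps kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=UDP SPT=54321 DPT=9987 LEN=40
Feb 24 10:03:15 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=41000 DPT=30033 WINDOW=65535
Feb 24 10:03:20 vps kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.70 DST=192.0.2.10 LEN=60 TTL=54 PROTO=UDP SPT=5000 DPT=9987 LEN=40
EOF

# Constructed csf.allow (one whitelisted office IP) and an empty csf.ignore.
printf '%s\n' '# constructed csf.allow' '192.0.2.55 # office' > "$CSF_ALLOW"
: > "$CSF_IGNORE"

# ip_regex IP: escape the dots so grep treats the address literally.
ip_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }

# lfd_blocks_for IP LOG: lfd.log lines where lfd blocked exactly this IP
# (bounded so 203.0.113.7 does not also match 203.0.113.70).
lfd_blocks_for() {
    grep -E "(^|[^0-9.])$(ip_regex "$1")([^0-9.]|$)" "$2" | grep -F 'Blocked in csf' || true
}

# dropped_ports_for IP LOG: count kernel "Firewall: *<proto>_IN Blocked*" lines
# per proto:port for this source IP. A port that shows up here is one the
# firewall is dropping, i.e. one that is missing from TCP_IN/UDP_IN.
dropped_ports_for() {
    awk -v ip="$1" '
        /Firewall: \*[A-Z0-9]+_IN Blocked\*/ {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src == ip && dpt != "") count[proto ":" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' "$2" | sort
}

# ip_listed IP FILE: succeed if IP is on its own line (optional # comment) or
# inside an advanced rule such as tcp|in|d=22|s=IP in csf.allow / csf.ignore.
ip_listed() {
    grep -Eq "^[[:space:]]*$(ip_regex "$1")([[:space:]]|#|$)|s=$(ip_regex "$1")([^0-9.]|$)" "$2"
}

# ip_triage IP: one line per check, for a quick read of what CSF is doing.
ip_triage() {
    ip=$1
    echo "lfd blocks of $ip: $(lfd_blocks_for "$ip" "$LFD_LOG" | grep -c . || true)"
    dropped_ports_for "$ip" "$MSG_LOG" | while read -r key n; do
        echo "firewall dropped $n packet(s) from $ip to $key"
    done
    for f in "$CSF_ALLOW" "$CSF_IGNORE"; do
        if ip_listed "$ip" "$f"; then echo "$ip is listed in $(basename "$f")"
        else echo "$ip is NOT listed in $(basename "$f")"; fi
    done
}

ip_triage 203.0.113.7
```

Run against the constructed data it reports one lfd block, three dropped UDP packets to port 9987 and one dropped TCP packet to port 30033 for 203.0.113.7, and that the IP is in neither list. On a live server the same per-port count tells you which port is missing from TCP_IN/UDP_IN, and `csf -g <ip>` shows whether the IP currently matches any iptables rule, including a temporary block.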
  10. eva2000

    eva2000 Administrator Staff Member

    Also make sure, if you use IPv6, to whitelist ports under the TCP6_IN/TCP6_OUT and UDP6_IN/UDP6_OUT sections of /etc/csf/csf.conf.

    Also, maybe you're getting UDP OUT rate limited if you have UDP traffic.

    In /etc/csf/csf.conf:
    Code:
    # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
    # These typically originate from exploit scripts uploaded through vulnerable
    # web scripts. Care should be taken on servers that use services that utilise
    # high levels of UDP outbound traffic, such as SNMP, so you may need to alter
    # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
    #
    # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
    UDPFLOOD = "1"
    UDPFLOOD_LIMIT = "100/s"
    UDPFLOOD_BURST = "500"
    
    # This is a list of usernames that should not be rate limited, such as "named"
    # to prevent bind traffic from being limited.
    #
    # Note: root (UID:0) is always allowed
    UDPFLOOD_ALLOWUSER = "named nsd"
    
    Code:
    ###############################################################################
    # SECTION:Logging Settings
    ###############################################################################
    # Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
    --
    # the amount of log noise from dropped connections, but will affect options
    # such as Port Scan Tracking (PS_INTERVAL)
    DROP_ONLYRES = "0"
    
    # Commonly blocked ports that you do not want logging as they tend to just fill
    # up the log file. These ports are specifically blocked (applied to TCP and UDP
    # protocols) for incoming connections
    DROP_NOLOG = "111,113,135:139,445,500,513,520"
    
    # Log packets dropped by the packet filtering option PACKET_FILTER
    DROP_PF_LOGGING = "0"
    --
    # Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
    # this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
    # addresses breaking the Connection Limit Protection will be blocked
    CONNLIMIT_LOGGING = "0"
    
    # Enable logging of UDP floods. This should be enabled, especially with User ID
    # Tracking enabled
    UDPFLOOD_LOGGING = "1"
    
    # Send an alert if log file flooding is detected which causes lfd to skip log
    # lines to prevent lfd from looping. If this alert is sent you should check the
    # reported log file for the reason for the flooding
    LOGFLOOD_ALERT = "0"
    --
    # countries but still filter based on the port and packets rules. All other
    # connections are dropped
    CC_ALLOW_FILTER = ""
    
    # This option allows access from the following countries to specific ports
    # listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
    #
    # Note: The rules for this feature are inserted after the allow and deny
    # rules to still allow blocking of IP addresses
    #
    # Each option is a comma separated list of CC's, e.g. "US,GB,DE"
    CC_ALLOW_PORTS = ""
    
    # All listed ports should be removed from TCP_IN/UDP_IN to block access from
    # elsewhere. This option uses the same format as TCP_IN/UDP_IN
    #
    # An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
    # then only counties listed in CC_ALLOW_PORTS can access FTP
    CC_ALLOW_PORTS_TCP = ""
    CC_ALLOW_PORTS_UDP = ""
    
    # This option denies access from the following countries to specific ports
    # listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
    #
    # Note: The rules for this feature are inserted after the allow and deny
    # rules to still allow allowing of IP addresses
    #
    # Each option is a comma separated list of CC's, e.g. "US,GB,DE"
    CC_DENY_PORTS = ""
    
    # This option uses the same format as TCP_IN/UDP_IN. The ports listed should
    # NOT be removed from TCP_IN/UDP_IN
    #
    # An example would be to list port 21 here then counties listed in
    # CC_DENY_PORTS cannot access FTP
    CC_DENY_PORTS_TCP = ""
    CC_DENY_PORTS_UDP = ""
    
    # This Country Code list will prevent lfd from blocking IP address hits for the
    # listed CC's
    #
    # CC_LOOKUPS must be enabled to use this option
    --
    # 0:65535,ICMP,INVALID,OPEN covers all ports
    #
    # Special values are:
    #   ICMP    - include ICMP blocks (see ICMP_*)
    #   INVALID - include INVALID blocks (see PACKET_FILTER)
    #   OPEN    - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
    PS_PORTS = "0:65535,ICMP"
     
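The checks discussed across the thread (is ICMP_IN_RATE still rate limiting pings, is UDPFLOOD on, and is the application's port actually listed in TCP_IN/UDP_IN and their IPv6 counterparts TCP6_IN/UDP6_IN) as one added shell example. This is not code from the thread, from Centmin Mod or from the CSF project; it only reads the `KEY = "value"` syntax CSF uses. The csf.conf below is constructed for the example and written to a temporary file (the real file is /etc/csf/csf.conf), and the ports 9987, 10011 and 30033 are assumed here to be the TeamSpeak 3 defaults purely for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not Centmin Mod or CSF project code: audit a csf.conf for the
# settings this thread turned on. The config below is constructed for the example.

CSF_CONF=$(mktemp)   # stands in for /etc/csf/csf.conf
cat > "$CSF_CONF" <<'EOF'
# constructed sample, not a real server's csf.conf
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,10011,30033"
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
UDP_IN = "20,21,53,9987:9990"
UDP_OUT = "20,21,53,113,123"
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
UDP6_IN = "20,21,53"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
UDPFLOOD = "1"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"
EOF

# csf_get KEY FILE: print the value of KEY from CSF's  KEY = "value"  lines.
csf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# csf_port_allowed LISTKEY PORT FILE: succeed if PORT is in the comma-separated
# list held by LISTKEY; entries are single ports or lo:hi ranges as CSF writes them.
csf_port_allowed() {
    list=$(csf_get "$1" "$3")
    port=$2
    old_ifs=$IFS; IFS=,
    for entry in $list; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}
                 [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && { IFS=$old_ifs; return 0; } ;;
            *)   [ "$entry" -eq "$port" ] 2>/dev/null && { IFS=$old_ifs; return 0; } ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# csf_audit PORT FILE: one finding per line for the symptoms in the thread.
csf_audit() {
    port=$1; conf=$2
    if [ "$(csf_get ICMP_IN "$conf")" = "0" ]; then
        echo "ICMP_IN=0: incoming ping is blocked outright, so every ping test shows 100% loss"
    fi
    rate=$(csf_get ICMP_IN_RATE "$conf")
    if [ -n "$rate" ] && [ "$rate" != "0" ]; then
        echo "ICMP_IN_RATE=$rate: pings from one IP above this rate are dropped, which a ping test reports as loss"
    fi
    if [ "$(csf_get UDPFLOOD "$conf")" = "1" ]; then
        echo "UDPFLOOD on: outbound UDP limited to $(csf_get UDPFLOOD_LIMIT "$conf"), burst $(csf_get UDPFLOOD_BURST "$conf")"
    fi
    # IPv4 and IPv6 lists are separate in csf.conf; a port open in UDP_IN is
    # still closed for IPv6 clients unless it is also in UDP6_IN.
    for key in TCP_IN UDP_IN TCP6_IN UDP6_IN; do
        if csf_port_allowed "$key" "$port" "$conf"; then
            echo "$key: port $port open"
        else
            echo "$key: port $port NOT listed"
        fi
    done
}

csf_audit 9987 "$CSF_CONF"
```

With the constructed config the audit flags the 1/s ping rate limit, the 100/s UDP flood limit, and that 9987 is open in UDP_IN (via the 9987:9990 range) but missing from TCP_IN, TCP6_IN and UDP6_IN. After editing the real file, CSF has to be restarted with `csf -r` for the change to take effect, which is the step the thread checks for.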
  11. Tythus

    Tythus Member

    Just tested a crazy higher UDP test and now everything is fine during normal usage. I'll tweak it back down to what's needed; cheers for the help @eva2000.
     