Hello
If an IP starts gobbling up server resources by hitting a website multiple times, can we use CSF to rate limit them ? What I mean is, to slow the resource allocation to that IP if it is hitting the server multiple times.
I currently have an Apache box with linux CentOS7 and I also use Mod Sec.
CSF can help with rate limiting ?
-
FutherForward20
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
-
FutherForward20
- Junior Member
- Posts: 22
- Joined: 03 Sep 2016, 13:56
Re: CSF can help with rate limiting ?
I should say, the reason I ask is I had an rogue IP that DDOSed the server by hitting a site multiple times in 6 minutes and the server crashed....
I can also see that there is a "CONNLIMIT" capability. I'm assuming this be helpful in the above situation - but I've not set these parameters before, so would like a little reassurance.
At the moment I've configured CONNLIMIT "22;10,443;40,80;40"
And PORTFLOOD "22;tcp;5;200,80;tcp;30;5,443;tcp;30;5"
Does that look reasonable for a production server (4CPUs 8 GB ram, approx 10 static sites)
Is there a way to test to see if it impacts the server negatively ?
I can also see that there is a "CONNLIMIT" capability. I'm assuming this be helpful in the above situation - but I've not set these parameters before, so would like a little reassurance.
At the moment I've configured CONNLIMIT "22;10,443;40,80;40"
And PORTFLOOD "22;tcp;5;200,80;tcp;30;5,443;tcp;30;5"
Does that look reasonable for a production server (4CPUs 8 GB ram, approx 10 static sites)
Is there a way to test to see if it impacts the server negatively ?
Re: CSF can help with rate limiting ?
I too am curious as to what would be considered a safe limit, more specifically just for port 80 http requests, on a dedicated server being used for shared hosting services. I'm getting bursts of upwards of 70 connections in 60 seconds from single rogue / malicious IPs, and even with much more resources on my boxes (20 CPU, 64GB RAM) it still causes issues and high load spikes. I'm thinking maybe "80;50" would be a safe bet in my case, but still a bit unsure. I'm starting there and experimenting, but would definitely like to hear other opinions.
Re: CSF can help with rate limiting ?
I set:
CONNLIMIT = 80;50,443;50
And yet still I'm getting some occasional rogue IPs with upwards of 85 connections to port 443 , generating high load.
/etc/csf/csftest.pl passes and shows xt_connlimit is loaded:
[~]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
So I'm not why the 443;50 limit isn't being enforced
CONNLIMIT = 80;50,443;50
And yet still I'm getting some occasional rogue IPs with upwards of 85 connections to port 443 , generating high load.
/etc/csf/csftest.pl passes and shows xt_connlimit is loaded:
[~]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK
RESULT: csf should function on this server
So I'm not why the 443;50 limit isn't being enforced