The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CSF configuration / Flooding / Ect

Discussion in 'Security' started by GaryT, May 25, 2010.

  1. GaryT

    GaryT Well-Known Member

    Joined:
    May 19, 2010
    Messages:
    321
    Likes Received:
    3
    Trophy Points:
    16
    I do'nt quite get ths in the CSF firewall.

    CT_LIMIT = 300

    Yet I get emails saying:

    Time: Tue May 25 13:02:00 2010 -0600
    IP: **.**.**.*** (GB/United Kingdom/**-**-**-***.dynamic.dsl.******.com)
    Connections: 316
    Blocked: Temporary Block

    tcp: **.***.***.***:51010 -> **.***.***.***:80 (SYN_RECV)
    tcp: **.***.***.***:51081 -> **.***.***.***:80 (SYN_RECV)
    tcp: **.***.***.***:50788 -> **.***.***.***:80 (TIME_WAIT)
    tcp: **.***.***.***:51044 -> **.***.***.***:80 (TIME_WAIT)

    and loads more !

    One of my websites tend to be httpd flooded so I need this enabled to either 300 or less.

    What is the best way around this.

    Spiral you tend to know alot - Im awaiting your replies :p :D
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,468
    Likes Received:
    196
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You'd do better to have a search around the ConfigServer forums for the answer to this, or, check the readme for CSF itself for details on setting connection tracking up as you'd like to have it work.

    BTW, by your email message it's a temp block. You might like to try setting that to perm block and keep an eye on your logs for normal user problems.
     

    Attached Files:

  3. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Can't answer if I don't see the post. :D

    Based on your post comments above, I smell a dDoS attack ...

    I'd have to look at what is going on to know for certain but just in the few items you posted in your post above, it does certainly hint in that direction.

    As for the CSF question, you can expand and adjust the connection tracking how you like but I would not blindly make adjustments there without knowing what it really going on in your server as at this point I suspect CSF is actually doing the job that it is supposed to be doing.
     
Loading...

Share This Page