Ldbeaudoin

Registered
Apr 13, 2017
4
0
1
Quebec
cPanel Access Level
Root Administrator
Hi,

I have an issue with csf and too many connections from specifics IPs. I'll have a few times a week one uniques IPs that have a few hundred connections to my server.

Exemple :

tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:57019 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:51959 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:56310 TIME_WAIT -
tcp 0 617 51.68.xx,xx:80 138.68.xx,xx:49729 FIN_WAIT1 1195/httpd
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:59294 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:54074 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:52335 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:50684 ESTABLISHED 1195/httpd
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:62749 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:49192 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:53449 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:57657 TIME_WAIT -

It seems that csf doesn't count the connections in time_wait, but i would like for it to do so.

This is not legitimate traffic and it create a server overload everytime :

/etc/apache2/logs/domlogs/domain.com:138.68.xx.xx - - [29/Apr/2020:15:22:41 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
/etc/apache2/logs/domlogs/domain.com:138.68..xx.xx - - [29/Apr/2020:15:22:42 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
/etc/apache2/logs/domlogs/domain.com:138.68..xx.xx - - [29/Apr/2020:15:22:44 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"

As soon as I ban this IP the load decrease rapidly anad goes back to normal value. In this exemple, this IP had more than 1000 connections to the server even thought most of them were in TIME_WAIT it was still causing an issue to our server.

Currently, I use these settings for CSF :

#If the total number of connections is greater than
# this value then the offending IP address is blocked.
CT_LIMIT = "100"

CONNLIMIT = "22;5,80;50,443;50,25;10"

Anyone saw a similare issue ?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,252
313
Houston
This is discussed in section 20 of the readme provided by CSF:

https://download.configserver.com/csf/readme.txt said:
20. Connection Limit Protection
###############################

This option configures iptables to offer protection from DOS attacks against
specific ports. It can also be used as a way to simply limit resource usage by
IP address to specific server services. This option limits the number of new
concurrent connections per IP address that can be made to specific ports.

This feature does not work on servers that do not have the iptables module
xt_connlimit loaded. Typically, this will be with Monolithic kernels. VPS
server admins should check with their VPS host provider that the iptables
module is included.

Also, although included in some older versions or RedHat/CentOS, it was only
actually available from v5.3+

The protection can only be applied to the TCP protocol.

Syntax for the CONNLIMIT setting:

CONNLIMIT is a comma separated list of:
port;limit

So, a setting of CONNLIMIT = "22;5,80;20" means:

1. Only allow up to 5 concurrent new connections to port 22 per IP address

2. Only allow up to 20 concurrent new connections to port 80 per IP address

Note: Existing connections are not included in the count, only new SYN packets,
i.e. new connections

Note: Run /etc/csf/csftest.pl to check whether this option will function on the
server
They also have several threads on this in their forums: