
Prevent DDOS attack by CSF firewall

Discussion in 'Security' started by jasonman, Oct 6, 2014.

  1. jasonman

    jasonman Active Member

    cPanel Access Level:
    Website Owner
    Hi all,

    Recently, there have been many error log entries in cPanel for a few weeks, as follows:
    Code:
    [Mon Oct 06 22:32:48 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:32:48 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:29:35 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:29:35 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:26:23 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:26:23 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:23:10 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:23:10 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:19:57 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:19:57 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:16:44 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:16:44 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:10:51 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:10:51 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:07:44 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:07:44 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 22:06:08 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
    [Mon Oct 06 22:06:08 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/utf/mobile
    [Mon Oct 06 21:40:08 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
    Actually, I deleted the utf folder, but these IPs continue to request these files in that folder. Is there anything I can do about this?

    Because of this, I searched the internet for information about how to prevent DDoS attacks with the CSF firewall, and found the CSF settings and "Preventing DDoS amplification open resolver attack":

    First, I would like to ask how I can prevent a DDoS amplification open resolver attack, because I think my server was used by others to attack. (The hosting company told me and stopped my server for about 2 weeks >.<)
    The information is as follows:
    source: http://anandarajpandey.com/2014/02/10/preventing-ddos-aplification-open-resolver-attack/
    Can I do anything in WHM to prevent a DDoS amplification open resolver attack? Or any code?
    If I disable open recursive requests, will any function stop working or cause any problem? e.g. redirects, subdomains.

    Second, if I set CSF as follows, will the server be better or not?
    source: http://anandarajpandey.com/2014/04/21/how-to-prevent-ddos-attack-by-csf-firewall/

    Code:
    Step 1: open and edit the CSF config file.
    vi /etc/csf/csf.conf
    
    Settings (csf.conf lines; the explanatory lines are # comments, values are quoted as in the shipped csf.conf):
    
    # Enable connection tracking
    CT_LIMIT = "1"
    
    # Set connection tracking interval.
    CT_INTERVAL = "30"
    
    # If you want to get possible DDoS attack emails then enable it.
    CT_EMAIL_ALERT = "1"
    
    # If you want to make IP blocks permanent then set this to 1, otherwise blocks
    # will be temporary and will be cleared after CT_BLOCK_TIME seconds
    CT_PERMANENT = "1"
    
    # If you opt for temporary IP blocks for CT, then the following is the interval
    # in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
    CT_BLOCK_TIME = "1800"
    
    # If you only want to count specific ports (e.g. 80,443) then add the ports
    # to the following as a comma separated list. E.g. "80,443"
    CT_PORTS = "80,23,443"
    
    # These settings will be enough for DDoS attacks, but if you are still getting
    # attacks with the above options configured then we can set a few more options.
    
    # Step 2: Enable distributed attacks
    LF_DISTATTACK = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTATTACK
    LF_DISTATTACK_UNIQ = "2"
    
    # Step 3: Enable distributed FTP attacks
    LF_DISTFTP = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
    LF_DISTFTP_UNIQ = "3"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTFTP_PERM = "1"
    
    # Step 4: Enable distributed SMTP attacks.
    LF_DISTSMTP = "1"
    
    # Set the following to the minimum number of unique IP addresses that trigger
    # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
    LF_DISTSMTP_UNIQ = "4"
    
    # If this option is set to 1 the blocks will be permanent
    # If this option is > 1, the blocks will be temporary for the specified number
    # of seconds
    LF_DISTSMTP_PERM = "1"
    
    # This is the interval during which a distributed FTP or SMTP attack is
    # measured
    LF_DIST_INTERVAL = "300"
    
    Thanks all!
     
    #1 jasonman, Oct 6, 2014
    Last edited by a moderator: Oct 6, 2014
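Before treating the error log above as an attack, it is worth measuring it. The following is an added example, not code from the thread or from cPanel or CSF, that parses Apache error_log lines in the format quoted in the post (a subset of those lines is embedded as constructed sample input), counts misses per client IP and per path, and computes each IP's peak hit count inside a sliding ten-minute window. The window length and the `flood_threshold` of 100 hits per window are assumptions chosen for this example, not values from any tool.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the Apache error_log lines quoted in the post.
SAMPLE_LOG = """\
[Mon Oct 06 22:32:48 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
[Mon Oct 06 22:32:48 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/utf/mobile
[Mon Oct 06 22:29:35 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
[Mon Oct 06 22:29:35 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/utf/mobile
[Mon Oct 06 22:26:23 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/404.shtml
[Mon Oct 06 22:26:23 2014] [error] [client 66.249.69.117] File does not exist: /home/sze1106/public_html/utf/mobile
[Mon Oct 06 22:16:44 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/404.shtml
[Mon Oct 06 22:16:44 2014] [error] [client 66.249.69.85] File does not exist: /home/sze1106/public_html/utf/mobile
[Mon Oct 06 22:06:08 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
[Mon Oct 06 21:40:08 2014] [error] [client 66.249.69.101] File does not exist: /home/sze1106/public_html/404.shtml
"""

# Matches the Apache 2.2 error_log line format shown in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] File does not exist: (?P<path>\S+)$"
)


def parse_missing_file_events(text):
    """Return (timestamp, client_ip, path) tuples, oldest first, for every
    'File does not exist' line; lines in any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            events.append((ts, m["ip"], m["path"]))
    return sorted(events)


def peak_in_window(timestamps, window):
    """Largest number of timestamps inside any interval of length `window`
    (two-pointer sweep over the sorted list)."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def profile_clients(events, window=timedelta(minutes=10), flood_threshold=100):
    """Per client IP: total hits, peak hits in any `window`, and a label.
    `flood_threshold` (hits per window) is an assumed cut-off for this example,
    not a CSF or Apache value."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        peak = peak_in_window(stamps, window)
        report[ip] = {
            "total": len(stamps),
            "peak_per_window": peak,
            "label": "flood" if peak >= flood_threshold else "low-rate repeat",
        }
    return report


def top_paths(events, n=5):
    """Most frequently missing paths. A 404 document path that appears next to
    every miss (here /404.shtml) is Apache failing to find the error page itself."""
    return Counter(path for _, _, path in events).most_common(n)


if __name__ == "__main__":
    evs = parse_missing_file_events(SAMPLE_LOG)
    for ip, row in sorted(profile_clients(evs).items()):
        print(f"{ip:16} total={row['total']:3} peak/10min={row['peak_per_window']:3} {row['label']}")
    for path, hits in top_paths(evs):
        print(f"{hits:3}  {path}")
```

On the sample, every client peaks at a handful of hits per ten minutes, which is the profile of a client re-requesting a removed URL at crawl speed rather than of a connection flood; CSF's connection-tracking limits are aimed at the latter. The paired `/404.shtml` line on each request is Apache looking for the site's custom 404 page, so creating that page (or pointing the `ErrorDocument 404` directive at one that exists) halves the log noise without touching the firewall.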
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Please keep in mind that CSF is a third-party application that is not developed by cPanel. You can find their support forums at:

    CSF - Support Forums

    That being said, you may still receive some helpful user-feedback here as well.

    Thank you.
     
  3. HH-Abdullah

    HH-Abdullah Member

    cPanel Access Level:
    DataCenter Provider
    I am not sure if CSF can block any type of complex DDoS in today's age, except maybe some small attacks. You need to talk to your provider for some sort of protection on the network level if DDoS is becoming a problem for you.

    About the DNS recursion, the link you posted explains it perfectly. You do not really need it, so you can just disable it.
     
  4. caisc

    caisc Active Member

    Location:
    India
    cPanel Access Level:
    Root Administrator
    1 - If attacks originate from a specific country only, you can block that country in CSF.
    2 - Enable DShield and Spamhaus in CSF; it prevents many spammers and other bad actors from connecting to your server.

    Also, after every restriction, keep an eye on the stats that are also collected by CSF.
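Whatever extra restrictions are added, the settings proposed in the first post should be checked against the constraints their own comments state: LF_DISTFTP_UNIQ must be <= LF_DISTFTP and LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP, which the proposed values (3 > 1 and 4 > 1) do not satisfy. In CSF's shipped csf.conf, CT_LIMIT is also the per-IP connection count at which a block fires, not an on/off switch. The following is an added example, not part of the thread or of CSF, that parses a csf.conf-style fragment (the first post's values, embedded as constructed sample input) and reports those inconsistencies. `ASSUMED_MIN_CT_LIMIT` is an assumption for this example, not a CSF default.

```python
import re

# Constructed sample: the values proposed in the first post, written in the
# KEY = "value" form that the shipped csf.conf uses.
SAMPLE_CSF_CONF = """\
# Connection tracking
CT_LIMIT = "1"
CT_INTERVAL = "30"
CT_EMAIL_ALERT = "1"
CT_PERMANENT = "1"
CT_BLOCK_TIME = "1800"
CT_PORTS = "80,23,443"
# Distributed attack detection
LF_DISTATTACK = "1"
LF_DISTATTACK_UNIQ = "2"
LF_DISTFTP = "1"
LF_DISTFTP_UNIQ = "3"
LF_DISTFTP_PERM = "1"
LF_DISTSMTP = "1"
LF_DISTSMTP_UNIQ = "4"
LF_DISTSMTP_PERM = "1"
LF_DIST_INTERVAL = "300"
"""

# Assumption for this example: a CT_LIMIT below this almost certainly means the
# option was read as a boolean (a single browser opens several connections).
ASSUMED_MIN_CT_LIMIT = 20

# KEY = "value" or KEY = value, optional trailing # comment.
KEY_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')


def parse_csf_conf(text):
    """Map KEY -> value for csf.conf-style lines; accepts quoted or bare values
    and ignores blank lines and # comments."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def _as_int(cfg, key):
    """Integer value of a key, 0 if absent, None if not numeric."""
    try:
        return int(cfg.get(key, "0"))
    except ValueError:
        return None


def check_ddos_settings(cfg):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    # Constraint stated in csf.conf's own comments for the distributed checks.
    for base in ("LF_DISTFTP", "LF_DISTSMTP"):
        total, uniq = _as_int(cfg, base), _as_int(cfg, base + "_UNIQ")
        if total and uniq is not None and uniq > total:
            findings.append(
                f"{base}_UNIQ={uniq} exceeds {base}={total}; "
                f"the distributed {base[7:]} check can never trigger")
    ct = _as_int(cfg, "CT_LIMIT")
    if ct and ct < ASSUMED_MIN_CT_LIMIT:
        findings.append(
            f"CT_LIMIT={ct} is a per-IP connection count, not a flag; "
            f"this would block ordinary clients holding a few connections")
    # From the same comments: permanent CT blocks make the block time moot.
    if cfg.get("CT_PERMANENT") == "1" and cfg.get("CT_BLOCK_TIME"):
        findings.append("note: CT_PERMANENT=1 makes CT_BLOCK_TIME irrelevant; "
                        "connection-tracking blocks will never expire")
    return findings


if __name__ == "__main__":
    for finding in check_ddos_settings(parse_csf_conf(SAMPLE_CSF_CONF)) or ["no findings"]:
        print("-", finding)
```

Run against the first post's values this reports both distributed-check thresholds as unreachable and CT_LIMIT=1 as a misread boolean; the same parser accepts the bare `CT_LIMIT =1` form from the blog post, so it can be pointed at a copy of /etc/csf/csf.conf before `csf -r` is run.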
     