Some useful CSF / LFD commands to run via SSH.
| Command | Description | Example |
|---|---|---|
| csf -e | Enable CSF | |
| csf -x | Disable CSF | |
| csf -f | Flush/stop firewall rules | |
| csf -d IP Comment | Block the IP | csf -d 18.104.22.168 badguy |
| csf -d IP/netmask | Block the IP range | csf -d 22.214.171.124/24 |
| csf -dr IP | Unblock an IP | csf -dr 126.96.36.199 |
| csf -df | Remove and unblock all entries in /etc/csf/csf.deny | |
| csf -g IP | Search an IP's status in csf | csf -g 188.8.131.52 |
| csf -a IP | Allow an IP permanently | csf -a 184.108.40.206 |
More you can do with CSF / LFD:
# To limit the number of connections per IP address
$ vim /etc/csf/csf.conf

Find the CT_LIMIT value and update it to the value you need. For example, if CT_LIMIT is set to 100, it means that if the total number of connections to the server from a single IP is more than 100, that IP address will be blocked.

# To limit the number of connections from an IP address to a port at a particular time

Note: the xt_connlimit kernel module must be enabled on the server for this.

$ vim /etc/csf/csf.conf

Find and edit the value CONNLIMIT:

CONNLIMIT = "80;100 25;40"

The above setting means the server only allows 100 connections from a single IP address to port 80 and 40 connections to port 25.
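To see what the CT_LIMIT and CONNLIMIT thresholds above actually count before you enable them, here is an added example (not code from the page or from the CSF project) that reproduces the per-IP and per-IP-per-port counting on a constructed `netstat -ntu` sample; the IPs and the lowered limits are made up for the sample.

```shell
#!/bin/sh
# Added example: mirror the counting behind CT_LIMIT (connections per remote IP)
# and CONNLIMIT (connections per remote IP to a given local port) so you can
# preview which addresses would trip a threshold. Not CSF/lfd code.

# Constructed sample in `netstat -ntu` layout (documentation IPs only).
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:25         198.51.100.7:51237      ESTABLISHED
tcp        0      0 203.0.113.10:25         198.51.100.9:40001      ESTABLISHED
tcp        0      0 203.0.113.10:25         198.51.100.9:40002      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.20:33000     ESTABLISHED'

# CT_LIMIT-style check: total connections per remote IP; prints "ip count"
# for every IP whose count exceeds the limit given as $1. Reads stdin.
ct_offenders() {
  awk -v limit="$1" '
    $1 ~ /^(tcp|udp)/ { ip = $5; sub(/:[0-9]+$/, "", ip); n[ip]++ }
    END { for (ip in n) if (n[ip] > limit) print ip, n[ip] }' | sort
}

# CONNLIMIT-style check: $1 is the csf.conf value, e.g. "80;100 25;40",
# i.e. space-separated port;limit pairs. Prints "ip port count" where an
# IP exceeds the limit for that local port. Reads stdin.
connlimit_offenders() {
  awk -v spec="$1" '
    BEGIN {
      m = split(spec, pairs, " ")
      for (i = 1; i <= m; i++) { split(pairs[i], p, ";"); lim[p[1]] = p[2] + 0 }
    }
    $1 ~ /^(tcp|udp)/ {
      lport = $4; sub(/.*:/, "", lport)      # local port (works for IPv6 too)
      ip = $5; sub(/:[0-9]+$/, "", ip)       # remote IP with the port stripped
      if (lport in lim) n[ip " " lport]++
    }
    END {
      for (k in n) { split(k, kk, " "); if (n[k] > lim[kk[2]]) print k, n[k] }
    }' | sort
}

# Limits lowered from the values on the page so the small sample trips them.
printf '%s\n' "$SAMPLE" | ct_offenders 3                  # -> 198.51.100.7 4
printf '%s\n' "$SAMPLE" | connlimit_offenders "80;2 25;1"
```

On a live host replace the sample with `netstat -ntu | ct_offenders "$CT_LIMIT"` to preview the effect of a value before changing csf.conf.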
# SYNflood Protection
CSF recommends enabling this setting only while you are actually under a SYN attack.
Check for SYN packets :
# netstat -nap | grep SYN -c
Only a large number here points to a possible SYN flood attack.
Normally it is disabled, with these settings in /etc/csf/csf.conf:

SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

Enable it by setting SYNFLOOD to 1.
SYNFLOOD_RATE is the number of SYN packets to accept per IP, per second.
SYNFLOOD_BURST is the number of times the IP can hit the rate limit before being blocked in the firewall.
# Block offending countries
Look for the CC_DENY option and enter the code of the country you want to block:

CC_DENY = ""

You can find the country codes online.
# Blocking particular IPs which have 'x' connections in a minute
A combination of the following values is needed for this.
- CT_LIMIT = "10" - sets the maximum number of connections (x) from a single IP address to the server. When the number of connections goes over 10, the IP will be blocked.
- CT_PERMANENT = "1" - IPs with excessive connections will be blocked permanently.
- CT_BLOCK_TIME = "3600" - blocks the IP for 1 hour (3600 seconds).
- CT_INTERVAL = "60" - the interval in seconds between connection tracking scans.