Feb 202016
 

Preventing DDOS attack from csf firewall.

First make sure DDOS attack is not from open recursive DNS settings. To check and fix that issue please read this article – Preventing DDOS aplification open resolver attack

This article is to set CSF firewall so that any DDOS intentional attack to your server can be prevented.

 

Step 1: open and edit CSF config file. 

 

Settings: 

Enable connection tracking.
CT_LIMIT is max number of connection allowed from one IP, you can set this value as per your server requirement.

Set connection tracking interval.

If you want to get possible ddos attack email then enable it.

If you want to make IP blocks permanent then set this to 1, otherwise blocks
will be temporary and will be cleared after CT_BLOCK_TIME seconds

If you opt for temporary IP blocks for CT, then the following is the interval
in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)

If you only want to count specific ports (e.g. 80,443) then add the ports
to the following as a comma separated list. E.g. “80,443”

 

These settings will be enough for DDOS attacks but if you are getting more attacks even you have above option configured then we can set few more options.

 

Step 2: Enable distributed attacks

Set the following to the minimum number of unique IP addresses that trigger
LF_DISTATTACK

 

Step 3: Enable distributed FTP attacks

 

Set the following to the minimum number of unique IP addresses that trigger
LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work

 

If this option is set to 1 the blocks will be permanent
If this option is > 1, the blocks will be temporary for the specified number
of seconds

 

Step 4: Enable distributed SMTP attacks.

 

 

Set the following to the minimum number of unique IP addresses that trigger
LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work

 

If this option is set to 1 the blocks will be permanent
If this option is > 1, the blocks will be temporary for the specified number
of seconds

 

This is the interval during which a distributed FTP or SMTP attack is
measured

Facebook Comments

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

(required)

(required)