PORTFLOOD not working with hitcount > 20

[jors]

Hi there,

We know that the iptables module involved with hitcount (xt_recent) by default only supports 20 number of packets per IP address to remember, but as per its documentation, this value can be set up to 255:

Code: Select all

parm:           ip_pkt_list_tot:number of packets per IP address to remember (max. 255) (uint); 20 by default

This change is done by loading the module specifying the value for each parameter (either manually with modprobe or through /etc/modprobe.d/xt_recent.conf):

Code: Select all

modprobe xt_recent ip_list_tot=3000 ip_pkt_list_tot=100

or

Code: Select all

cpaneldev:~# vi /etc/modprobe.d/xt_recent.conf
options xt_recent ip_list_tot=3000 ip_pkt_list_tot=100
# Then stopping iptables, unloading all modules and starting it again

Having done this, you can see that iptables xt_recent module values are correctly loaded:

Code: Select all

cpaneldev:~# cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
100

But even with an upper hitcount value, CSF is not calling PORTFLOOD chain from INPUT CHAIN. We found that CSF script /etc/csf/csf.pl has harcoded hitcount to a max of 20:

Code: Select all

$ vi /etc/csf/csf.pl
(...)
if (($count < 1) or ($count > 20))
(...)

If you change this hardcoded check to the value taken from /sys/module/xt_recent/parameters/ip_pkt_list_tot, then CSF is properly creating the iptables INPUT call to PORTFLOOD CHAIN.

So maybe the script should read the max hitcount value by reading /sys/module/xt_recent/parameters/ip_pkt_list_tot instead of hardcoding it? Or is there any reason to hardcode it? If so, could you please elaborate in order to understand this behaviour?

Thank you for your great software and kind regards.

[ForumAdmin]

We will look at adding a check in the future.

[ForumAdmin]

This has been added in v8.09 which we have just released:
http://blog.configserver.com

[sergeyb]

It seems the problem is still there. We set "80;tcp;30;5", but it doesn't work. We have centos 7 on our server. Please assist.

[swbrains]

I am also still having this problem in CSF v8.12. I have the PORTFLOOD set to: "22;tcp;15;120,80;tcp;30;5" and I had a DoS attack on one of my customer sites, generating a "high load" notification from the server. I checked the logs for that customer account and it showed about 60 hits in 5 seconds, all against the same page on their site. I've masked the IP address and target URL but the date/time is shown so you can see the number of hits against the same URL in a 5-second period (this is just a subset of the log over 5 seconds -- the hits from this IP continued for several minutes after this):

Code: Select all

45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:40 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:42 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:41 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:42 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:42 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:42 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:42 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:42 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:43 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:45 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:45 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"
45.20.xx.xx - - [08/Feb/2016:17:57:44 -0600] "GET /cgi-bin/xxxxxxxxxx"

[/size]

I think a previous version of CSF used to warn if you entered a number greater than 20, but now it doesn't warn so I assumed 30 was acceptable to help reduce false-positives. I'm going to set PORTFLOOD to watch port 80 for 20 hits instead of 30 and see if it helps, but I think there is still a problem with the PORTFLOOD setting as shown by the hits above which did not result in a block after reaching the specified number of hits within the specified time frame.

Thanks!