CSF can help with rate limiting?

FutherForward20
Junior Member
Posts: 22
Joined: 03 Sep 2016, 13:56

CSF can help with rate limiting?

Post by FutherForward20 »

Hello

If an IP starts gobbling up server resources by hitting a website multiple times, can we use CSF to rate limit them? What I mean is, to slow the resource allocation to that IP if it is hitting the server multiple times.

I currently have an Apache box with Linux CentOS 7 and I also use ModSecurity.
FutherForward20
Junior Member
Posts: 22
Joined: 03 Sep 2016, 13:56

Re: CSF can help with rate limiting?

Post by FutherForward20 »

I should say, the reason I ask is that I had a rogue IP that DDoSed the server by hitting a site multiple times in 6 minutes and the server crashed...

I can also see that there is a "CONNLIMIT" capability. I'm assuming this would be helpful in the above situation, but I've not set these parameters before, so would like a little reassurance.

At the moment I've configured CONNLIMIT "22;10,443;40,80;40"

And PORTFLOOD "22;tcp;5;200,80;tcp;30;5,443;tcp;30;5"

Does that look reasonable for a production server (4 CPUs, 8 GB RAM, approx. 10 static sites)?

Is there a way to test to see if it impacts the server negatively?
Metro2
Junior Member
Posts: 78
Joined: 10 Dec 2006, 10:10

Re: CSF can help with rate limiting?

Post by Metro2 »

I too am curious as to what would be considered a safe limit, more specifically just for port 80 HTTP requests, on a dedicated server being used for shared hosting services. I'm getting bursts of upwards of 70 connections in 60 seconds from single rogue / malicious IPs, and even with much more resources on my boxes (20 CPUs, 64 GB RAM) it still causes issues and high load spikes. I'm thinking maybe "80;50" would be a safe bet in my case, but still a bit unsure. I'm starting there and experimenting, but would definitely like to hear other opinions.
Metro2
Junior Member
Posts: 78
Joined: 10 Dec 2006, 10:10

Re: CSF can help with rate limiting?

Post by Metro2 »

I set:

CONNLIMIT = 80;50,443;50

And yet still I'm getting some occasional rogue IPs with upwards of 85 connections to port 443, generating high load.

/etc/csf/csftest.pl passes and shows xt_connlimit is loaded:

[~]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

So I'm not sure why the 443;50 limit isn't being enforced :(
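A small checker for the two settings discussed in this thread, added here as an example; it is not code from CSF or from any of the posters. It parses CONNLIMIT and PORTFLOOD strings in the csf.conf format used above (port;limit and port;proto;hits;interval), then counts established connections per remote IP and local port from ss-style output, so that what the kernel currently sees can be compared against the configured per-IP limit. The ss lines and the IP addresses are constructed sample data; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnLimit:
    port: int
    limit: int  # maximum concurrent connections to this port from one source IP


@dataclass(frozen=True)
class PortFlood:
    port: int
    proto: str
    hits: int  # connection attempts allowed from one IP within the interval
    interval: int  # interval length in seconds


def parse_connlimit(value: str) -> list[ConnLimit]:
    """Parse a csf.conf CONNLIMIT string such as "22;10,443;40,80;40"."""
    entries = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        fields = item.split(";")
        if len(fields) != 2:
            raise ValueError(f"CONNLIMIT entry needs port;limit, got {item!r}")
        port, limit = (int(f) for f in fields)
        if not 1 <= port <= 65535 or limit < 1:
            raise ValueError(f"bad CONNLIMIT entry {item!r}")
        entries.append(ConnLimit(port, limit))
    return entries


def parse_portflood(value: str) -> list[PortFlood]:
    """Parse a csf.conf PORTFLOOD string such as "22;tcp;5;200,80;tcp;30;5"."""
    entries = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        fields = item.split(";")
        if len(fields) != 4:
            raise ValueError(f"PORTFLOOD entry needs port;proto;hits;interval, got {item!r}")
        port, proto, hits, interval = fields
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad PORTFLOOD protocol in {item!r}")
        entries.append(PortFlood(int(port), proto, int(hits), int(interval)))
    return entries


# Constructed sample in the column layout of `ss -Htn` (no header):
# State Recv-Q Send-Q Local:Port Peer:Port. Addresses are documentation ranges.
SAMPLE_SS = """\
ESTAB 0 0 203.0.113.10:443 198.51.100.7:51234
ESTAB 0 0 203.0.113.10:443 198.51.100.7:51235
ESTAB 0 0 203.0.113.10:443 198.51.100.7:51236
ESTAB 0 0 203.0.113.10:443 192.0.2.44:40001
ESTAB 0 0 203.0.113.10:80 192.0.2.44:40002
ESTAB 0 0 203.0.113.10:80 192.0.2.44:40003
ESTAB 0 0 203.0.113.10:22 192.0.2.9:55000
"""

# Greedy \S+ before the colon lets bracketed IPv6 addresses parse as well.
_SS_LINE = re.compile(r"^ESTAB\s+\d+\s+\d+\s+\S+:(\d+)\s+(\S+):\d+$")


def count_connections(ss_output: str) -> Counter:
    """Count ESTAB connections per (peer IP, local port); other states are skipped."""
    counts: Counter = Counter()
    for line in ss_output.splitlines():
        m = _SS_LINE.match(line.strip())
        if m:
            counts[(m.group(2), int(m.group(1)))] += 1
    return counts


def over_limit(counts: Counter, limits: list[ConnLimit]) -> dict[tuple[str, int], int]:
    """Return the (peer IP, port) pairs whose count exceeds the CONNLIMIT for that port."""
    limit_by_port = {c.port: c.limit for c in limits}
    return {
        key: n
        for key, n in counts.items()
        if key[1] in limit_by_port and n > limit_by_port[key[1]]
    }


if __name__ == "__main__":
    # A deliberately low limit on 443 so the constructed sample produces a hit.
    limits = parse_connlimit("22;10,443;2,80;40")
    for (ip, port), n in over_limit(count_connections(SAMPLE_SS), limits).items():
        print(f"{ip} has {n} established connections to port {port}")
```

The checker counts only ESTAB lines, so its numbers will be lower than a count taken over every TCP state (TIME_WAIT sockets in particular); when comparing against what CONNLIMIT enforces, use the same definition of "connection" on both sides.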