ConfigServer Community Forum

Peer support forums for ConfigServer Scripts
https://mail.forum.configserver.com/

CSF can help with rate limiting ?

https://mail.forum.configserver.com/viewtopic.php?t=12797

Page 1 of 1

CSF can help with rate limiting ?

Posted: 06 Apr 2023, 00:53
by FutherForward20
Hello

If an IP starts gobbling up server resources by hitting a website multiple times, can we use CSF to rate limit them ? What I mean is, to slow the resource allocation to that IP if it is hitting the server multiple times.

I currently have an Apache box with linux CentOS7 and I also use Mod Sec.

Re: CSF can help with rate limiting ?

Posted: 06 Apr 2023, 00:54
by FutherForward20
I should say, the reason I ask is I had an rogue IP that DDOSed the server by hitting a site multiple times in 6 minutes and the server crashed....

I can also see that there is a "CONNLIMIT" capability. I'm assuming this be helpful in the above situation - but I've not set these parameters before, so would like a little reassurance.

At the moment I've configured CONNLIMIT "22;10,443;40,80;40"

And PORTFLOOD "22;tcp;5;200,80;tcp;30;5,443;tcp;30;5"

Does that look reasonable for a production server (4CPUs 8 GB ram, approx 10 static sites)

Is there a way to test to see if it impacts the server negatively ?

Re: CSF can help with rate limiting ?

Posted: 11 Sep 2023, 22:03
by Metro2
I too am curious as to what would be considered a safe limit, more specifically just for port 80 http requests, on a dedicated server being used for shared hosting services. I'm getting bursts of upwards of 70 connections in 60 seconds from single rogue / malicious IPs, and even with much more resources on my boxes (20 CPU, 64GB RAM) it still causes issues and high load spikes. I'm thinking maybe "80;50" would be a safe bet in my case, but still a bit unsure. I'm starting there and experimenting, but would definitely like to hear other opinions.

Re: CSF can help with rate limiting ?

Posted: 18 Sep 2023, 18:07
by Metro2
I set:

CONNLIMIT = 80;50,443;50

And yet still I'm getting some occasional rogue IPs with upwards of 85 connections to port 443 , generating high load.

/etc/csf/csftest.pl passes and shows xt_connlimit is loaded:

[~]# /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...OK
Testing ipt_owner/xt_owner...OK
Testing iptable_nat/ipt_REDIRECT...OK
Testing iptable_nat/ipt_DNAT...OK

RESULT: csf should function on this server

So I'm not why the 443;50 limit isn't being enforced :(
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited