ConnectionTracking CT improvement ?! urgent issue
Posted: 15 Dec 2010, 18:21
Hi,
so I have csf+lfd on a cPanel server (CentOS)
so, when someone DoS attacks the server everything works fine, BUT
the attacker keeps connected for several seconds to minutes... and because I have a high frequency of visits on the server, some users always suffer because of the DoS attack...
and sometimes, because my CT_LIMIT is high (500, because of advanced clients, so they usually have too many connections to the server), httpd restarts itself or has some other issues
so my suggestion is to add "tcpkill" from the dsniff package (http://en.wikipedia.org/wiki/Tcpkill)...
so in the lfd.pl section:
Code:
###############################################################################
# start connectiontracking
NOT SURE WHERE EXACTLY, BUT PRETTY SURE
eg.
Code:
#...............................
flock (IN, LOCK_SH);
my @csftmpdeny = <IN>;
close (IN);
chomp @csftmpdeny;
foreach my $ip (keys %ipcnt) {
    if (($ipcnt{$ip} > $config{CT_LIMIT}) and !&ignoreip($ip)) {
        ##############################
        # PROBABLY HERE !, so that tcpkill kills
        # connection before anything else continues
        ##############################
        if ((grep {$_ =~ /^$ip\b/} @csfdeny) or (grep {$_ =~ /\|$ip\|\|/} @csftmpdeny)) {
            if ($config{DEBUG} >= 1) {&logfile("debug: (CT) IP $ip found to have $ipcnt{$ip} connections - IP already blocked")}
        } else {
            my $tip = &iplookup($ip);
            &ipblock($config{CT_PERMANENT},"(CT) IP $tip found to have $ipcnt{$ip} connections",$ip,"","inout",$config{CT_BLOCK_TIME},0,$iptext{$ip},"CT_LIMIT");
            if ($config{CT_EMAIL_ALERT}) {
#......................
Code:
my $timetokill = 20;  # seconds to let tcpkill run before it is killed
my $attackforce = 9;  # 1-9: degree of brute force (tcpkill -1 .. -9), higher = more RSTs per connection
#######################################
# DO NOT TOUCH BELOW
my $abc = '$!';       # single-quoted on purpose: bash, not Perl, expands $! to the PID of the backgrounded tcpkill
system("bash", "-c", "tcpkill -$attackforce host $ip & sleep $timetokill; kill $abc");
What do you think about positioning this kind of code in this position? Because I'm definitely going to add it, because I have loads of attacks frequently...
And also, with this kind of protection you could secure your Messenger port (because of recent attacks on the Messenger port I started to investigate the problem deeper...)
THX for your time,
Frane Marinković
Support dep. - Get-Host.net
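The snippet above hands the address to "bash -c" and relies on bash's $! to find the backgrounded tcpkill. As an added example (not part of the post above and not lfd.pl or ConfigServer code), here is the same bounded tcpkill run done from Perl with fork/exec, so no shell ever parses the address and the child is reaped by lfd rather than left to a sleeping bash. The sub names valid_ipv4 and tcpkill_ip are this example's own; it assumes tcpkill from dsniff is in PATH and that the caller is root (tcpkill needs to sniff and inject on the interface).

```perl
#!/usr/bin/perl
# Added example: run tcpkill against one address for a bounded time from Perl,
# without handing the address to "bash -c". Not part of lfd.pl or of the post
# above; assumes tcpkill (dsniff) is in PATH and the script runs as root.
use strict;
use warnings;
use POSIX ':sys_wait_h';

# Accept only a dotted-quad IPv4 address. lfd already gets these from netstat,
# but the check guarantees nothing but an address ever reaches tcpkill's argv.
sub valid_ipv4 {
    my ($ip) = @_;
    return 0 unless defined $ip
        && $ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    for my $octet ($1, $2, $3, $4) {
        return 0 if $octet > 255;
    }
    return 1;
}

# Run "tcpkill -<force> host <ip>" for at most $seconds, then stop it.
# Returns 1 if tcpkill ran, 0 if the address was rejected, fork failed, or
# tcpkill could not be executed. Like the post's system() call, this blocks
# the caller for up to $seconds.
sub tcpkill_ip {
    my ($ip, $force, $seconds) = @_;
    return 0 unless valid_ipv4($ip);
    $force   = 9  unless defined $force   && $force   =~ /^[1-9]$/;  # tcpkill -1 .. -9
    $seconds = 20 unless defined $seconds && $seconds =~ /^\d+$/;

    my $pid = fork();
    return 0 unless defined $pid;          # fork failed
    if ($pid == 0) {
        # Child: exec with a list, so no shell parses the arguments.
        exec('tcpkill', "-$force", 'host', $ip) or exit 127;
    }

    # Parent: poll until tcpkill exits on its own or the deadline passes.
    my $deadline = time() + $seconds;
    while (time() < $deadline) {
        if (waitpid($pid, WNOHANG) == $pid) {
            # Exited before the deadline; 127 means exec failed (tcpkill missing).
            return (($? >> 8) == 127) ? 0 : 1;
        }
        sleep 1;
    }
    kill 'TERM', $pid;       # deadline reached: stop sniffing and resetting
    waitpid($pid, 0);        # reap it so no zombie is left behind in lfd
    return 1;
}

# Stand-alone demonstration with a constructed TEST-NET-1 address (RFC 5737).
if (!caller) {
    print "malformed address rejected: ", (tcpkill_ip('192.0.2.1; id') ? "no" : "yes"), "\n";
    print "tcpkill ran for 5 seconds: ",   (tcpkill_ip('192.0.2.1', 9, 5)  ? "yes" : "no"), "\n";
}
```

Two things worth knowing before dropping either version into the CT loop: tcpkill works by sniffing with libpcap and injecting RSTs into connections it sees packets for, so a connection that goes idle after the block is placed is not reset and still has to time out in httpd; and both the post's system() call and this sub hold lfd for the whole $timetokill/$seconds, which delays every later CT check in that pass.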