ConfigServer Community Forum

Hi
Trying to use the CT_LIMIT to block 2 different type of floods:

1) a simple DOS attack towards a client where someone keeps flooding them with calls to different images and pages in order to consume their bandwidth
This block has worked fine for quite some time and it blocks the way it should.

2) simple brutes on wp-login.php from one IP each time (they change IP, but do loads of attempts on each IP)
This is the most important part and it do not work at all.
We have typically 1.000 -5.000 attempts on wp-login.php from one IP on one accounts wp-login.php before we stop it manually.

The CT_LIMIT do not stop those connections at all.

Settings:
We have tried lots of different settings, and at moment we have:

CT_LIMIT = 490
CT_INTERVAL = 1800
CT_EMAIL_ALERT = 1
CT_PERMANENT = 0
CT_BLOCK_TIME = 14400
CT_SKIP_TIME_WAIT = 0
CT_STATES =
CT_PORTS = 80

Maybe I am misunderstanding what the CT_LIMIT can do, and it will not be able to stop the attempts to brute wp-login.php for some reason, but since it works fine on the other connections (including a number of false positives) I do not understand why.

Would really appreciate some suggestions how to solve this

// kjg

CT_LIMIT is only going to help with concurrent connections, not usually consecutive ones. To tackle this type of attack you should look at using the CONNLIMIT option on port 80/443.

Thank you for you quick reply
English is not my native language so I'll have to look up the difference between concurrent connections and consecutive ones in order to understand why it acts as it does (blocking one type of connections but not the other).

Will try using CONNLIMIT instead. WOuld something like 80;50,443;50 be reasonable?

Concurrent means the connections are happening all at the same time. Consecutive means the connections are happening one after the other (often quickly).

The configuration you mention would be a good start to see if it helps. Make sure to restart csf and then lfd after making any changes.