ConfigServer Community Forum

hello all -

there are many times a certain page, particularly a login-page, seems to get hit hundreds (or even thousands) of times per minute. obviously this is some sort of hack attempt.

i seem to recall there was some way in CSF to space out multiple hits to the same page from the same IP number. or put another way, maybe a way to only allow one page from one particular IP every 20 seconds or something like that (sorry i am guessing here)

could somebody please refresh my memory what this setting is, and how to enable it?

thank you all very much.

Check for CONNLIMIT in CSF configuration.

thanks sergio - my CONNLIMIT value is blank, probably the initial default.

may i ask for a recommendation as to the value it might be set to?

i am thinking 80;20 as per the documentation:

http : / / configserver(dot)com/free/csf/readme.txt

If you are suffering of wordpress or joomla hack attempts to a login page, that setting will not help.

The connlimit what it does is to allow only 20 connections at a time at the same page, but that pesky attack cannot be stopped just with that. You have to rely on modsecurity and CSF with a regex rule to block any attempt to the login pages at the first try.

I have existing rules for both ModSecurity and CSF if you need.