csf ct_limit and connlimit
Hi,
I have an issue with csf and too many connections from specific IPs. A few times a week I'll have one unique IP that has a few hundred connections to my server.
Example:
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:57019 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:51959 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:56310 TIME_WAIT -
tcp 0 617 51.68.xx,xx:80 138.68.xx,xx:49729 FIN_WAIT1 1195/httpd
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:59294 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:54074 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:52335 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:50684 ESTABLISHED 1195/httpd
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:62749 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:49192 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:53449 TIME_WAIT -
tcp 0 0 51.68.xx,xx:80 138.68.xx,xx:57657 TIME_WAIT -
It seems that csf doesn't count the connections in TIME_WAIT, but I would like it to do so.
This is not legitimate traffic and it creates a server overload every time:
/etc/apache2/logs/domlogs/domain.com:138.68.xx.xx - - [29/Apr/2020:15:22:41 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
/etc/apache2/logs/domlogs/domain.com:138.68..xx.xx - - [29/Apr/2020:15:22:42 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
/etc/apache2/logs/domlogs/domain.com:138.68..xx.xx - - [29/Apr/2020:15:22:44 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
As soon as I ban this IP the load decreases rapidly and goes back to a normal value. In this example, this IP had more than 1000 connections to the server; even though most of them were in TIME_WAIT, it was still causing an issue for our server.
Currently, I use these settings for CSF :
#If the total number of connections is greater than
# this value then the offending IP address is blocked.
CT_LIMIT = "100"
CONNLIMIT = "22;5,80;50,443;50,25;10"
Has anyone seen a similar issue?
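The counting the post above asks for (every socket state per remote IP, TIME_WAIT included, plus the rate of POSTs to xmlrpc.php per client in the domlogs) can be done from the same two sources pasted above. The script below is an added example written for this thread, not code from csf or from the poster; the netstat lines and domlog lines it contains are constructed samples using documentation address ranges, and the thresholds are arbitrary parameters.

```python
"""Added example (not from the thread): count per-IP TCP socket states,
TIME_WAIT included, from netstat-style output, and count POST requests to
xmlrpc.php per client IP from Apache domlog lines. All sample data below is
constructed and uses documentation address ranges."""
import re
from collections import Counter, defaultdict

# Constructed sample in the same layout as `netstat -tnp` output.
NETSTAT_SAMPLE = """\
tcp 0 0 192.0.2.10:80 198.51.100.7:57019 TIME_WAIT -
tcp 0 0 192.0.2.10:80 198.51.100.7:51959 TIME_WAIT -
tcp 0 617 192.0.2.10:80 198.51.100.7:49729 FIN_WAIT1 1195/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:50684 ESTABLISHED 1195/httpd
tcp 0 0 192.0.2.10:80 198.51.100.7:62749 TIME_WAIT -
tcp 0 0 192.0.2.10:443 203.0.113.5:40001 ESTABLISHED 1195/httpd
tcp 0 0 192.0.2.10:22 203.0.113.9:40002 ESTABLISHED 900/sshd
"""

# Constructed sample domlog lines (combined log format, prefixed with the file name
# the way a grep over the domlogs directory prints them).
DOMLOG_SAMPLE = """\
/etc/apache2/logs/domlogs/example.com:198.51.100.7 - - [29/Apr/2020:15:22:41 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0"
/etc/apache2/logs/domlogs/example.com:198.51.100.7 - - [29/Apr/2020:15:22:42 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0"
/etc/apache2/logs/domlogs/example.com:198.51.100.7 - - [29/Apr/2020:15:22:44 +0200] "POST //xmlrpc.php HTTP/1.1" 200 408 "-" "Mozilla/5.0"
/etc/apache2/logs/domlogs/example.com:203.0.113.5 - - [29/Apr/2020:15:22:45 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# proto recv-q send-q local:port remote:port STATE [pid/program]
NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_0-9]+)")
# optional "filename:" prefix, client IP, ident, user, [timestamp], "METHOD PATH ..."
LOG_RE = re.compile(r'^(?:\S+:)?(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')


def count_connection_states(netstat_text):
    """Map remote IP -> Counter of TCP states, counting every state (TIME_WAIT too)."""
    per_ip = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            per_ip[m.group(3)][m.group(5)] += 1
    return dict(per_ip)


def count_xmlrpc_posts(log_text):
    """Map client IP -> number of POST requests to xmlrpc.php (query string ignored)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        if method == "POST" and path.split("?", 1)[0].endswith("xmlrpc.php"):
            hits[ip] += 1
    return hits


def suspicious_ips(netstat_text, log_text, conn_threshold=100, post_threshold=20):
    """Return {ip: [reasons]} for IPs at or above either threshold.

    Sockets are totalled across all states, which is the count the poster wanted
    and which, per the post, csf's CT_LIMIT does not include for TIME_WAIT."""
    states = count_connection_states(netstat_text)
    posts = count_xmlrpc_posts(log_text)
    flagged = {}
    for ip in sorted(set(states) | set(posts)):
        reasons = []
        total = sum(states.get(ip, Counter()).values())
        if total >= conn_threshold:
            tw = states[ip].get("TIME_WAIT", 0)
            reasons.append(f"{total} TCP sockets ({tw} in TIME_WAIT)")
        if posts[ip] >= post_threshold:
            reasons.append(f"{posts[ip]} POST requests to xmlrpc.php")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    # Thresholds are lowered so the small constructed sample trips them.
    for ip, reasons in suspicious_ips(NETSTAT_SAMPLE, DOMLOG_SAMPLE, 5, 3).items():
        print(ip, "->", "; ".join(reasons))
```

On a live box you would feed it `netstat -tnp` output and the relevant domlog instead of the embedded samples; the output is a review list, and whether a flagged address gets blocked is still a decision for the admin.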
-
This is discussed in section 20 of the readme provided by CSF (https://download.configserver.com/csf/readme.txt):

20. Connection Limit Protection
###############################
This option configures iptables to offer protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of new concurrent connections per IP address that can be made to specific ports.

This feature does not work on servers that do not have the iptables module xt_connlimit loaded. Typically, this will be with Monolithic kernels. VPS server admins should check with their VPS host provider that the iptables module is included. Also, although included in some older versions of RedHat/CentOS, it was only actually available from v5.3+

The protection can only be applied to the TCP protocol.

Syntax for the CONNLIMIT setting:
CONNLIMIT is a comma separated list of:
port;limit

So, a setting of CONNLIMIT = "22;5,80;20" means:
1. Only allow up to 5 concurrent new connections to port 22 per IP address
2. Only allow up to 20 concurrent new connections to port 80 per IP address

Note: Existing connections are not included in the count, only new SYN packets, i.e. new connections
Note: Run /etc/csf/csftest.pl to check whether this option will function on the server

They also have several threads on this in their forums.
-
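To make the readme's "port;limit" syntax concrete, here is an added example (written for this thread, not csf's own code) that parses a CONNLIMIT string such as the one in the first post, validates it, spells each entry out in the readme's wording, and renders the iptables connlimit rule each entry corresponds to. The rule shape shown is an assumed illustration of what such a limit looks like in iptables terms, not the exact rule csf generates, and the module check is a quick local hint only; /etc/csf/csftest.pl remains the authoritative test.

```python
"""Added example, not csf's own code: parse csf's CONNLIMIT setting
(comma-separated "port;limit" entries, readme section 20), validate it,
and render an illustrative iptables connlimit rule per entry. The rule
shape is an assumption for illustration, not the rule csf emits."""
import os


def parse_connlimit(setting):
    """Return {port: limit} from a CONNLIMIT string; raise ValueError on bad input."""
    limits = {}
    if not setting.strip():
        return limits  # an empty setting disables the feature
    for raw in setting.split(","):
        entry = raw.strip()
        parts = [p.strip() for p in entry.split(";")]
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad CONNLIMIT entry {entry!r}: expected port;limit")
        port, limit = int(parts[0]), int(parts[1])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        if limit < 1:
            raise ValueError(f"limit must be >= 1 in {entry!r}")
        if port in limits:
            raise ValueError(f"port {port} listed twice")
        limits[port] = limit
    return limits


def is_valid_connlimit(setting):
    """True when parse_connlimit() accepts the string, False otherwise."""
    try:
        parse_connlimit(setting)
    except ValueError:
        return False
    return True


def describe(limits):
    """Plain-language reading of each entry, in the readme's own wording."""
    return [f"Only allow up to {limit} concurrent new connections to port {port} per IP address"
            for port, limit in limits.items()]


def render_rules(limits, chain="INPUT", target="DROP"):
    """Illustrative iptables rules (assumed shape, not csf's): a new TCP SYN to the
    port is dropped when the source /32 already holds more than `limit` tracked
    connections to it. As the readme says, only new SYN packets are matched."""
    return [f"iptables -A {chain} -p tcp --syn --dport {port} "
            f"-m connlimit --connlimit-above {limit} --connlimit-mask 32 -j {target}"
            for port, limit in sorted(limits.items())]


def connlimit_module_loaded():
    """Quick hint that the xt_connlimit module the readme requires is loaded
    (it shows up under /sys/module once loaded). Not a substitute for csftest.pl."""
    return os.path.isdir("/sys/module/xt_connlimit")


if __name__ == "__main__":
    limits = parse_connlimit("22;5,80;50,443;50,25;10")  # the setting from the first post
    for line in describe(limits) + render_rules(limits):
        print(line)
    print("xt_connlimit loaded:", connlimit_module_loaded())
```

Note that none of these rules count sockets sitting in TIME_WAIT, which is exactly the gap the first post describes; CONNLIMIT bounds how many new connections a source can open, not how many old ones are still draining.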
Hello perplex! A ConfigServer Forums Moderator may have since removed these forum posts. Please keep in mind that the configuration and management of third-party services not provided by cPanel, such as CSF, is best handled by a qualified administrator who has the experience and expertise necessary to diagnose and troubleshoot such systems. For more information on the issue, it may be best to contact ConfigServer's support team or post a new thread in their forums regarding these concurrent connections. For your convenience, I've found a link with their support contact methods here.