CSF (CONNLIMIT) configuration for production server
Hello guys,
I am receiving a Slowloris attack and in an attempt to mitigate the attack I configured the CSF to:

CONNLIMIT = 80;75,443;75,21;50
PORTFLOOD = 80;tcp;50;1,443;tcp;50;1

This worked perfectly. I want to make this setting permanent, but I'm worried about legitimate bots being blocked. I have over one hundred hosted sites that get a lot of traffic. About 2 million unique accesses per day in all. What do you guys think? Is it safe to keep this setup on a production server? Note: I already use mod_reqtimeout + modsec, but it did not solve the problem. Mod_qos does not work for me because I use MPM Prefork. Mod_antiloris is very old and outdated.
-
I want to make this setting permanent, but I'm worried about legitimate bots being blocked.
Hello, Whitelisting the IP addresses of known bots that you want to ensure are allowed to access the server might be a viable option. Thank you.
-
Hello Michael, this is a great idea, but in the case of Googlebots there is no list of IPs. To identify the Googlebot it is necessary to resolve the IP. Do you think this rule in production can cause problems? Will any Google bot be able to make 75 simultaneous requests with a single IP some day?
-
Do you think this rule in production can cause problems? Will any google bot be able to make 75 simultaneous requests with a single IP some day?
I don't believe the rule referenced in your original post should result in any issues with the Google Bot user agent based on a limit of 75, however there's a page here you may find informative: Change Googlebot crawl rate - Search Console Help. Thank you.
-
Hello @cPanelMichael, After almost two months, I decided to update this subject with my considerations: This limit works very well; I had no problems with Googlebot so far, hosting more than 100 websites. Thanks to Google's good practice of hitting each site with a different IP, I believe that this limit will never generate problems with robots. And it is very rare for Google to make more than 15 simultaneous connections.
-
Hello, I'm happy to see it's working as intended. Thank you for updating us with the outcome.
-
CONNLIMIT = 80;75,443;75,21;50 PORTFLOOD = 80;tcp;50;1,443;tcp;50;1
Am I correct in seeing these `80;tcp;50;1,443;tcp;50;1` block for just 1 second? If so, why does that work?
-
@Ben Taylor - it's usually best to create a new thread when one is 5-6 years old, as we may not see your reply. You are correct on the setting being a 1 second time, but it doesn't only block for one second. That line would be interpreted as this: if port 80 or port 443 receives more than 50 connections in one second, new connections will be blocked.
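As an added example (not from the thread and not CSF's own code), the Python below parses the two settings quoted in the original post and replays constructed connection attempts against them, to show what "50 hits in 1 second" and "75 concurrent per IP" mean in practice. The PORTFLOOD behaviour is modelled on the iptables 'recent' module's sliding window, as the reply above describes; that model, the IP addresses and the timestamps are all assumptions constructed for the example.

```python
from collections import defaultdict

CONNLIMIT = "80;75,443;75,21;50"          # settings quoted in the thread
PORTFLOOD = "80;tcp;50;1,443;tcp;50;1"

def parse_connlimit(s):
    """'80;75,443;75' -> {80: 75, 443: 75}: max concurrent connections per IP per port."""
    return {int(port): int(limit) for port, limit in (e.split(";") for e in s.split(","))}

def parse_portflood(s):
    """'80;tcp;50;1' -> {80: ('tcp', 50, 1)}: hit count within interval seconds, per IP."""
    rules = {}
    for entry in s.split(","):
        port, proto, hits, interval = entry.split(";")
        rules[int(port)] = (proto, int(hits), int(interval))
    return rules

def connlimit_refused(concurrent, rules):
    """concurrent: {(ip, port): open connections} -> how many exceed the per-IP limit."""
    return {k: max(0, n - rules[k[1]]) for k, n in concurrent.items() if k[1] in rules}

def portflood_blocked(events, rules):
    """events: (ts_ms, ip, port) new-connection attempts in time order.
    Sliding window per (ip, port), modelled on iptables 'recent' (an assumption):
    every attempt is recorded, dropped or not, so an IP stays blocked as long as
    it keeps exceeding the rate, not for a fixed one second."""
    seen, dropped = defaultdict(list), []
    for ts, ip, port in events:
        if port not in rules:
            continue
        _, hits, interval = rules[port]
        window = [t for t in seen[ip, port] if ts - t < interval * 1000]
        if len(window) >= hits:
            dropped.append((ts, ip, port))
        window.append(ts)
        seen[ip, port] = window
    return dropped

def demo():
    """Constructed traffic (not real logs): a crawler-like IP opening 15 connections,
    and a flooding IP sending 60 attempts in bursts at t=0, t=0.5 s and t=2 s."""
    flood, crawler = "203.0.113.5", "198.51.100.9"
    events = [(t, crawler, 80) for t in range(15)]
    events += [(start + i, flood, 80) for start in (0, 500, 2000) for i in range(60)]
    events.sort()
    blocked = portflood_blocked(events, parse_portflood(PORTFLOOD))
    refused = connlimit_refused({(crawler, 80): 15, (flood, 80): 200}, parse_connlimit(CONNLIMIT))
    return (sum(1 for e in blocked if e[1] == flood),
            sum(1 for e in blocked if e[1] == crawler), refused)
```

In the replay the crawler-like IP is never touched by either rule, while the flooding IP loses the last 10 attempts of its first burst, all 60 of the burst half a second later (its window is still full), and 10 of the burst two seconds later once the window has cleared.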