Today I will do some setup on CSF (ConfigServer Security & Firewall).
Open the config file to modify the features below:
/etc/csf/csf.conf
1. Protection from DoS attacks by limiting the number of concurrent connections to a port
Configure CONNLIMIT="" with a value of the form "port1;limit1,port2;limit2,..."
For example: CONNLIMIT = "22;5,80;20" means that port 80 (http) allows 20 connections from one IP, so a machine that keeps querying the server and opens more than 20 connections at once will be blocked; port 22 (ssh) allows 5 connections from one IP.
2. Port Flood Prevention
Monitor the total number of connections from an IP to a port over a specified period of time with the PORTFLOOD setting. The input value has the form
PORTFLOOD = "port;protocol;total connections;interval, ..."
For example: PORTFLOOD = "80;tcp;100;5" means that an IP that makes 100 connections to port 80 over the tcp protocol within 5 seconds will be blocked.
3. Prevention of SYN FLOOD
SYNFLOOD = "1"
SYNFLOOD_RATE = "75/s"
SYNFLOOD_BURST = "25"
Where SYNFLOOD = "1" enables SYN flood protection, SYNFLOOD_RATE = "75/s" sets the number of SYN packets allowed from one IP per second, and SYNFLOOD_BURST is the number of times an IP can reach SYNFLOOD_RATE before being blocked.
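As an added example (not code from the original post or from CSF itself), the following Python parses the three value formats described in sections 1 to 3 so an edit can be checked before csf is restarted, and models the PORTFLOOD counting on a constructed list of connection times. The function names, the conversion of the rate unit to packets per second, and the simplified sliding-window model are this example's own assumptions; CSF implements PORTFLOOD with the iptables "recent" match, whose exact boundary behaviour is not reproduced here.

```python
import re


def _unquote(value):
    """Strip surrounding whitespace and the double quotes csf.conf uses."""
    return value.strip().strip('"').strip()


def parse_connlimit(value):
    """CONNLIMIT = "port;limit,port;limit,..." -> {port: limit}.

    Each entry caps the number of concurrent connections one IP may hold
    to that port. Raises ValueError for anything that is not 'port;limit'.
    """
    result = {}
    body = _unquote(value)
    if not body:                      # CONNLIMIT = "" disables the feature
        return result
    for item in body.split(","):
        parts = item.strip().split(";")
        if len(parts) != 2:
            raise ValueError(f"CONNLIMIT entry {item!r}: expected 'port;limit'")
        port, limit = (int(p) for p in parts)   # non-numeric -> ValueError
        if not 1 <= port <= 65535 or limit < 1:
            raise ValueError(f"CONNLIMIT entry {item!r}: port or limit out of range")
        result[port] = limit
    return result


def parse_portflood(value):
    """PORTFLOOD = "port;proto;hits;interval,..." -> [(port, proto, hits, interval)].

    An IP that opens more than `hits` connections to `port` within
    `interval` seconds is blocked.
    """
    entries = []
    body = _unquote(value)
    if not body:
        return entries
    for item in body.split(","):
        parts = [p.strip() for p in item.split(";")]
        if len(parts) != 4:
            raise ValueError(f"PORTFLOOD entry {item!r}: expected 'port;proto;hits;interval'")
        port, proto = int(parts[0]), parts[1].lower()
        hits, interval = int(parts[2]), int(parts[3])
        if proto not in ("tcp", "udp"):
            raise ValueError(f"PORTFLOOD entry {item!r}: protocol must be tcp or udp")
        if not 1 <= port <= 65535 or hits < 1 or interval < 1:
            raise ValueError(f"PORTFLOOD entry {item!r}: value out of range")
        entries.append((port, proto, hits, interval))
    return entries


# Unit suffixes accepted by iptables --limit, which is what SYNFLOOD_RATE feeds.
_RATE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(value):
    """SYNFLOOD_RATE such as "75/s" -> packets per second as a float."""
    m = re.fullmatch(r"(\d+)/(s|m|h|d)", _unquote(value))
    if not m:
        raise ValueError(f"rate {value!r}: expected '<n>/s', '<n>/m', '<n>/h' or '<n>/d'")
    return int(m.group(1)) / _RATE_UNITS[m.group(2)]


def is_valid_connlimit(value):
    """True if parse_connlimit() accepts the value."""
    try:
        parse_connlimit(value)
        return True
    except ValueError:
        return False


def is_valid_portflood(value):
    """True if parse_portflood() accepts the value."""
    try:
        parse_portflood(value)
        return True
    except ValueError:
        return False


def first_block_time(times, hits, interval):
    """Simplified model of one PORTFLOOD rule (assumption, not CSF's code).

    `times` are connection timestamps in seconds from one IP. Returns the
    timestamp of the first connection that pushes the count inside any
    `interval`-second window above `hits`, or None if the rule never trips.
    """
    times = sorted(times)
    start = 0
    for i, t in enumerate(times):
        while times[start] <= t - interval:   # drop connections outside the window
            start += 1
        if i - start + 1 > hits:
            return t
    return None
```

Running parse_connlimit on the post's value "22;5,80;20" gives {22: 5, 80: 20}, and the separator slip "22;5,80,20" (a comma where the second semicolon belongs) is rejected, which is the kind of mistake that otherwise only shows up when csf fails to start.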
4. Opening and closing ports
# Open ports that accept incoming packets (IPv4)
TCP_IN = "20,21,22,25,53,80"
# Open ports that may send packets out (IPv4)
TCP_OUT = "443,20,21,22,25,80"
# Likewise if IPv6 is in use
TCP6_IN = "20,21,22,25"
TCP6_OUT = "20,21,22,25"
5. Execute a script
By default CSF checks the CPU load to see whether the server is overloaded. If that happens, CSF executes a script we define. Suppose you create a script to restart Apache and save it at /restartapache.sh; remember to make it executable with chmod +x /restartapache.sh
The content of that script is just the command to restart Apache
#!/bin/sh
# Note: lfd runs this script from its own working directory, so use an absolute path for the log file.
service httpd restart >> overload.log
Now, to run the /restartapache.sh script every time the CPU is overloaded, edit the config:
PT_LOAD_ACTION="/restartapache.sh"
6. Ban all IPs coming from a certain country
CC_DENY = "RU,CN"
7. Block after failed logins to services
# ENABLE LOGIN MONITORING
LF_TRIGGER = "1"
# Block if ssh login fails 3 times
LF_SSHD = "3"
LF_SSHD_PERM = "1"
# Block if ftp login fails 3 times
LF_FTPD = "3"
LF_FTPD_PERM = "1"
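As an added example (not code from the original post or from CSF), the following Python reads the settings from sections 4 to 7 out of a constructed csf.conf fragment and runs a few sanity checks a practitioner would want before restarting csf: that the SSH port is still in TCP_IN (the classic self-lockout), that CC_DENY holds two-letter country codes, that PT_LOAD_ACTION is an absolute path, and how LF_TRIGGER interacts with the per-service counters. That last check follows the comments in csf.conf itself, which describe LF_TRIGGER as a combined counter: with LF_TRIGGER = "0" the per-application triggers such as LF_SSHD are used, while any value greater than 0 counts every login failure against one overall total and ignores the per-application values. The sample values, the function names and the finding texts are this example's own.

```python
import re

# Constructed sample csf.conf fragment using the values discussed above
# (not a real file from the post's server).
SAMPLE_CONF = """\
TCP_IN = "20,21,22,25,53,80"
TCP_OUT = "443,20,21,22,25,80"
TCP6_IN = "20,21,22,25"
TCP6_OUT = "20,21,22,25"
CC_DENY = "RU,CN"
# login failure monitoring
LF_TRIGGER = "1"
LF_SSHD = "3"
LF_SSHD_PERM = "1"
LF_FTPD = "3"
LF_FTPD_PERM = "1"
PT_LOAD_ACTION = "/restartapache.sh"
"""

_SETTING = re.compile(r'^([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text):
    """Return {NAME: value} for every NAME = "value" line; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line.strip())
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def port_list(value):
    """Expand a TCP_IN-style list ("20,21,30000:30005") into a set of ports."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" in item:                       # CSF writes port ranges as low:high
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def _int(settings, key, default=0):
    """Integer value of a setting, or `default` when absent or non-numeric."""
    raw = settings.get(key, "").strip()
    return int(raw) if raw.isdigit() else default


def audit(settings, ssh_port=22):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []

    # Lockout check: the port you administer the box over must stay open.
    if ssh_port not in port_list(settings.get("TCP_IN", "")):
        findings.append(f"TCP_IN does not include SSH port {ssh_port}: csf will cut off your own session")

    # CC_DENY takes comma-separated two-letter country codes.
    for cc in settings.get("CC_DENY", "").split(","):
        cc = cc.strip()
        if cc and not re.fullmatch(r"[A-Za-z]{2}", cc):
            findings.append(f"CC_DENY entry {cc!r} is not a two-letter country code")

    # LF_TRIGGER > 0 replaces the per-application counters with one total.
    trigger = _int(settings, "LF_TRIGGER")
    per_app = [k for k in ("LF_SSHD", "LF_FTPD") if _int(settings, k) > 0]
    if trigger > 0 and per_app:
        findings.append(f"LF_TRIGGER={trigger} counts every login failure against one total; "
                        f"per-application limits {per_app} are ignored")

    # A *_PERM flag does nothing while the matching failure count is 0.
    for app in ("SSHD", "FTPD"):
        if settings.get(f"LF_{app}_PERM") == "1" and _int(settings, f"LF_{app}") == 0:
            findings.append(f"LF_{app}_PERM=1 has no effect while LF_{app} is 0")

    # The load action is executed by lfd, so a relative path will not resolve.
    action = settings.get("PT_LOAD_ACTION", "")
    if action and not action.startswith("/"):
        findings.append(f"PT_LOAD_ACTION {action!r} should be an absolute path")

    return findings


if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

On the sample above the only finding is the LF_TRIGGER one, which is why that check is worth having: the configuration looks like "block after 3 failed SSH logins" but, per csf.conf, LF_TRIGGER = "1" would block after a single failure of any monitored login. Feed it the real /etc/csf/csf.conf by replacing SAMPLE_CONF with the file's contents.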
8. Block IPs from spam lists
CSF can block an entire list of IPs by adding the URL of that list to the file /etc/csf/csf.blocklists. Open that file to add lists of IPs published by services that track spam sources.