CSF - PS config advice
I am wanting to make sure this config makes sense.
It is a cPanel server.
PS_INTERVAL = 300
PS_LIMIT = 20
PS_PORTS = 0:15,22:24,27:52,54:79,81:109,111:142,144:442,444:464,467:950,996:2081,3000:65535
My TCP_IN is : 20,21,22,25,53,80,110,143,443,465,587,993,995,1167,2077,2078,2082,2083,2086,2087,2095,2096,8668,7080,5666
I have noticed a huge amount of genuine traffic being blocked, so will the above config make much of a difference? So it skips port 80, etc.
Under PS_PORTS I would use the default CSF config:
This should not block any genuine traffic.
TCP_IN looks fine. You may want to add this to the TCP_IN ports, to make sure FTP Passive connections work:
If you want to block connection-based attacks, I recommend using the "Connection Limit Protection". Works phenomenal!
Thanks for the reply! The reason why I am asking, there is heaps of real traffic which is being blocked. The really weird thing is, all of them have port 80.. which who cares if they scan port 80?
Sample of block hits:
Jan 18 13:07:44 server kernel: [214708.252895] Firewall: *Port Flood* IN=eth0 OUT= MAC=00:16:XX SRC=XX.XX.XX DST=XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=30301 DF PROTO=TCP SPT=55234 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 18 13:07:45 server kernel: [214708.583474] Firewall: *Port Flood* IN=eth0 OUT= MAC=00:16:XX SRC=XX.XX.XX DST=XX.XX.XX LEN=52 TOS=0x00 PREC=0x00 TTL=111 ID=30306 DF PROTO=TCP SPT=55249 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
The values depend on how connections are made to your website. If multiple connections are opened by a single user, you should adjust the values accordingly. I think 20 connections in 300 seconds will definitely block legit traffic. You should decrease the PS_INTERVAL value a bit to see if it decreases the false positives.
You have SYNFLOOD to PORTFLOOD enabled? The provided log shows it's flooding connection rather than port scanning. If so, make sure you give enough room for IPs, based on the traffic.
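Added example, not part of the thread and not CSF's own code: a small triage script that groups firewall log hits by their `*tag*` and destination port, and checks each port against the PS_PORTS value quoted in the first post. The sample lines are constructed in the format of the excerpt above (documentation addresses, and the `*TCP_IN Blocked*` line is an assumed sample for contrast); the function names are hypothetical.

```python
import re
from collections import Counter

# PS_PORTS exactly as quoted in the first post of the thread.
PS_PORTS = ("0:15,22:24,27:52,54:79,81:109,111:142,144:442,444:464,"
            "467:950,996:2081,3000:65535")

# Constructed sample input (not real traffic), modelled on the thread's excerpt.
SAMPLE_LOG = """\
Jan 18 13:07:44 server kernel: [214708.252895] Firewall: *Port Flood* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=55234 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 18 13:07:45 server kernel: [214708.583474] Firewall: *Port Flood* IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=55249 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 18 13:09:02 server kernel: [214786.101010] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40111 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Tag between the asterisks, then the destination port later on the line.
LINE_RE = re.compile(r"Firewall: \*(?P<tag>[^*]+)\*.*?\bDPT=(?P<dpt>\d+)")


def parse_ranges(spec):
    """Turn 'a:b,c,d:e' into a list of inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges


def port_tracked(port, ranges):
    """True if the port falls inside any PS_PORTS range."""
    return any(low <= port <= high for low, high in ranges)


def summarize(log_text, ps_ports=PS_PORTS):
    """Count hits per (tag, destination port, port-is-in-PS_PORTS)."""
    ranges = parse_ranges(ps_ports)
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            dpt = int(match["dpt"])
            counts[(match["tag"], dpt, port_tracked(dpt, ranges))] += 1
    return counts


if __name__ == "__main__":
    for (tag, dpt, tracked), hits in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{hits:3d}  {tag:<16} DPT={dpt:<5} in PS_PORTS={tracked}")
```

Hits tagged `*Port Flood*` on a port that is outside PS_PORTS point at the flood settings rather than the PS_* values, which is the distinction the last reply draws.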