  1. #1
    Join Date
    Dec 2007
    Posts
    57

    Poor performance after install CSF Firewall

    Hello guys,

    I have read on this forum and on Google that CSF seems to be the best firewall out there, so I installed it, configured it and ran it. After the installation I found that I get a lot of timeout errors on the web service, and pages take a lot longer to load. I think it's my configuration.

    Can someone take a look at my configuration and, if possible, share your own? I would really like to run CSF without poor performance on the web service.

    Code:
    # csf.conf excerpt: test mode, interface selection, open ports and drop/logging behaviour.
    # Test mode is off, so the rules stay loaded. With TESTING = "1" csf clears the rules
    # again after TESTING_INTERVAL minutes, which protects against locking yourself out.
    TESTING = "0"
    
    TESTING_INTERVAL = "5"
    
    AUTO_UPDATES = "1"
    
    # Rules are applied to eth1 only; traffic on any other interface is not filtered by csf.
    # NOTE(review): confirm eth1 is the public-facing NIC on this host.
    ETH_DEVICE = "eth1"
    
    ETH_DEVICE_SKIP = ""
    
    # Inbound TCP ports open to every source address. 22 (SSH) and the cPanel/WHM/webmail
    # ports (2082-2087, 2095, 2096) are reachable from the whole internet with this list.
    # 8184 is not one of the usual cPanel ports - verify what listens there.
    # 80 is allowed here, so the blocked port-80 SYNs quoted later in the thread are
    # presumably not caused by a missing port entry - TODO confirm which rule drops them.
    TCP_IN = "20,21,22,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,8184"
    
    # Outbound TCP ports the server itself may connect to.
    TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"
    
    # NOTE(review): FTP (20/21) is a TCP service; the UDP entries for those ports look
    # unnecessary - confirm before removing.
    UDP_IN = "20,21,53,953"
    
    UDP_OUT = "20,21,53,113,123,873,953,6277"
    
    # Incoming ping is answered; outgoing ping is presumably not allowed with "0" - confirm.
    ICMP_IN = "1"
    
    ICMP_OUT = "0"
    
    # Outgoing SMTP is restricted to the mail system itself, so compromised web scripts
    # cannot connect directly to remote mail servers. With SMTP_ALLOWLOCAL = "0" the
    # restriction also covers connections to port 25 on localhost.
    SMTP_BLOCK = "1"
    
    SMTP_ALLOWLOCAL = "0"
    
    MONOLITHIC_KERNEL = "0"
    
    # Unmatched packets are silently dropped rather than rejected.
    DROP = "DROP"
    
    # Dropped packets are logged. DROP_IP_LOGGING = "1" also logs packets from addresses
    # that are already blocked. NOTE(review): on a busy or attacked host this can produce
    # a very large log volume.
    DROP_LOGGING = "1"
    
    DROP_IP_LOGGING = "1"
    
    DROP_ONLYRES = "0"
    
    # Drops to these ports are not logged, which keeps common background noise out of the log.
    DROP_NOLOG = "67,68,111,113,135:139,445,513,520"
    
    # Invalid/out-of-sequence packets are dropped; DROP_PF_LOGGING = "0" means those drops
    # are not logged, so they are invisible when troubleshooting.
    PACKET_FILTER = "1"
    
    DROP_PF_LOGGING = "0"
    
    VERBOSE = "1"
    
    SYSLOG = "0"
    
    DYNDNS = "0"
    
    RELAYHOSTS = "1"
    
    # Upper bound on entries kept in csf.deny. NOTE(review): once the limit is reached older
    # "permanent" blocks are presumably rotated out - confirm against the csf readme.
    DENY_IP_LIMIT = "100"
    
    # No shared (remote) allow/deny/ignore lists are configured.
    GLOBAL_ALLOW = ""
    GLOBAL_DENY = ""
    GLOBAL_IGNORE = ""
    LF_GLOBAL = ""
    
    # lfd login-failure detection: per-service failure thresholds, block duration and alerts.
    LF_DAEMON = "1"
    
    # Global trigger is off, so the per-service thresholds below are used.
    LF_TRIGGER = "0"
    
    LF_TRIGGER_PERM = "1"
    
    # Block only the service that saw the failures instead of all traffic from the address.
    LF_SELECT = "1"
    
    # Pattern for each service: LF_<SERVICE> = failures before a block,
    # LF_<SERVICE>_PERM = "1" for a permanent block, a larger value for a temporary block
    # of that many seconds.
    # Three failures with a permanent block is strict: a legitimate user who mistypes a
    # password three times within LF_INTERVAL stays blocked until the entry is removed.
    LF_SSHD = "3"
    LF_SSHD_PERM = "1"
    
    LF_FTPD = "3"
    LF_FTPD_PERM = "1"
    
    LF_SMTPAUTH = "3"
    LF_SMTPAUTH_PERM = "1"
    
    LF_POP3D = "5"
    LF_POP3D_PERM = "1"
    
    LF_IMAPD = "5"
    LF_IMAPD_PERM = "1"
    
    # Password-protected directory failures: temporary block of 300 seconds.
    LF_HTACCESS = "5"
    LF_HTACCESS_PERM = "300"
    
    # mod_security trigger detection is disabled.
    LF_MODSEC = "0"
    LF_MODSEC_PERM = "1"
    
    # cPanel/WHM login failures: temporary block of 3600 seconds.
    LF_CPANEL = "3"
    LF_CPANEL_PERM = "3600"
    
    # lfd checks that csf is still running and restarts it if it was stopped.
    LF_CSF = "1"
    
    # E-mail alerts on SSH logins and on use of su.
    LF_SSH_EMAIL_ALERT = "1"
    
    LF_SU_EMAIL_ALERT = "1"
    
    # Alert when a script sends an unusual amount of mail (threshold LF_SCRIPT_LIMIT).
    # NOTE(review): LF_SCRIPT_PERM = "0" presumably means alert only, no action - confirm.
    LF_SCRIPT_ALERT = "1"
    
    LF_SCRIPT_LIMIT = "100"
    
    LF_SCRIPT_PERM = "0"
    
    # Directory watching for suspicious files, checked every 60 seconds.
    # NOTE(review): LF_DIRWATCH_DISABLE = "1" presumably removes/quarantines what it finds -
    # confirm, since that can affect legitimate temporary files.
    LF_DIRWATCH = "60"
    
    LF_DIRWATCH_DISABLE = "1"
    
    LF_DIRWATCH_FILE = "1"
    
    # System integrity check interval in seconds (hourly).
    LF_INTEGRITY = "3600"
    
    # Window in seconds within which failures are counted towards the thresholds above.
    LF_INTERVAL = "300"
    
    # How often (seconds) lfd reads the log files.
    LF_PARSE = "5"
    
    LF_EMAIL_ALERT = "1"
    
    # Login tracking: limits on successful logins per account and address.
    # NOTE(review): LT_POP3D = "60" is presumably a per-hour limit - confirm; mail clients
    # that poll every minute would sit right at this threshold. IMAP tracking is off.
    LT_EMAIL_ALERT = "1"
    
    LT_POP3D = "60"
    
    LT_IMAPD = "0"
    
    # Mail relay tracking: each group alerts when the LIMIT is exceeded; every *_BLOCK is
    # "0", so no address is blocked by relay tracking, it only reports.
    RT_RELAY_ALERT = "1"
    RT_RELAY_LIMIT = "100"
    RT_RELAY_BLOCK = "0"
    
    RT_AUTHRELAY_ALERT = "1"
    RT_AUTHRELAY_LIMIT = "100"
    RT_AUTHRELAY_BLOCK = "0"
    
    RT_POPRELAY_ALERT = "1"
    RT_POPRELAY_LIMIT = "100"
    RT_POPRELAY_BLOCK = "0"
    
    RT_LOCALRELAY_ALERT = "1"
    RT_LOCALRELAY_LIMIT = "100"
    RT_LOCALRELAY_BLOCK = "0"
    
    # External block lists, refreshed every 86400 seconds (daily). Every address on these
    # lists is dropped before the port rules are consulted, so a wrong or stale entry
    # blocks legitimate visitors even on open ports such as 80.
    # The lists are fetched over plain http, so their content is not protected in transit.
    # NOTE(review): check whether the providers offer https URLs.
    LF_DSHIELD = "86400"
    
    LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"
    
    LF_SPAMHAUS = "86400"
    
    LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"
    
    # The bogon list covers unallocated and reserved address space. It is a known source of
    # false positives when ranges are newly allocated, or when the server itself sits on
    # private addresses - verify before leaving it enabled.
    LF_BOGON = "86400"
    
    LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"
    
    # Connection tracking: an address with more than CT_LIMIT connections is blocked;
    # the check runs every CT_INTERVAL seconds.
    # Users behind a shared NAT or proxy, and browsers loading asset-heavy pages, can
    # exceed the limit legitimately, so check the lfd log for CT blocks when visitors
    # report timeouts.
    CT_LIMIT = "300"
    
    CT_INTERVAL = "60"
    
    CT_EMAIL_ALERT = "1"
    
    # Blocks are permanent, so CT_BLOCK_TIME (seconds) is presumably unused - confirm.
    # A false positive therefore stays blocked until it is removed by hand.
    CT_PERMANENT = "1"
    
    CT_BLOCK_TIME = "1800"
    
    # Connections in TIME_WAIT are counted too; no restriction on which states count.
    CT_SKIP_TIME_WAIT = "0"
    
    CT_STATES = ""
    
    # Process tracking: reports suspicious or resource-heavy processes.
    # NOTE(review): exact units of PT_LIMIT/PT_INTERVAL are not visible here - check the
    # csf readme for this version.
    PT_LIMIT = "30"
    
    PT_INTERVAL = "60"
    
    PT_SKIP_HTTP = "0"
    
    # Per-user thresholds (process count, memory, run time). PT_USERKILL = "0" means
    # offending processes are reported but not killed.
    PT_USERPROC = "8"
    
    PT_USERMEM = "100"
    
    PT_USERTIME = "1800"
    
    PT_USERKILL = "0"
    
    # Load-average monitoring. NOTE(review): presumably checks every PT_LOAD seconds and
    # alerts when the PT_LOAD_AVG-minute average exceeds PT_LOAD_LEVEL - confirm.
    PT_LOAD = "30"
    PT_LOAD_AVG = "5"
    PT_LOAD_LEVEL = "6"
    PT_LOAD_SKIP = "3600"
    
    PT_SMTP = "0"
    
    # Absolute paths of the system binaries csf and lfd invoke. These run with root
    # privileges, so each path should point at the distribution's own binary.
    IPTABLES = "/sbin/iptables"
    MODPROBE = "/sbin/modprobe"
    IFCONFIG = "/sbin/ifconfig"
    SENDMAIL = "/usr/sbin/sendmail"
    NETSTAT = "/bin/netstat"
    PS = "/bin/ps"
    FUSER = "/sbin/fuser"
    VMSTAT = "/usr/bin/vmstat"
    LS = "/bin/ls"
    MD5SUM = "/usr/bin/md5sum"
    TAR = "/bin/tar"
    CHATTR = "/usr/bin/chattr"
    
    # Log files lfd reads for each detection type.
    # NOTE(review): if a service logs somewhere else, the matching detection presumably
    # sees nothing and never triggers - verify each path against the running services.
    HTACCESS_LOG = "/usr/local/apache/logs/error_log"
    MODSEC_LOG = "/usr/local/apache/logs/error_log"
    SSHD_LOG = "/var/log/secure"
    SU_LOG = "/var/log/secure"
    FTPD_LOG = "/var/log/messages"
    SMTPAUTH_LOG = "/var/log/exim_mainlog"
    SMTPRELAY_LOG = "/var/log/exim_mainlog"
    POP3D_LOG = "/var/log/maillog"
    IMAPD_LOG = "/var/log/maillog"
    CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
    SCRIPT_LOG = "/var/log/exim_mainlog"
    Thanks

  2. #2
    Join Date
    Jan 2008
    Location
    Jax, FL
    Posts
    2,707
    I really don't see anything wrong with your CSF config file... Here is a copy of mine:

    # csf.conf excerpt: test mode, interface selection, open ports and drop/logging behaviour.
    # Test mode is off, so the rules stay loaded. With TESTING = "1" csf clears the rules
    # again after TESTING_INTERVAL minutes, which protects against locking yourself out.
    TESTING = "0"

    TESTING_INTERVAL = "5"

    AUTO_UPDATES = "1"

    # Empty value: csf does not limit itself to one NIC and filters every interface
    # except loopback.
    ETH_DEVICE = ""

    ETH_DEVICE_SKIP = ""

    # Inbound TCP ports open to every source address. Port 22 is not listed, so SSH on
    # the default port is not reachable through this list. NOTE(review): SSH presumably
    # runs on another port or is allowed per address elsewhere - confirm.
    # The cPanel/WHM/webmail ports (2082-2087, 2095, 2096) are open to the whole internet.
    TCP_IN = "20,21,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096"

    # Outbound TCP ports the server itself may connect to.
    TCP_OUT = "20,21,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703"

    # NOTE(review): FTP (20/21) is a TCP service; the UDP entries for those ports look
    # unnecessary - confirm before removing.
    UDP_IN = "20,21,53,953"

    UDP_OUT = "20,21,53,113,123,873,953,6277"

    # Ping is allowed in both directions.
    ICMP_IN = "1"

    ICMP_OUT = "1"

    # Outgoing SMTP is restricted to the mail system itself, so compromised web scripts
    # cannot connect directly to remote mail servers. With SMTP_ALLOWLOCAL = "0" the
    # restriction also covers connections to port 25 on localhost.
    SMTP_BLOCK = "1"

    SMTP_ALLOWLOCAL = "0"

    # Set for kernels built without loadable iptables modules (common on VPS hosts).
    MONOLITHIC_KERNEL = "1"

    # Unmatched packets are silently dropped rather than rejected.
    DROP = "DROP"

    # Dropped packets are logged, but packets from already-blocked addresses are not
    # (DROP_IP_LOGGING = "0"), which keeps the log volume down.
    DROP_LOGGING = "1"

    DROP_IP_LOGGING = "0"

    DROP_ONLYRES = "0"

    # Drops to these ports are not logged, which keeps common background noise out of the log.
    DROP_NOLOG = "67,68,111,113,135:139,445,513,520"

    # Invalid/out-of-sequence packets are dropped; DROP_PF_LOGGING = "0" means those drops
    # are not logged, so they are invisible when troubleshooting.
    PACKET_FILTER = "1"

    DROP_PF_LOGGING = "0"

    VERBOSE = "1"

    SYSLOG = "0"

    DYNDNS = "0"

    RELAYHOSTS = "1"

    # Upper bound on entries kept in csf.deny. NOTE(review): once the limit is reached older
    # "permanent" blocks are presumably rotated out - confirm against the csf readme.
    DENY_IP_LIMIT = "100"

    # No shared (remote) allow/deny/ignore lists are configured.
    GLOBAL_ALLOW = ""
    GLOBAL_DENY = ""
    GLOBAL_IGNORE = ""
    LF_GLOBAL = ""

    # lfd login-failure detection: per-service failure thresholds, block duration and alerts.
    LF_DAEMON = "1"

    # Global trigger is off, so the per-service thresholds below are used.
    LF_TRIGGER = "0"

    LF_TRIGGER_PERM = "1"

    # "0": an offending address is blocked from the whole server, not just the service
    # that saw the failures.
    LF_SELECT = "0"

    # Pattern for each service: LF_<SERVICE> = failures before a block,
    # LF_<SERVICE>_PERM = "1" for a permanent block, a larger value for a temporary block
    # of that many seconds. Every service in this listing blocks permanently.
    LF_SSHD = "5"
    LF_SSHD_PERM = "1"

    LF_FTPD = "10"
    LF_FTPD_PERM = "1"

    LF_SMTPAUTH = "5"
    LF_SMTPAUTH_PERM = "1"

    LF_POP3D = "10"
    LF_POP3D_PERM = "1"

    LF_IMAPD = "10"
    LF_IMAPD_PERM = "1"

    # A single failed login to a password-protected directory causes a permanent,
    # server-wide block (LF_SELECT = "0"). NOTE(review): very strict - one mistyped
    # password locks a legitimate visitor out until the entry is removed.
    LF_HTACCESS = "1"
    LF_HTACCESS_PERM = "1"

    # Likewise a single mod_security trigger blocks permanently; a false-positive rule
    # match is enough to lock a visitor out.
    LF_MODSEC = "1"
    LF_MODSEC_PERM = "1"

    LF_CPANEL = "5"
    LF_CPANEL_PERM = "1"

    # lfd checks that csf is still running and restarts it if it was stopped.
    LF_CSF = "1"

    # E-mail alerts on SSH logins and on use of su.
    LF_SSH_EMAIL_ALERT = "1"

    LF_SU_EMAIL_ALERT = "1"

    # Alert when a script sends an unusual amount of mail (threshold LF_SCRIPT_LIMIT).
    # NOTE(review): LF_SCRIPT_PERM = "0" presumably means alert only, no action - confirm.
    LF_SCRIPT_ALERT = "1"

    LF_SCRIPT_LIMIT = "100"

    LF_SCRIPT_PERM = "0"

    # Directory watching for suspicious files, checked every 60 seconds.
    # NOTE(review): LF_DIRWATCH_DISABLE = "1" presumably removes/quarantines what it finds -
    # confirm, since that can affect legitimate temporary files.
    LF_DIRWATCH = "60"

    LF_DIRWATCH_DISABLE = "1"

    LF_DIRWATCH_FILE = "0"

    # System integrity check interval (seconds, hourly) and the window (seconds) within
    # which failures are counted towards the thresholds above.
    LF_INTEGRITY = "3600"
    LF_INTERVAL = "300"

    # How often (seconds) lfd reads the log files.
    LF_PARSE = "5"

    LF_EMAIL_ALERT = "1"

    # Login tracking: limits on successful logins per account and address.
    # NOTE(review): LT_POP3D = "60" is presumably a per-hour limit - confirm; mail clients
    # that poll every minute would sit right at this threshold. IMAP tracking is off.
    LT_EMAIL_ALERT = "1"

    LT_POP3D = "60"

    LT_IMAPD = "0"
    # Mail relay tracking: each group alerts when the LIMIT is exceeded; every *_BLOCK is
    # "0", so no address is blocked by relay tracking, it only reports.
    RT_RELAY_ALERT = "1"
    RT_RELAY_LIMIT = "100"
    RT_RELAY_BLOCK = "0"

    RT_AUTHRELAY_ALERT = "1"
    RT_AUTHRELAY_LIMIT = "100"
    RT_AUTHRELAY_BLOCK = "0"

    RT_POPRELAY_ALERT = "1"
    RT_POPRELAY_LIMIT = "100"
    RT_POPRELAY_BLOCK = "0"

    RT_LOCALRELAY_ALERT = "1"
    RT_LOCALRELAY_LIMIT = "100"
    RT_LOCALRELAY_BLOCK = "0"

    # External block lists, refreshed every 86400 seconds (daily). Every address on these
    # lists is dropped before the port rules are consulted, so a wrong or stale entry
    # blocks legitimate visitors even on open ports such as 80.
    # The lists are fetched over plain http, so their content is not protected in transit.
    # NOTE(review): check whether the providers offer https URLs.
    LF_DSHIELD = "86400"

    LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt"

    LF_SPAMHAUS = "86400"

    LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso"

    # Bogon list is disabled ("0"); the URL below is therefore not used.
    LF_BOGON = "0"

    LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt"

    # Connection tracking: an address with more than CT_LIMIT connections is blocked;
    # the check runs every CT_INTERVAL seconds.
    # Users behind a shared NAT or proxy, and browsers loading asset-heavy pages, can
    # exceed the limit legitimately, so check the lfd log for CT blocks when visitors
    # report timeouts.
    CT_LIMIT = "300"

    CT_INTERVAL = "60"

    CT_EMAIL_ALERT = "1"

    # Blocks are permanent, so CT_BLOCK_TIME (seconds) is presumably unused - confirm.
    # A false positive therefore stays blocked until it is removed by hand.
    CT_PERMANENT = "1"

    CT_BLOCK_TIME = "1800"

    # Connections in TIME_WAIT are counted too; no restriction on which states count.
    CT_SKIP_TIME_WAIT = "0"

    CT_STATES = ""

    # Process tracking: reports suspicious or resource-heavy processes.
    # NOTE(review): exact units of PT_LIMIT/PT_INTERVAL are not visible here - check the
    # csf readme for this version.
    PT_LIMIT = "30"

    PT_INTERVAL = "60"

    PT_SKIP_HTTP = "0"

    # Per-user thresholds (process count, memory, run time). PT_USERKILL = "0" means
    # offending processes are reported but not killed.
    PT_USERPROC = "8"
    PT_USERMEM = "100"

    PT_USERTIME = "1800"

    PT_USERKILL = "0"

    # Load-average monitoring. NOTE(review): presumably checks every PT_LOAD seconds and
    # alerts when the PT_LOAD_AVG-minute average exceeds PT_LOAD_LEVEL - confirm.
    PT_LOAD = "30"
    PT_LOAD_AVG = "5"
    PT_LOAD_LEVEL = "6"
    PT_LOAD_SKIP = "3600"

    PT_SMTP = "0"

    # OS settings: absolute paths of the system binaries csf and lfd invoke. These run
    # with root privileges, so each path should point at the distribution's own binary.
    IPTABLES = "/sbin/iptables"
    MODPROBE = "/sbin/modprobe"
    IFCONFIG = "/sbin/ifconfig"
    SENDMAIL = "/usr/sbin/sendmail"
    NETSTAT = "/bin/netstat"
    PS = "/bin/ps"
    FUSER = "/sbin/fuser"
    VMSTAT = "/usr/bin/vmstat"
    LS = "/bin/ls"
    MD5SUM = "/usr/bin/md5sum"
    TAR = "/bin/tar"
    CHATTR = "/usr/bin/chattr"

    # Log files lfd reads for each detection type.
    # NOTE(review): if a service logs somewhere else, the matching detection presumably
    # sees nothing and never triggers - verify each path against the running services.
    HTACCESS_LOG = "/usr/local/apache/logs/error_log"
    MODSEC_LOG = "/usr/local/apache/logs/error_log"
    SSHD_LOG = "/var/log/secure"
    SU_LOG = "/var/log/secure"
    FTPD_LOG = "/var/log/messages"
    SMTPAUTH_LOG = "/var/log/exim_mainlog"
    SMTPRELAY_LOG = "/var/log/exim_mainlog"
    POP3D_LOG = "/var/log/maillog"
    IMAPD_LOG = "/var/log/maillog"
    CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
    SCRIPT_LOG = "/var/log/exim_mainlog"
    Hope that helps!
    Daniel | Server Complete, LLC
    Windows VPS // Dedicated Servers // Backup Services
    Wholly owned hardware and self operated network (AS19531) in Jacksonville, FL

  3. #3
    Join Date
    Dec 2007
    Posts
    57
    Don't you have to assign ETH_DEVICE?

  4. #4
    Join Date
    Jul 2007
    Posts
    55
    By default, it is eth0 unless you are using others..
    L
    I work with a cup of tea, prefer green tea.

  5. #5
    Join Date
    Dec 2007
    Posts
    57
    did you notice any slow connection or timeout connection when running CSF ?

  6. #6
    Join Date
    Jul 2007
    Posts
    55
    Sorry no. Working fine for me perfectly..
    L
    I work with a cup of tea, prefer green tea.

  7. #7
    Join Date
    Mar 2007
    Location
    Phoenix, AZ
    Posts
    132
    are you sure this is because of CSF?
    When you disable CSF did things back to normal?
    Cheers,
    Sivanandhan, P. (a.k.a. apsivam)
    My Blog Site

  8. #8
    Join Date
    Jul 2007
    Posts
    55
    IPtables could have mess up.
    Stop your CSF.
    and restart again.
    L
    I work with a cup of tea, prefer green tea.

  9. #9
    Join Date
    Dec 2007
    Posts
    57
    Yes. Right after disabling CSF, pages start to load really fast, whereas with CSF on it takes up to 45+ just to load a 10 KB HTML page and connections often time out. I also ran a test with my users: when I turned CSF on for a couple of hours, users reported that pages loaded really slowly and timed out a lot; when I turned it off, users reported that everything was fast, with no more connection timeouts.

    I looked at the log and saw that a lot of TCP_IN and TCP_OUT traffic is being blocked, roughly every second. I think that must be why it's so slow.

    Code:
    1	Jan 04 22:49:28	-	-	Firewall: *TCP_IN Blocked* 	eth1	tcp	SOURCE IP	4293	SEVER IP	80	SYN
    a lot of those every 3 second

  10. #10
    Join Date
    Dec 2007
    Posts
    57
    Quote Originally Posted by Tealeaf View Post
    IPtables could have mess up.
    Stop your CSF.
    and restart again.
    Tried that doesn't really help much

  11. #11
    Join Date
    Apr 2005
    Posts
    1,711
    Sounds like a kernel recompile is in order..
    Zach E. - Kualowww.kualo.com
    Shared Web Hosting, Reseller Hosting, Cloud VPS & Dedicated Servers
    UK: 0800 138 3235 ❘ USA: 1-800-995-8256

  12. #12
    Join Date
    Jan 2008
    Location
    Jax, FL
    Posts
    2,707
    I agree that this issue is not from CSF... There should be no noticeable change in page loading speeds when CSF is enabled and when its not. I have been running CSF for several months and I have never had a problem nor have I ever received any complaints from my customers.

    There is something else on your server that requires attention.
    Daniel | Server Complete, LLC
    Windows VPS // Dedicated Servers // Backup Services
    Wholly owned hardware and self operated network (AS19531) in Jacksonville, FL

  13. #13
    Join Date
    Apr 2007
    Location
    Melbourne, Australia
    Posts
    410
    I have not used CSF before -- but does it report any errors when it starts up or show any errors in it's log file?

  14. #14
    Join Date
    Dec 2007
    Posts
    57
    OK, I played with it a little and here is what I found out.

    If I set CSF to the "high" or "medium" pre-configuration, the performance is really poor, but if I set it to "low", everything runs really well.

    Have any of you guys run it with "high" pre-configuration ?

    Could it be hardware problem, I have Quad Core @ 2.4Ghz, 4 Gigs of RAM and only hosting 1 site

  15. #15
    Join Date
    Dec 2007
    Posts
    57
    Quote Originally Posted by RapidFire View Post
    I agree that this issue is not from CSF... There should be no noticeable change in page loading speeds when CSF is enabled and when its not. I have been running CSF for several months and I have never had a problem nor have I ever received any complaints from my customers.

    There is something else on your server that requires attention.
    What should I look for, Sorry i'm really new to linux

  16. #16
    Join Date
    Jan 2008
    Location
    Jax, FL
    Posts
    2,707
    Quote Originally Posted by taydu3000 View Post
    What should I look for, Sorry i'm really new to linux
    cPanel is a great product, however, some aspects of it are badly optimized... Have you ever gone through and optimized your server in anyway?

    I highly doubt it is a hardware problem. I host my personal sites on a VPS with 512MB guaranteed RAM with cPanel and I have never had a problem with CSF...

    What distro of Linux are you using? What version and stage (stable, release, edge) of cPanel?

    Have you watched Top while experiencing this problem?

    It could just be a coincidence and may not actually be CSF causing poor performance.
    Daniel | Server Complete, LLC
    Windows VPS // Dedicated Servers // Backup Services
    Wholly owned hardware and self operated network (AS19531) in Jacksonville, FL

  17. #17
    Join Date
    Dec 2007
    Posts
    57
    Mysql and Apache has been optimized to run Vbulletin, using centos 4.5 and just update to latest stable of Cpanel couple days ago.

  18. #18
    Join Date
    Jan 2007
    Posts
    584

  19. #19
    Join Date
    Jun 2002
    Location
    Long Beach, NY
    Posts
    199
    Although this is an old thread, I thought I'd add that I had a similar experience with server timeouts and slow page loads, and resolved it by turning off the SYN flood blocking and the connection tracking blocking, and turning off PT_DELETED.

    There are too many false positives, and legitimate users end up getting blocked.

    By viewing the logs, we were able to identify that the synflood was triggering falsely on my own IP during very basic operations.

    Turning off synflood seems to be key.

    I hope somebody will find this helpful - it took a long time to get to the bottom of what was causing issues on my server.

    mrk
