Linux csf firewall effectively prevents a small amount of ddos cc attacks

The csf firewall is installed to deal with a small number of ddos and cc attacks, which is quite useful. We have also used the TDS before. The following is a record of how I discovered the attack, and how to solve it.

1. Adjusting apache connections will always be full and system resources will be greatly consumed. Test servers are not installed with monitoring, nagios, cacti, and munin. You can search by yourself. 2. I checked apache logs and found a certain IP address requesting a certain PHP, which reached more than 90 thousand in two days. apache logs are rolled, so normally, there cannot be so many, and this is a test server. See. The following describes the installation configuration process 1, download and install wget http://www.configserver.com/free/csf.tgz tar-zxvf csf. tgz cd csf sh install. sh if a perl module error is reported, run the yum install perl-libwww-perl Command to test the csf [root @ rudder csf] # perl/etc/csf/csftest. pl Testing ip_tables/iptable_filter... OK Testing ipt_LOG... OK Testing ipt_multiport/xt_multiport... OK Testing ipt_REJECT... OK Testing ipt_state/xt_state... OK Testing ipt_limit/xt_limit... OK Testing ipt_recent... OK Testing xt_connlimit... OK Testing ipt_owner/xt_owner... OK Testing iptable_nat/ipt_REDIRECT... OK Testing iptable_nat/ipt_DNAT... OK RESULT: csf shocould function on this server

2. There are a lot of configuration items in the configuration file. The basic configuration will not be mentioned, and there will be online configuration. Here we will talk about how to configure to prevent a small number of ddos, cc attack 1, port flood attacks to protect vim/etc/csf. conf // I made two changes. The first one is PORTFLOOD = "22; tcp; 5; 80; tcp; 20; 5" explanation: 1 ), if there are more than five connections to tcp port 22 within 300 seconds, at least 300 seconds after the last packet is found, the IP address will be blocked from accessing port 22, that is, there are 300 seconds of "quiet" before the blocking is canceled. 2) if there are more than 20 connections connected to tcp port 80 within five seconds, at least 5 seconds after the last packet is found, the IP address will be blocked from accessing port 80, that is, five seconds before the blocking was canceled, the "quiet" period gave me the feeling that the csf not only has a wall, but also a network behind it to provide dynamic defense. I feel that this is better. 2. Start csf [root @ rudder ~] # Print a lot of information when/etc/init. d/csf start is started. check whether there is fatal and warning, if not. Vim/etc/csf. conf // TESTING = "0" // change the value of TESTING from 1 to 0 and restart the csf. [root @ rudder ~] # The restart command of the csf-r is the same as that of the Active Directory filter. There are many similarities between the two iptables-based firewalls. 3. Start lfd [root @ rudder ~] # The/etc/init. d/lfd start module has an important function, which is to record the defense process. Let's take a look at the effect. After the lfd log 194.28.70.132 is blocked for four times, the access is permanently disabled. Then I checked it and the IP address was automatically placed under csf. deny. [Root @ rudder ~] # Cat/etc/csf. deny ####################################### ######################################## # Copyright 2006-2013, way to the Web Limited # URL: http://www.configserver.com # Email: sales@waytotheweb.com ####################################### ######################################## # The following IP addresses will be blocked in iptables # One IP address per line # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24) # Only list IP addresses, not domain names (they will be ignored) # Note: If you add the text "do not delete" to the comments of an entry Then # DENY_IP_LIMIT will ignore those entries and not remove them # Advanced port + ip filtering allowed with the following format # tcp/udp | in/out | s/d = port | s/ d = ip # See readme.txt for more information regarding advanced port filtering #194.28.70.132 # lfd: (PERMBLOCK) 194.28.70.132 has had more than 4 temp blocks in the last 86400 secs-Mon Mar 11 04:19:14 2013 64.34.253.35 # lfd: (PERMBLOCK) 64.34.253.35 has had more than 4 temp blocks in the last 86400 secs-Mon Mar 11 21:30:09 2013 found some parameter descriptions on the official website:-h, -- help Show this message // display this message-l, -- status List/Show iptables configuration // List/display iptables configuration-l6, -- status6 List/Show ip6tables configuration // List/display ip6ables configuration-s, -- start Start firewall rules // Enable firewall rules-f, -- stop Flush/Stop firewall rules (Note: lfd may restart csf) // clear/Stop firewall rules (Note: l Fd may restart csf)-r, -- Restart restart firewall rules // re-Enable firewall rules-q, -- startq Quick restart (csf restarted by lfd) // fast restart (lfd restart csf)-sf, -- startf Force CLI restart regardless of LF_QUICKSTART setting // Force CLI restart-a regardless of the LF_QUICKSTART settings, -- add ip Allow an IP and add to/etc/csf. allow // allow an IP address and add it to/etc/csf. allow-ar, -- addrm ip Remove an IP from/etc/csf. allow and delete rule // from/etc/csf. allow Delete an IP address, delete rule-d, -- deny ip Deny an IP address and add to/etc/csf. deny // reject an IP address and add it to/etc/csf. deny-dr, -- denyrm ip Unblock an IP and remove from/etc/csf. deny // unblocks an IP address and removes it from/etc/csf. delete-df, -- denyf Remove and unblock all entries in/etc/csf in deny. deny // Delete and remove/etc/csf. -g, -- grep ip Search the iptables rules for an IP match (incl. CIDR) // query iptables rules (including CIDR) that match an IP address-t, -- temp Displays the current list of temp IP entries and their // TTL Displays the current temporary IP address and Its TTL list-tr, -- temprm ip Remove an IPs from the temp IP ban and allow list // Remove IPs-td from the temporary prohibition and allow IP address list, -- tempdeny ip ttl [-p port] [-d direction] Add an IP to the temp IP ban list. ttl is how long to // Add an IP address to the list of temporary prohibited IP addresses, blocks for (default: seconds, can use one suffix of h/m/d) // ttl indicates the port blocking time (default: Second, you can use an h/m/d suffix) Optional port. optional di Rection of block can be one of: // optional port. The blocking direction can be either of the following: inbound, outbound, or inbound (default: Inbound) in, out or inout (default: in)-ta, -- tempallow ip ttl [-p port] [-d direction] Add an IP to the temp IP allow list (default: inout) // Add an IP address to the list of temporary allowed IP addresses (default: Inbound and Outbound)-tf, -- tempf Flush all IPs from the temp IP entries // clear all temporary IP records-cp, -- cping PING all members in an lfd Cluster PINGlfd group members-cd, -- cdeny ip Deny an IP in a Cluster and add to/etc/csf. deny // reject an IP address in the group and add it to/etc/csf/ Csf. deny-ca, -- callow ip Allow an IP in a Cluster and add to/etc/csf. allow // allow an IP address in the group and add it to/etc/csf. allow-cr, -- crm ip Unblock an IP in a Cluster and remove from/etc/csf. deny // unblocks an IP address in the group and removes the IP address from/etc/csf. deny Delete-cc, -- cconfig [name] [value] Change configuration option [name] to [value] in a Cluster // Change the configuration option [name] in the group to [value]-cf, -- cfile [file] Send [file] in a Cluster to/etc/csf // Send [file] to/etc/csf/-crs in the group, -- crestart Cluster restart csf and lfd // restart the group csf and lfd-m, -- mail [addr] Display Server Check in HTML or email to [addr] if present // Check the Server in HTML or send an email to the [addr] address. if yes,-c, -- check Check for updates to csf but do not upgrade // check for csf updates but not updates-u, -- update Check for updates to csf and upgrade if available // Check for csf updates and updates. if possible,-uf Force an update of csf // Force update of csf-x, -- disable Disable Csf and lfd // disable csf and lfd-e, -- enable Enable csf and lfd if previusly disabled // enable previously disabled csf and lfd-v, -- version Show csf version // you can use these options to conveniently control and view the csf version. All the csf configuration files are in/etc/csf/, including: csf. conf-main configuration file, which has the annotation csf that describes the purpose of each option. allow-the list of IP addresses and CIDR addresses allowed by the firewall. deny-the list of IP addresses and CIDR addresses that are not allowed by the firewall. ignore-lfd should be ignored, and the list of IP addresses and CIDR addresses that are not blocked after the detection is csf. * ignore-lists various files that lfd should ignore, users, and IP addresses. For details, see each file. If you modify any of the above files, you need to restart the csf to take effect. If you use the command line option to add or reject IP addresses, the csf automatically takes effect. Both csf. allow and csf. deny can comment on the listed IP addresses. The comment must be in the same line as the IP address; otherwise, the IP rotation of csf. deny will delete the comment. If you directly edit the csf. allow or csf. deny file, whether from shell or whm ui, you must insert # Between the IP address and comment, as follows: add 11.22.33.44 # Because I don't like them, you can also add comments when using the csf-a or csf-d command, but not insert #,: add csf-d 11.22.33.44 because I don't like them