Making csf to work like dos deflate?

Posted by linuxfan, 09-06-2009, 07:54 PM
I installed ddos deflate, and it worked fine for half an hour until suddenly port 80 stopped working. This led to a disaster where I accidentally screwed up the network on the server, but after 2.5 hours of downtime I managed to restore things properly. Now I have turned off iptables, and plan to install csf (config system firewall as webmin plugin). I read somewhere here that csf can also be configured to block IPs with a defined number of max connections, so technically it does the same job as dos deflate? Also someone said that it can't help if it's a hard ddos attack, as the csf file will be overloaded with too many IP addresses. But I don't really expect to block hard ddos attacks; I think it will do the job against low and medium ddos attacks if the server has a strong network port/hardware and software optimization. And primarily, what is most important, to block bots. So post your experiences with csf here.

Posted by Ore Stone Radio, 09-07-2009, 10:22 AM
csf works well; we have it on all our servers. Lots of IP addresses get blocked by csf and lfd every day. All the details for csf are in the readme.

Posted by khunj, 09-07-2009, 12:29 PM
CSF is a script for iptables, therefore you must have iptables up and running!

Posted by linuxfan, 09-07-2009, 02:01 PM
I know, but now I don't dare to proceed, simply because of this situation with ddos deflate. But still, bots must be blocked.

Posted by inspiron, 09-08-2009, 08:15 AM
Apf firewall also works great against the dos deflate for banning the IPs.

Posted by eth10, 09-08-2009, 11:26 AM
PORTFLOOD = "80;tcp;100;5"

There is an option called PORTFLOOD which will block the IP once it reaches max connections simultaneously.

Posted by linuxfan, 09-08-2009, 03:28 PM
Ok, next question: how do I define which mail address alerts are sent to? Right now it sends to the root mail address. And how do I whitelist IPs? I mean, I have another server which connects to this server (serves as image hotlink), so that generates a lot of connections. Last edited by linuxfan; 09-08-2009 at 03:38 PM.

Posted by Ore Stone Radio, 09-08-2009, 03:30 PM
Just edit etc/aliases and define where root emails go...

Posted by linuxfan, 09-08-2009, 03:50 PM
This one: "postmaster: root". Should I do something like "root : mail@domain.com"?

Posted by Ore Stone Radio, 09-08-2009, 03:57 PM
Yep, you got it: root:mail@domain.com. Looks right.

Posted by linuxfan, 09-08-2009, 04:03 PM
Ok, next question: how do I set a whitelist IP list, which means that IP can do anything you want on the server?

Posted by Ore Stone Radio, 09-08-2009, 04:11 PM
Just add the ip address to the allow list. Are you using csf or apf now?

Posted by linuxfan, 09-08-2009, 04:24 PM
Csf, but it is disabled right now. I want to be 100% sure that everything will work as it should, to prevent blocking of the http server or anything else important.

Posted by Ore Stone Radio, 09-08-2009, 04:29 PM
I think you need to add your ip address to the csf.allow and csf.ignore files. I am not in front of a computer at the moment so that is off the top of my head. If you have the webmin module for csf do it in there.

Posted by linuxfan, 09-08-2009, 04:34 PM
Yes, I noticed those two files in the csf directory; the first one says that it is the whitelist for csf and the other for lfd, so to make it work completely both files need to be edited. Next question: I noticed csf supports dyndns. Right now I am using host.allow in etc to allow only my IP to access ssh, but I need to edit it every 24 hours since my IP is dynamic. Would it be possible to set that with csf to automatically update host allow with my IP, or to recognize a dyndns subdomain as my IP address?

Posted by Ore Stone Radio, 09-08-2009, 06:07 PM
Not sure about that one, sorry. Maybe someone else will have the answer.

Posted by linuxfan, 09-08-2009, 08:38 PM
Well, I think I can resolve this another way. Next question: I started csf with test settings, and after starting it a second time, I was not able to access webmin anymore. Any idea why? I mean, that is strange since it's only testing mode, which shouldn't block access to anything. Luckily I was able to shut down the firewall over ssh. And during the test time I got warning messages about some system components like haldaemon, rpc, powerdns, mysql and two of my scripts. The first thing I noticed: when my script was running under root there was no such warning, and when I switched it to a user it showed. So those messages report excessive usage and suspicious usage. Since all those processes are legal, how do I add them to the whitelist to prevent the firewall from killing those processes?

Posted by Ore Stone Radio, 09-08-2009, 08:41 PM
When csf is in test mode it will still block access to any ports you have not added. Make sure you have 10000 (or whatever port you have put webmin on) in the TCP allowed ports list. Test mode just flushes the rules every 5 minutes, I think. Have you installed the webmin module for csf? If so, there is a security test, one of the top buttons. That will give you info about those services. Last edited by Ore Stone Radio; 09-08-2009 at 08:43 PM. Reason: added more info
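
An added example, not part of the thread or of csf itself: a pre-flight check to run before starting csf, following the point above that test mode still blocks ports missing from the allowed list. It assumes the allowed list is the `TCP_IN` setting in csf.conf; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check csf.conf for required ports before starting csf.

# Print the value of a KEY = "value" line from a csf.conf-style file.
csf_get() {  # usage: csf_get FILE KEY
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*\"\\([^\"]*\\)\".*/\\1/p" "$1" |
        tail -n 1
}

# Succeed if PORT is covered by a list such as "22,80,30000:35000".
port_allowed() {  # usage: port_allowed LIST PORT
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry##*:}   # range lo:hi
                 if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then
                     IFS=$old_ifs; return 0
                 fi ;;
            *)   if [ "$entry" = "$2" ]; then IFS=$old_ifs; return 0; fi ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# Print required ports missing from TCP_IN; fail if any is missing.
csf_preflight() {  # usage: csf_preflight FILE PORT...
    conf=$1; shift
    list=$(csf_get "$conf" TCP_IN | tr -d ' ')
    missing=""
    for p in "$@"; do
        port_allowed "$list" "$p" || missing="$missing $p"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample config: webmin's port 10000 is absent from TCP_IN.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TESTING = "1"
TESTING_INTERVAL = "5"
TCP_IN = "22,53,80,443,30000:35000"
EOF

if missing=$(csf_preflight "$sample" 22 80 10000); then
    echo "all required ports are in TCP_IN"
else
    echo "missing from TCP_IN, blocked even in test mode: $missing"
fi
```

On a real server, pass the path of the installed csf.conf and the ports for ssh, webmin and any other management service instead of the sample file.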

Posted by linuxfan, 09-08-2009, 08:54 PM
Yes, I fixed most of the red fields with the security test. Do you think that if I put the ports used by powerdns, mysql, rpc, haldaemon and my two scripts on the allow list, it will stop sending warnings?

Posted by Ore Stone Radio, 09-08-2009, 08:56 PM
No, but you can tell it to ignore particular processes that you are using...

Posted by linuxfan, 09-08-2009, 09:10 PM
By editing csf.pignore maybe?

Posted by Ore Stone Radio, 09-08-2009, 09:19 PM
That's the one.

Posted by linuxfan, 09-09-2009, 06:53 AM
Yes, I see you can add executables and users there.
