Skip to main content

CWP: Rate Limit Incoming Traffic using CSF Connection Tracking Option

CSF – How to limit the number of connections per IP address (Rate Limit Incoming Traffic By CSF Connection Tracking):
The first thing that can be done to mitigate the effects of an incoming attack is to limit the number of connections per IP address. When properly configured, CSF will track the number of connections from IP address hitting the server and block IP addresses at the firewall level should they exceed a defined limit.

It’s important not to set the limit too low, as protocols such as FTP, IMAP, and even HTTP all legitimately make multiple connections. Also, remember that most companies as well as homes and public hotspots may have many different computers on their internal network which all share a single public IP address.
To set the limit on connections per IP address, scroll down to the Connection Tracking section of the Firewall Configuration page and set CT_LIMIT to the desired value.
CSF Connection Tracking
1. If you want use 150 connections per IP address as an upper limit. You may find that you need to lower or raise that number but, generally, you should never attempt to set it below about 100. So I prefer 100.
# To disable this feature, set this to 0
CT_LIMIT = "100" 
2. If the server is under attack, you also will want to disable email alerts by setting CT_EMAIL_ALERT to “0”. Otherwise, the server will send an email every time it blocks an IP address, which will only add to load on the server. But I have high capacity , So i want an alert .
# Send an email alert if an IP address is blocked due to connection tracking
3. If you want to make IP blocks permanent then set this to 1, otherwise blocks will be temporary and will be cleared after CT_BLOCK_TIME seconds
4. You also may wish to restrict rate limiting to specific ports, which can be done using the CT_PORTS setting. Multiple ports can be added in comma-separated format (with no space in between). In this example, we’re applying rate limiting only to HTTP ports:
CT_PORTS = "80,443" 
N.B: Leave this option empty to count all ports against CT_LIMIT

With these settings, any IP address that makes more than 100 connections to the web site on the standard and/or secure ports will be blocked in the firewall. By default, that will be a temporary block for 30 minutes. The CT_BLOCK_TIME setting can extend the block period, and by toggling the CT_PERMANENT setting you can arrange for the IP addresses to be blocked permanently.

Check the below snapshot for details
CSF Connection Tracking
1.Scroll to the bottom of the Firewall Configuration page and click on the Change button.
2.On the next screen, click the Restart csf+lfd button to restart the firewall with the new settings.