AWS Monster | Your Technical Partner

There is no practical way to actually prevent Dos / DDoS attacks, because your server is connected to the internet. When you are connected to the internet, even with a simple local PC computer you are exposed to remote attacks. The only thing you can do is to mittigate its effects. When you are under ddos and trying to mitigate the attack, the server will not respond normally, it will get slower than usual, it can often appear down temporary while the attack is decreasing. On large-volume attacks your provider can even null-route the server IP address to avoid from overload their entire network. Can CSF firewall help me to stop only small / medium attacks? Why not large attacks? Beacuse of the way DDOS works. For very large and distributed attacks, you must use a dedicated firewall, or an specialized antiddos shield that works on network level inside the datacenter where you are hosted, or you can use 3rd party anti-ddos services like Cloudflare, Incapsula or Level3 AntiDDOS servi

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common threats that every publicly accessible web server faces. The purpose of such attacks, in simplest terms, is to flood a server with connections, overloading it and preventing from accepting legitimate traffic. Step #1: SYNflood Protection A SYNflood attack is a DoS attack exploiting the TCP (Transmission Control Protocol) connection process itself. In basic terms, a TCP connection is established using a three-way handshake: The client (incoming connection) sends a synchronization packet (SYN) to the server. The server responds with a synchronization acknowledgement (SYN/ACK) to the client. The client then responds with an acknowledgement (ACK) back to the server. A SYNflood attack manipulates that three-way handshake by initiating multiple synchronization requests and then refusing to respond with any final acknowledgements. On a Linux server, you can quickly check for SYN packets by running thi

Restricting access by port to IP addresses originating in a specific country or countries can be an effective way to help minimize the negative performance impact that country-level blocking can bring. In this example , we’re blocking access to the FTP Ports (20,21) & SMTP Ports(25,110,143,465,587,993,995)   to IP addresses originating in Belgium & Bulgaria. Step #1: Specify the Country or Countries to be Denied Scroll down to the Country Code Lists and Settings section and add the country code to CC_DENY_PORTS . Multiple countries can be comma separated with no spaces in between, and you can find a list of ISO 3166-1 alpha-2 codes at https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2. List the port that will be blocked in the specified country in the CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP fields. Step #2: Save Your Changes and Restart the Firewall Scroll to the bottom of the Firewall Configuration page and click on the Change button. On the next screen, click the R

I have some listed ports for my services management and I want that listed ports only accessible from my country. Yes, you can choose to allowing incoming traffic by port to only a specific country or countries. Generally, this should be a better option than attempting to deny port access to a long list of countries because the firewall be working with a smaller CIDR range against which each incoming request must be checked. My Listed Ports: 22,2030,2031,2086,2087,5550,55004,1025 To limit the ability to connect on a specific port or ports to visitors with IP addresses originating in a specific country or countries, you must: close the ports in the firewall define the country code allowed to connect on those blocked ports specify the blocked ports to be opened for the specified country In this example, we’re allowing access to above  My Listed Ports , to IP addresses based in My Country ( Germany). Step #1: Close the Ports in the Firewall On the Firewall Configuration page,

CSF (ConfigServer Firewall) on a Linux system and you block a lot of IP addresses. Servers running iptables with CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF's iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a took called ipset. This option allows you to use ipset v6+ for the following csf options: CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny, GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER ipset will only be used with the above options when listing IPs and CIDRs. Advanced Allow Filters and temporary blocks use traditional iptables. To use this option you must have a fully functioning installation of ipset installed either via rpm or source from http://ipset.netfilter.org/ It’s a straight forward process. CentOS, Red Hat and Fedora (yum based) users : # yum install ipset -y Ubuntu or Debian: # sudo

Connection Limit Protection: This option configures iptables to offer more protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of concurrent new connections per IP address that can be made to specific ports This feature does not work on servers that do not have the iptables module xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS server admins should check with their VPS host provider that the iptables module is included Note: Run /etc/csf/csftest.pl to check whether this option will function on this server Step: Go to your CSF WebUI Panel and Select " Port Flood Settings" : You can set limit for the number of connections to particular port by altering the value “CONLIMIT”. CONNLIMIT = 80;20,443;15 The above value will limit only 20 connections to the port 80 and 15 connections to the port 443 from singl

Getting CSF Firewall error after CSF Updating . From 2019-12-29, MaxMind REQUIRES you to create an account on their site and to generate a license key to use their databases. Run the following Command: # csf -ra Error Country Code Lookups setting MM_LICENSE_KEY must be set in /etc/csf/csf.conf to continue using the MaxMind databases You MUST set the following to continue using the IP lookup features of csf, otherwise an error will be generated and the features will not work. Visit the following website to create new account (https://www.maxmind.com/en/geolite2/signup) and update your billing address and issue your Licence key for CSF firewall. Now Edit your CSF configuration file & use your Key. # vi /etc/csf/csf.conf MM_LICENSE_KEY = "your licence key" CC_SRC = 1 See: https://blog.configserver.com/?p=3216 https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

Country-level filtering in CSF uses the Maxmind GeoLite Country database to obtain CIDR (Classless Inter-Domain Routing) ranges for specific countries. Each CIDR range covers all the IP addresses assigned to that country. There are a number of reasons why a server administrator may wish to block traffic from a specific country, with reducing bandwidth, minimizing exposure to security risks, and ensuring that a site’s content is viewable only in geographic locations where it is permitted among the most common. However, there are several important factors to consider before choosing to filter traffic at the country level: A small percentage of unwanted traffic still may get through, and a small percentage of desired traffic could be blocked, because: the CIDR range lists used for country-level blocks are not 100 percent accurate. some Internet Service Providers and web services use non-geographic IP addresses for their clients. proxy services and virtual private networks can be us

CSF – How to limit the number of connections per IP address (Rate Limit Incoming Traffic By CSF Connection Tracking): The first thing that can be done to mitigate the effects of an incoming attack is to limit the number of connections per IP address. When properly configured, CSF will track the number of connections from IP address hitting the server and block IP addresses at the firewall level should they exceed a defined limit. It’s important not to set the limit too low, as protocols such as FTP, IMAP, and even HTTP all legitimately make multiple connections. Also, remember that most companies as well as homes and public hotspots may have many different computers on their internal network which all share a single public IP address. To set the limit on connections per IP address, scroll down to the Connection Tracking section of the Firewall Configuration page and set CT_LIMIT to the desired value. 1. If you want use 150 connections per IP address as an upper limit. You m

This perl module is required for Statistical Graphs available from the csf UI. It is dependent on graphical libraries being installed for your OS (e.g. libgd, libpng, etc. which is beyond the scope of this document) The perl module itself can be installed in a variety of ways, e.g.: RedHat/CentOS/CloudLinux: # yum install perl-GDGraph Direct from cpan.org: # perl -MCPAN -e shell cpan> install GD::Graph Webmin Module Installation/Upgrade Webmin > Webmin Configuration > Webmin Modules > From local file > /usr/local/csf/csfwebmin.tgz > Install Module Uninstallation : Removing csf and lfd is even more simple: # cd /etc/csf # sh uninstall.s The Article Based on: https://download.configserver.com/csf/install.txt

Access CSF UI on your browser with the specified port and click on "Check Server Security" . CSF will provide you some tips to secure your server . After that now check the report below: # vi /etc/ssh/sshd_config Port 22XX UseDNS no # systemctl restart sshd # vi /etc/my.cnf [mysqld] local-infile=0 # systemctl restart mariadb You can also enable 'RESTRICT_SYSLOG option check, LF_POP3D option check, LF_IMAPD option check, SYSLOG_CHECK option check, RESTRICT_UI option check, Check SSH PasswordAuthentication'.   This option helps prevent brute force attacks on your server services RESTRICT_SYSLOG = "3" LF_POP3D = "3" LF_POP3D_PERM = "1" LF_IMAPD = "3" LF_IMAPD_PERM = "1" SYSLOG_CHECK = "300" Important setting for me : #vi /etc/csf/csf.conf TESTING = "0" Don't Block IP addresses that are in the csf.allow files. IGNORE_ALLOW = "1" ICMP_IN = "1" ICMP_OUT = &qu

CSF Web UI required some of Perl modules to be installed on your system. Use the following commands to check the required modules are installed operating system. If not present please install those packages . # yum info perl-IO-Socket-SSL.noarch perl-Net-SSLeay perl-Net-LibIDN perl-IO-Socket-INET6 perl-Socket6 To enable CSF web UI edit /etc/csf/csf.conf file # vi /etc/csf/csf.conf # 0 = Unrestricted UI # 1 = Restricted UI # 2 = Disabled UI RESTRICT_UI = "0" # 1 to enable, 0 to disable UI = "1" # Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's # to the port using Advanced Allow Filters (see readme.txt) UI_PORT = "1025" # Leave blank to bind to all IP addresses on the server UI_IP = "" # This should be a secure, hard to guess username # This must be changed from the default UI_USER = "admin" # This must be changed from the default UI_PASS = "adminX" edit /etc/csf/ui/ui.allow configurat

CSF is an application-based firewall for iptables provided for Linux servers. CSF has many features and can support web-based management tools like CWP, cPanel/WHM, DirectAdmin and Webmin. CSF is easy to install and use on the server, it makes security management easier for sysadmins. To add more power to this, it comes with a Login Failure Daemon (LFD) script that runs all the time to scan for failed attempts to login to the server to detect bruteforce-attacks. There are an array of extensive checks that lfd can perform to help alert the server administrator of changes to the server, potential problems and possible compromises. LFD also blocks IPs if a huge number of failed logins are appearing from that IP. The block is temporary. It also allows the admin to view the blocked IP by enabling an email alert service. Some of the features include: Login Tracking Process Tracking Directory Watching Advanced Allow/Deny features Block Reporting Port Flood Protection ....etc Befo