Hi Linux Techs,
We can try to protect our servers from TCP/UDP flooding on any port either DNS or http or SSH or any port with the help of CSF on Linux servers.
Install CSF on Linux servers with cpanel or without any panel.
For centos/fedora/redhat 7 minimal install install below packages
yum -y install perl-libwww-perl with unzip bind-utils
- wget https://download.configserver.com/csf.tgz
- tar -xzf csf.tgz
- cd csf
- For without cpanel servers
- sh install.sh
- For cpanel servers
- sh install.cpanel.sh
- Open Csf config file to change its mode to production.
- vim /etc/csf/csf.conf
- Change testing mode from 1 to 0.
- csf –r
Now CSF firewall is installed and enabled.
To allow any IP for all traffic
- csf –a IPaddress
To deny any IP for all traffic
- csf –d IPaddress
Port Flood Protection
This option configures iptables to offer protection from DOS attacks against
specific ports. This option limits the number of connections per time interval
that new connections can be made to specific ports.
This feature does not work on servers that do not have the iptables module
ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server
admins should check with their VPS host provider that the iptables module is
By default ipt_recent tracks only the last 100 IP addresses. The tracked IP
addresses can be viewed in /proc/net/ipt_recent/* where the port number is the
Syntax for the PORTFLOOD setting:
PORTFLOOD is a comma separated list of:
port;protocol;hit count*;interval seconds
So, a setting of PORTFLOOD = “53;tcp;5;300,80;tcp;20;5” means:
1. If more than 5 connections to tcp port 53 within 300 seconds, then block
that IP address from port 22 for at least 300 seconds after the last packet is
seen, i.e. there must be a “quiet” period of 300 seconds before the block is
2. If more than 20 connections to tcp port 80 within 5 seconds, then block
that IP address from port 80 for at least 5 seconds after the last packet is
seen, i.e. there must be a “quiet” period of 5 seconds before the block is
More information about the ipt_recent module can be found in the iptables man
page and at http://snowman.net/projects/ipt_recent/
Note: Blocked IP addresses do not appear in any of the iptables chains when
using this module. You must manipulate the /proc/net/ipt_recent/* files as per
the module documentation to view and remove IP addresses that are currently
blocked if the blocks have not yet expired.
Restarting csf resets the ipt_recent tables and removes all of its blocks.
Note: There are some restrictions when using ipt_recent:
1. By default it only tracks 100 addresses per table (we try and increase this
to 1000 via modprobe)
2. By default it only counts 20 packets per address remembered
*This means that you need to keep the hit count to below 20.
If you have any issue to do the same or any query please reply to this post.