csf/firewall Installation and Port Flood (DDos) Protection by CSF on Linux server

Hi Linux Techs,


We can try to protect our servers from TCP/UDP flooding on any port either DNS or http or SSH or any port with the help of CSF on Linux servers.


Install CSF on Linux servers with cpanel or without any panel.


For centos/fedora/redhat 7 minimal install install below packages

yum -y install perl-libwww-perl with unzip bind-utils

  • wget https://download.configserver.com/csf.tgz
  • tar -xzf csf.tgz
  • cd csf
  • For without cpanel servers
  • sh install.sh
  • For cpanel servers
  •  sh install.cpanel.sh


  • Open Csf config file to change its mode to production.
  • vim /etc/csf/csf.conf
  • Change testing mode from 1 to 0.
  • csf –r


Now CSF firewall is installed and enabled.

To allow any IP for all traffic

  • csf –a  IPaddress


To deny any IP for all traffic

  • csf –d IPaddress



Port Flood Protection



This option configures iptables to offer protection from DOS attacks against

specific ports. This option limits the number of connections per time interval

that new connections can be made to specific ports.


This feature does not work on servers that do not have the iptables module

ipt_recent loaded. Typically, this will be with Monolithic kernels. VPS server

admins should check with their VPS host provider that the iptables module is



By default ipt_recent tracks only the last 100 IP addresses. The tracked IP

addresses can be viewed in /proc/net/ipt_recent/* where the port number is the



Syntax for the PORTFLOOD setting:


PORTFLOOD is a comma separated list of:

port;protocol;hit count*;interval seconds


So, a setting of PORTFLOOD = “53;tcp;5;300,80;tcp;20;5” means:


1. If more than 5 connections to tcp port 53 within 300 seconds, then block

that IP address from port 22 for at least 300 seconds after the last packet is

seen, i.e. there must be a “quiet” period of 300 seconds before the block is



2. If more than 20 connections to tcp port 80 within 5 seconds, then block

that IP address from port 80 for at least 5 seconds after the last packet is

seen, i.e. there must be a “quiet” period of 5 seconds before the block is



More information about the ipt_recent module can be found in the iptables man

page and at http://snowman.net/projects/ipt_recent/


Note: Blocked IP addresses do not appear in any of the iptables chains when

using this module. You must manipulate the /proc/net/ipt_recent/* files as per

the module documentation to view and remove IP addresses that are currently

blocked if the blocks have not yet expired.


Restarting csf resets the ipt_recent tables and removes all of its blocks.


Note: There are some restrictions when using ipt_recent:


1. By default it only tracks 100 addresses per table (we try and increase this

to 1000 via modprobe)


2. By default it only counts 20 packets per address remembered


*This means that you need to keep the hit count to below 20.


If you have any issue to do the same or any query please reply to this post.

4 Responses

  1. Yogendra Rathore
    Yogendra Rathore at | | Reply

    Very nice security tips .

  2. Shubham
    Shubham at | | Reply

    good . tell me about apache and tomcat topic

  3. Dinesh
    Dinesh at | | Reply

    nice article….keep it up..

Leave a Reply