This article shows how to configure the CSF firewall so that a deliberate DDoS attack on your server can be prevented.
Step 1: Open and edit the CSF config file.
vi /etc/csf/csf.conf
Settings:
Enable connection tracking.
CT_LIMIT is the maximum number of connections allowed from one IP; set this value according to your server's requirements.
CT_LIMIT = 100
Set the connection tracking interval.
CT_INTERVAL = 30
Enable this if you want an email alert when a possible DDoS attack is detected.
CT_EMAIL_ALERT = 1
If you want to make IP blocks permanent then set this to 1; otherwise blocks will be temporary and will be cleared after CT_BLOCK_TIME seconds.
CT_PERMANENT = 1
If you opt for temporary IP blocks for CT, then the following is the interval in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins).
CT_BLOCK_TIME = 36000
If you only want to count specific ports (e.g. 80,443) then add the ports to the following as a comma-separated list, e.g. "80,443".
CT_PORTS = 80,23,443
These settings are normally enough against DDoS attacks. If you are still being attacked even with the options above configured, the following additional options can be set.
Step 2: Enable distributed attack detection.
LF_DISTATTACK = 1
Set the following to the minimum number of unique IP addresses that trigger LF_DISTATTACK.
LF_DISTATTACK_UNIQ = 2
Step 3: Enable distributed FTP attack detection.
LF_DISTFTP = 1
Set the following to the minimum number of unique IP addresses that trigger LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work.
LF_DISTFTP_UNIQ = 3
If this option is set to 1 the blocks will be permanent. If this option is > 1, the blocks will be temporary for the specified number of seconds.
LF_DISTFTP_PERM = 1
Step 4: Enable distributed SMTP attack detection.
LF_DISTSMTP = 1
Set the following to the minimum number of unique IP addresses that trigger LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work.
LF_DISTSMTP_UNIQ = 4
If this option is set to 1 the blocks will be permanent. If this option is > 1, the blocks will be temporary for the specified number of seconds.
LF_DISTSMTP_PERM = 1
This is the interval during which a distributed FTP or SMTP attack is measured.
LF_DIST_INTERVAL = 300
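As an added example (not part of this article or of the CSF project), the following POSIX shell functions read and set these keys in a csf.conf-style file and check the rules the article states; run on the article's own values they report that LF_DISTFTP_UNIQ (3) and LF_DISTSMTP_UNIQ (4) are larger than LF_DISTFTP and LF_DISTSMTP (both 1), which the text says must not be the case. The function names and the constructed sample file are assumptions; csf.conf itself writes values as KEY = "value".

```shell
#!/bin/sh
# Added example, not CSF's own code: read, set and sanity-check the csf.conf
# keys this article changes. csf.conf lines have the form  KEY = "value".
# csf_get FILE KEY: print the (last) value of KEY, quotes and blanks stripped.
csf_get() {
    awk -v key="$2" -F'=' '
        $0 !~ /^[ \t]*#/ && $1 ~ "^[ \t]*" key "[ \t]*$" {
            v = $2; gsub(/[ \t"]/, "", v); last = v
        }
        END { print last }' "$1"
}

# csf_set FILE KEY VALUE: rewrite the KEY line in place, appending it if absent.
csf_set() {
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" -F'=' '
        $0 !~ /^[ \t]*#/ && $1 ~ "^[ \t]*" key "[ \t]*$" {
            print key " = \"" val "\""; found = 1; next
        }
        { print }
        END { if (!found) print key " = \"" val "\"" }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# csf_check FILE: return 0 when the settings obey the rules stated in the
# article, 1 otherwise (each violation is printed).
csf_check() {
    f=$1; rc=0
    ct_limit=$(csf_get "$f" CT_LIMIT); ct_int=$(csf_get "$f" CT_INTERVAL)
    if [ "${ct_limit:-0}" -gt 0 ] && [ "${ct_int:-0}" -le 0 ]; then
        echo "CT_LIMIT is set but CT_INTERVAL is 0 or missing"; rc=1
    fi
    # Distributed-attack rule: LF_DIST<SVC>_UNIQ must be <= LF_DIST<SVC>.
    for svc in FTP SMTP; do
        base=$(csf_get "$f" "LF_DIST$svc"); uniq=$(csf_get "$f" "LF_DIST${svc}_UNIQ")
        if [ "${base:-0}" -gt 0 ] && [ "${uniq:-0}" -gt "$base" ]; then
            echo "LF_DIST${svc}_UNIQ ($uniq) must be <= LF_DIST$svc ($base)"; rc=1
        fi
    done
    return $rc
}

# write_sample FILE: constructed csf.conf fragment holding the article's values.
write_sample() {
    printf '%s\n' 'CT_LIMIT = "100"' 'CT_INTERVAL = "30"' 'CT_EMAIL_ALERT = "1"' \
        'CT_PERMANENT = "1"' 'CT_BLOCK_TIME = "36000"' 'CT_PORTS = "80,23,443"' \
        'LF_DISTATTACK = "1"' 'LF_DISTATTACK_UNIQ = "2"' 'LF_DISTFTP = "1"' \
        'LF_DISTFTP_UNIQ = "3"' 'LF_DISTFTP_PERM = "1"' 'LF_DISTSMTP = "1"' \
        'LF_DISTSMTP_UNIQ = "4"' 'LF_DISTSMTP_PERM = "1"' 'LF_DIST_INTERVAL = "300"' > "$1"
}
```

Running `write_sample /tmp/csf.test; csf_check /tmp/csf.test` lists the two UNIQ violations; after `csf_set /tmp/csf.test LF_DISTFTP 3` and `csf_set /tmp/csf.test LF_DISTSMTP 4` the check passes, so the relationship should be fixed in the real file before reloading csf.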