Fli
08-21-2017, 10:04 PM
I have a cPanel/WHM server with CSF (firewall) and I wanted to set the right PORTFLOOD value in the CSF config file (/etc/csf/csf.conf).
I am not aware of what the optimal setting is in the case of my website, and here is how I would find the right value. I welcome it if you share a better way to do so. So here is how:
Open https://tools.pingdom.com or http://gtmetrix.com to see:
1. how many requests (sometimes called GET requests) your site produces.
2. how many seconds it takes to load that site
Edit the CSF configuration file /etc/csf/csf.conf, PORTFLOOD variable for ports 80 and 443, to match this.
Example: I found 50 requests done in 5 seconds, so I edit that variable like this:
22;tcp;2;300,80;tcp;50;5,443;tcp;50;5,110;tcp;20;2,143;tcp;20;5,993;tcp;20;2,995;tcp;20;2
If a site visitor has fast internet with low latency and browses your site aggressively page after page, he may exceed the limit.
If that happens, then another CSF function takes over - "Port Scan Tracking".
I have it set this way:
PS_INTERVAL: 300
PS_LIMIT: 10
PS_BLOCK_TIME: 3600
It means that it will ban an aggressive web (port 80 or 443) visitor for 3600 seconds if they reach the PORTFLOOD limit (50 connections in 5 seconds in our example) more than 10 times in 300 seconds.
After saving the CSF config file, it is good to verify that it works by aggressively browsing the hosted website while watching the CSF/LFD and syslog log files:
tail -f {/var/log/lfd.log,/var/log/messages}|grep "MyIPHere"
(make sure these files exist; discover MyIPHere at www.myip.ms (http://www.myip.ms); make sure the IP is whitelisted in /etc/csf/csf.ignore and /etc/csf/csf.allow so as not to get banned)
(the first path is the path of the access log file; MyIPHere is what I discovered when opening www.myip.ms (http://www.myip.ms); that whole command monitors the log files and shows only log entries matching my IP)
PS: to show even the web server requests, one may try:
tail -f {/home/cpanelusernamehere/access-logs/mydomain.com,/var/log/lfd.log,/var/log/messages}|grep "MyIPHere"
Possible log entries:
*Port Scan* detected from MyIPHere (NL/Netherlands/-). 11 hits in the last 106 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
NOTE that robots like Googlebot can browse the site faster; one may whitelist Google IP ranges in CSF and define the following line in the .htaccess file to set a 3 second delay before a polite robot crawls the next page:
Crawl-timeout: 3
Best is to set high limits and then continuously decrease them while watching lfd.log for "*Port Scan* detected"; if it starts banning human visitors, it is time to stop tightening the limits.
I am sure my way is not ideal; do you have a better and simpler idea of how to tune PORTFLOOD/Port Scan for a web server?
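The post tunes PORTFLOOD by hand and then watches lfd.log for its own IP. The script below is an added example (not code from the post or from CSF) that supports the same tuning loop offline: it parses the PORTFLOOD string into per-port limits, replays a client's connection timestamps against the hitcount/interval rule, checks whether the resulting drops would exceed PS_LIMIT within PS_INTERVAL, and summarises "*Port Scan*" blocks per IP from lfd.log. It assumes that PORTFLOOD is enforced with the iptables `recent` module (`--update --seconds INTERVAL --hitcount N`, approximated as a sliding window over new connections), that each dropped connection attempt is one logged "hit" for Port Scan Tracking, and that lfd.log lines have the shape quoted above. The lfd.log lines, IP addresses and connection timings are constructed for the example.

```python
"""Added example, not from the original post or from CSF itself.

Assumptions: PORTFLOOD behaves like iptables `-m recent --update --seconds
INTERVAL --hitcount N` on new connections; each dropped attempt is one logged
hit for PS_LIMIT/PS_INTERVAL; lfd.log lines look like the one quoted in the
post.  All sample data below is constructed.
"""
import re
from collections import Counter, deque

# The PORTFLOOD value from the post; the stray space before ",143" is kept
# on purpose to show that parse_portflood() tolerates it.
PORTFLOOD = ("22;tcp;2;300,80;tcp;50;5,443;tcp;50;5,110;tcp;20;2 ,"
             "143;tcp;20;5,993;tcp;20;2,995;tcp;20;2")
PS_INTERVAL, PS_LIMIT = 300, 10


def parse_portflood(value):
    """Return {port: (proto, hitcount, interval)} for a csf.conf PORTFLOOD
    string.  A malformed entry raises ValueError so a typo is caught before
    the rules are reloaded."""
    rules = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(";")
        if len(parts) != 4 or parts[1] not in ("tcp", "udp"):
            raise ValueError(f"bad PORTFLOOD entry: {entry!r}")
        port, proto, hits, secs = parts
        rules[int(port)] = (proto, int(hits), int(secs))
    return rules


def simulate_portflood(conn_times, hitcount, interval):
    """Replay sorted new-connection timestamps (seconds) from one client IP
    against a hitcount/interval rule and return the timestamps that would be
    dropped.  As with `-m recent --update`, every attempt is recorded even
    when it is dropped, so a client that keeps hammering stays blocked."""
    seen, dropped = deque(), []
    for t in conn_times:
        while seen and t - seen[0] > interval:   # forget stamps outside the window
            seen.popleft()
        if len(seen) >= hitcount:                # hitcount hits already in window
            dropped.append(t)
        seen.append(t)
    return dropped


def portscan_triggered(hit_times, ps_limit=PS_LIMIT, ps_interval=PS_INTERVAL):
    """True when more than ps_limit logged hits fall inside any
    ps_interval-second window, i.e. when lfd would issue a [PS_LIMIT] block."""
    window = deque()
    for t in hit_times:
        window.append(t)
        while t - window[0] > ps_interval:
            window.popleft()
        if len(window) > ps_limit:
            return True
    return False


# lfd.log line of the shape quoted in the post.
PS_LINE = re.compile(
    r"\*Port Scan\* detected from (?P<ip>\S+) \((?P<geo>[^)]*)\)\. "
    r"(?P<hits>\d+) hits in the last (?P<secs>\d+) seconds - "
    r"\*Blocked in csf\* for (?P<block>\d+) secs \[(?P<trigger>\w+)\]")


def parse_portscan(line):
    """Parse one lfd.log *Port Scan* line into a dict; None for other lines."""
    m = PS_LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("hits", "secs", "block"):
        d[key] = int(d[key])
    return d


def blocks_per_ip(lines):
    """Count *Port Scan* blocks per source IP: repeat entries from residential
    ranges are the sign that the limits are catching human visitors."""
    return Counter(p["ip"] for p in map(parse_portscan, lines) if p)


# Constructed lfd.log sample: a repeat offender, a one-off, and an unrelated line.
SAMPLE_LFD = [
    "Aug 21 22:04:11 host lfd[1234]: *Port Scan* detected from 203.0.113.10 "
    "(NL/Netherlands/-). 11 hits in the last 106 seconds - *Blocked in csf* "
    "for 3600 secs [PS_LIMIT]",
    "Aug 21 22:09:30 host lfd[1234]: *Port Scan* detected from 198.51.100.7 "
    "(US/United States/-). 12 hits in the last 240 seconds - *Blocked in csf* "
    "for 3600 secs [PS_LIMIT]",
    "Aug 21 22:31:02 host lfd[1234]: *Port Scan* detected from 203.0.113.10 "
    "(NL/Netherlands/-). 11 hits in the last 71 seconds - *Blocked in csf* "
    "for 3600 secs [PS_LIMIT]",
    "Aug 21 22:35:00 host lfd[1234]: some other lfd message",
]

if __name__ == "__main__":
    proto, hits, secs = parse_portflood(PORTFLOOD)[80]
    human = list(range(60))                       # one connection per second
    scanner = [i * 0.05 for i in range(100)]      # twenty connections per second
    for name, times in (("human", human), ("scanner", scanner)):
        dropped = simulate_portflood(times, hits, secs)
        print(f"{name}: {len(dropped)} of {len(times)} connections dropped, "
              f"PS block: {portscan_triggered(dropped)}")
    print(blocks_per_ip(SAMPLE_LFD))
```

Running it shows the consequence of the post's numbers: the one-connection-per-second client is never dropped, while the 20-per-second client loses 50 of 100 attempts inside 5 seconds, and those 50 logged drops already exceed PS_LIMIT, so a single burst earns the full PS_BLOCK_TIME ban. After editing csf.conf, reload with `csf -ra` (restarts csf and lfd), check a test IP's state with `csf -g <ip>`, and release it with `csf -dr <ip>` if the tuning went too far. One further check: the `recent` module keeps a fixed number of timestamps per address (its `ip_pkt_list_tot` parameter, 20 by default), and older kernels reject a `--hitcount` larger than that, so confirm in the restart output that the port 80/443 rules with hitcount 50 were actually installed.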