Been fighting off mostly small DoS attacks here and there, and wanted some comments on my current setup.
Key sections in csf.conf:

    # Enable SYN flood protection. This option configures iptables to offer some
    # protection from tcp SYN packet DOS attempts. You should set the RATE so that
    # false-positives are kept to a minimum otherwise visitors may see connection
    # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
    # man page for the correct --limit rate syntax
    SYNFLOOD = "1"
    SYNFLOOD_RATE = "5/s"
    SYNFLOOD_BURST = "40"
    # Connection Tracking. This option enables tracking of all connections from IP
    # addresses to the server. If the total number of connections is greater than
    # this value then the offending IP address is blocked. This can be used to help
    # prevent some types of DOS attack.
    #
    # Care should be taken with this option. It's entirely possible that you will
    # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
    # and HTTP so it could be quite easy to trigger, especially with a lot of
    # closed connections in TIME_WAIT. However, for a server that is prone to DOS
    # attacks this may be very useful. A reasonable setting for this option might
    # be around 200.
    #
    # To disable this feature, set this to 0
    CT_LIMIT = "60"

    # Connection Tracking interval. Set this to the number of seconds between
    # connection tracking scans
    CT_INTERVAL = "1"
What I'm trying to do is get it as sensitive as possible, without losing too many legit visitors.
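One way to check how many legitimate visitors a low CT_LIMIT would hit before committing to it: count connections per remote IP from `ss -tan` output the way the Connection Tracking comment describes, with and without TIME_WAIT entries. This is an added example, not csf's own code or part of the original post; the `ss` sample below is constructed, and the `ignore_timewait` switch is an assumption for comparison only (csf's own counting rules are not shown on this page).

```python
from collections import Counter
import ipaddress

# Constructed sample in `ss -tan` layout: State Recv-Q Send-Q Local Peer.
# 203.0.113.7 has 2 live connections plus 2 lingering in TIME-WAIT.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:80         203.0.113.7:51234
ESTAB      0      0      10.0.0.5:80         203.0.113.7:51235
TIME-WAIT  0      0      10.0.0.5:80         203.0.113.7:51236
TIME-WAIT  0      0      10.0.0.5:80         203.0.113.7:51237
ESTAB      0      0      10.0.0.5:443        198.51.100.9:40001
LISTEN     0      128    0.0.0.0:22          0.0.0.0:*
ESTAB      0      0      [::1]:443           [::1]:55555
"""


def peer_ip(peer):
    """Strip the port from 'ip:port' or '[v6]:port'; None for wildcards."""
    host, _, _port = peer.rpartition(":")
    host = host.strip("[]")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def connections_per_ip(ss_output, ignore_timewait=False):
    """Count connections per remote IP from `ss -tan` output (header skipped)."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] == "LISTEN":
            continue  # listening sockets have no peer
        state, peer = fields[0], fields[4]
        if ignore_timewait and state == "TIME-WAIT":
            continue
        ip = peer_ip(peer)
        if ip is not None:
            counts[ip] += 1
    return counts


def over_limit(ss_output, ct_limit, ignore_timewait=False):
    """IPs that exceed CT_LIMIT (blocked when count > limit; 0 disables)."""
    if ct_limit <= 0:
        return {}
    counts = connections_per_ip(ss_output, ignore_timewait)
    return {ip: n for ip, n in counts.items() if n > ct_limit}
```

Pipe real output in with `ss -tan | python3 -c 'import sys,ctpreview; print(ctpreview.over_limit(sys.stdin.read(), 60))'` (module name assumed) and compare the two modes to see how much of a candidate limit is consumed by TIME_WAIT alone.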