
Author Topic: [csf] ConfigServer Security & Firewall  (Read 4307 times)


Offline Kloxo-DR

[csf] ConfigServer Security & Firewall
« on: 2013-12-27, 14:10:22 »
Hello Mustafa,

Sad to know what happened with the forum and crash...

I found that following would be so fantastic to have it integrated in Kloxo-MR as a builtin package:

http://configserver.com/cp/csf.html

In particular, I found the "Port Flood Protection" as one of the MOST IMPORTANT TOOLS to block connections EVEN BEFORE SPAMDYKE plays its role.

I have configured as follows:

PORTFLOOD = 22;tcp;1;60,25;tcp;3;60,80;tcp;10;60

---> 25;tcp;3;60

which means that the csf (firewall) shall allow within 60 sec. ONLY THREE CONNECTIONS from a particular IP on Port 25.

Spamdyke will not even be activated for processing as csf blocks the connection activity so beautifully.

For many days, I have been seeing port flooding on port 25. Hence, this solution is a must.

Kloxo-MR comes much later. In the sequence, CSF ---> spamdyke ---> Qmail/Kloxo-MR.
« Last Edit: 2013-12-28, 01:29:52 by Kloxo-DR »

Offline MRatWork

Re: [csf] ConfigServer Security & Firewall
« Reply #1 on: 2013-12-27, 15:15:04 »
I am still thinking using other firewall (csf or iptables) is useless.

Enough using lxguard and nginx/hiawatha (proxy or standalone).
..:: MRatWork (Mustafa Ramadhan Projects) ::..
-- Server/Web-integrator - Web Hosting (Kloxo-MR READY!) --

Offline chrisf

Re: [csf] ConfigServer Security & Firewall
« Reply #2 on: 2013-12-27, 18:14:05 »
Your settings for HTTP (port 80) are too restrictive. If you or your clients are running a CMS, ten connections is not enough in a 60 second block. The reason is that every connection from the browser counts. This includes asynchronous loading of JavaScript, images, CSS files, etc. I would set that no lower than 75. If it is an attack, 75 will easily catch your attack. For social sites (clients) I keep the number on those servers at 125.

A simple Ajax based chat script will hit 10 and then block your clients' customers falsely.
Christopher

Knowledge in: PHP, Perl, MySQL, Javascript, Actionscript, FLASH, HTML, CSS
Server Administrator / Developer: https://convictionshosting.com
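
The PORTFLOOD value from the first post and the port 80 limit of 75 suggested in the reply above, replayed against sample traffic. This is an added example, not part of any post in this thread and not csf's own code; the traffic lists are constructed, and the blocking model (a source is refused once it opens more than the hit count of new connections inside the interval) is a simplifying assumption.

```python
from collections import deque

def parse_portflood(value):
    """Parse a PORTFLOOD value: comma-separated port;protocol;hits;interval."""
    rules = {}
    for entry in value.strip().strip('"').split(","):
        port, proto, hits, interval = entry.strip().split(";")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {entry!r}")
        rules[(int(port), proto)] = (int(hits), int(interval))
    return rules

def first_blocked(rule, timestamps):
    """Return the 1-based index of the first refused connection, or None.
    Assumed model: block once a source has made more than `hits` new
    connections inside any `interval`-second window."""
    hits, interval = rule
    window = deque()
    for n, t in enumerate(sorted(timestamps), start=1):
        # Forget connections that have aged out of the window.
        while window and t - window[0] >= interval:
            window.popleft()
        window.append(t)
        if len(window) > hits:
            return n
    return None

# Constructed traffic: seconds since the first packet, one client IP each.
PAGE_LOAD = [0.0, 0.1, 0.1, 0.2, 0.2, 0.3, 0.3, 0.4, 0.5, 0.6, 0.8, 1.0]
MAIL_BURST = [0, 20, 40, 45]        # 4 SMTP connections in 45 s
SLOW_MAIL = [0, 30, 60, 90, 120]    # one SMTP connection every 30 s
SSH_ADMIN = [0, 5]                  # second terminal opened 5 s later

ORIGINAL = parse_portflood("22;tcp;1;60,25;tcp;3;60,80;tcp;10;60")
RELAXED = parse_portflood("22;tcp;1;60,25;tcp;3;60,80;tcp;75;60")

if __name__ == "__main__":
    cases = [("page load, 80 limit 10", ORIGINAL[(80, "tcp")], PAGE_LOAD),
             ("page load, 80 limit 75", RELAXED[(80, "tcp")], PAGE_LOAD),
             ("mail burst, 25 limit 3", ORIGINAL[(25, "tcp")], MAIL_BURST),
             ("slow mail, 25 limit 3", ORIGINAL[(25, "tcp")], SLOW_MAIL),
             ("ssh admin, 22 limit 1", ORIGINAL[(22, "tcp")], SSH_ADMIN)]
    for label, rule, traffic in cases:
        hit = first_blocked(rule, traffic)
        print(f"{label}: " + (f"blocked at connection {hit}" if hit else "allowed"))
```

The kernel's recent match remembers only 20 packets per address by default (module parameter `ip_pkt_list_tot`), so hit counts above 20 need that parameter raised before the rule can load.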

Offline Kloxo-DR

Re: [csf] ConfigServer Security & Firewall
« Reply #3 on: 2013-12-28, 01:35:08 »
Hello Chris,

In fact I was just playing on my test server and now need to copy csf to production /etc.

What a valuable piece of advice!

Thanks.




Offline Kloxo-DR

Re: [csf] ConfigServer Security & Firewall
« Reply #4 on: 2013-12-28, 01:41:24 »
Hi Mustafa,

> I am still thinking using other firewall (csf or iptables) is useless.
> Enough using lxguard and nginx/hiawatha (proxy or standalone).

Of course both have some protection built into them.

However, csf has features that are not built into lxguard or nginx/hiawatha.

It is just very wrong to be too proud of a software, where use of other software with advanced features is not only just helpful but INEVITABLE!

I just think csf is inevitable. There is no chance that lxguard or nginx/hiawatha could be any closer to the functionality offered by the csf firewall.

However, it is your decision not to integrate it tightly in kloxo-mr.

It is integrated in zPanel, though.

 

