Connection Limit Protection

Connection limit protection configures iptables to offer protection from DOS attacks against specific ports. It can also be used as a way to simply limit resource usage by IP address to specific server services. This option limits the number of new concurrent connections per IP address that can be made to specific ports.

• This feature does not work on servers that do not have the iptables module xt_connlimit loaded.
• The protection can only be applied to the TCP protocol.
• Existing connections are not included in the count, only new SYN packets, i.e. new connections.
• Run /etc/csf/csftest.pl to check whether this option will function on the server.

Format

port;limit

Example

CONNLIMIT = "22;5,80;20"
  1. Only allow up to 5 concurrent new connections to port 22 per IP address.
  2. Only allow up to 20 concurrent new connections to port 80 per IP address.

Related Files

File Description
/etc/csf/csf.conf CONNLIMIT configuration option
/usr/local/csf/tpl/connectiontracking.txt Connection tracking alert template