Port Flood Protection

Port Flood Protection configures iptables to offer protection from DoS attacks against specific ports. It limits the number of new connections that a single IP address may make to a given port within a time interval; an address that exceeds the limit is blocked from that port until it has been quiet for the length of the interval.

• This feature does not work on servers that do not have the iptables module ipt_recent loaded.
• By default ipt_recent tracks only the last 100 IP addresses per table. The tracked addresses can be viewed in /proc/net/ipt_recent/*, where the filename is the port number of the table.

Format

port;protocol;hit count*;interval seconds

Multiple entries are separated by commas. The protocol is tcp or udp.

* The hit count cannot exceed the number of packets ipt_recent remembers per address (20 by default, see the notes below); the module refuses a rule with a larger hit count.

Example

PORTFLOOD = "22;tcp;5;300,80;tcp;20;5"
  1. If an IP address makes more than 5 new connections to tcp port 22 within 300 seconds, it is blocked from port 22 for at least 300 seconds after its last packet is seen, i.e. there must be a "quiet" period of 300 seconds before the block is lifted.

  2. If an IP address makes more than 20 new connections to tcp port 80 within 5 seconds, it is blocked from port 80 for at least 5 seconds after its last packet is seen, i.e. there must be a "quiet" period of 5 seconds before the block is lifted.

• Blocked IP addresses do not appear in any of the iptables chains when using this module, so csf -g and iptables -L will not show them. To view or remove an address whose block has not yet expired, manipulate the /proc/net/ipt_recent/* files as described in the module documentation.
• Restarting csf resets the ipt_recent tables and removes all of their blocks.
• By default ipt_recent only tracks 100 addresses per table (the module's ip_list_tot parameter); csf tries to raise this to 1000 when it loads the module via modprobe.
• By default ipt_recent only remembers 20 packets per tracked address (the module's ip_pkt_list_tot parameter), which is why a hit count above 20 is not accepted.

More information about the ipt_recent module can be found in the iptables man page and at http://snowman.net/projects/ipt_recent/
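The following POSIX shell function is an added illustration, not csf's own code: it renders a PORTFLOOD string into the iptables recent-match rules that implement the behaviour described in the example above, and it rejects entries whose hit count exceeds the 20-packet default from the notes above. It prints the commands instead of applying them, so it can be run on any host. The chain name PORTFLOOD and the default value of the module's ip_pkt_list_tot parameter are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of csf: render a PORTFLOOD string as the iptables
# "recent" match rules that implement the behaviour described above.
# Commands are printed rather than executed. Assumptions: a chain named
# PORTFLOOD exists, and the module was loaded with its default
# ip_pkt_list_tot (20 remembered packets per address).

PKT_LIST_TOT=${PKT_LIST_TOT:-20}

# True when $1 is a non-empty string of digits.
is_num() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# portflood_rules "22;tcp;5;300,80;tcp;20;5"
# Prints two rules per entry; returns 1 if any entry is malformed or asks for
# a hit count the module would refuse.
portflood_rules() {
    spec=$1 rc=0 oldifs=$IFS
    IFS=','
    for entry in $spec; do
        IFS=';'
        set -- $entry
        IFS=$oldifs
        if [ $# -ne 4 ]; then
            echo "error: expected port;protocol;hitcount;seconds, got '$entry'" >&2
            rc=1; continue
        fi
        port=$1 proto=$2 hits=$3 secs=$4
        case $proto in
            tcp|udp) ;;
            *) echo "error: unsupported protocol '$proto' in '$entry'" >&2; rc=1; continue ;;
        esac
        if ! is_num "$port" || ! is_num "$hits" || ! is_num "$secs"; then
            echo "error: port, hit count and seconds must be integers in '$entry'" >&2
            rc=1; continue
        fi
        # xt_recent rejects --hitcount above ip_pkt_list_tot when the rule is loaded.
        if [ "$hits" -gt "$PKT_LIST_TOT" ]; then
            echo "error: hit count $hits exceeds ip_pkt_list_tot=$PKT_LIST_TOT in '$entry'" >&2
            rc=1; continue
        fi
        # --name $port is what makes the table appear as /proc/net/ipt_recent/$port.
        # The --update rule matches once $hits timestamps fall inside the last
        # $secs seconds and, because it matches, refreshes the address's
        # last-seen time on every further packet: that is the "quiet period".
        # Placing it before --set means the first dropped attempt is the
        # (hits+1)th, i.e. "more than N connections".
        echo "iptables -A PORTFLOOD -p $proto --dport $port -m state --state NEW" \
             "-m recent --name $port --update --seconds $secs --hitcount $hits -j DROP"
        echo "iptables -A PORTFLOOD -p $proto --dport $port -m state --state NEW" \
             "-m recent --name $port --set"
    done
    IFS=$oldifs
    return $rc
}

# Usage: portflood_rules "22;tcp;5;300,80;tcp;20;5"
```

Running it on the example string prints four rules, two per port. Feeding it "22;tcp;25;300" fails with an error, which is what the module would do if csf passed such a hit count through.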

Related Files

File                 Description
/etc/csf/csf.conf    PORTFLOOD configuration option