Linux: using the CSF firewall to block malicious requests

  • 2020-06-07 05:55:54
  • OfStack

The problem
Recently, for reasons I don't know, the number of requests from malicious agents has been increasing. Even though I return 403 Forbidden, the volume is so large that it still consumes a lot of my bandwidth and resources. My previous approach no longer works, so I wanted to look into firewalls properly. Apache can also blacklist IPs, but I find that a bit cumbersome. The most common tools, iptables or ufw, manage rules well, but you basically have to add entries one by one, which is very tedious.

Searching online, I found a handy tool, CSF (ConfigServer Security & Firewall). It is said to make managing an IP blacklist easy, and it can also be configured to withstand a certain amount of DDoS traffic.

The installation
The tool itself can be downloaded from the CSF website.

After downloading and unpacking it, follow the instructions in install.txt; they are concise yet detailed. Pay attention to file permissions as you go. Note that this tool is itself built on iptables; it simply simplifies the commands.

Protection against DDoS

According to readme.txt, the DDoS protection is controlled mainly by the configuration in /etc/csf/csf.conf, in particular the PORTFLOOD parameter. One form of setting is documented as follows:


#Syntax for the PORTFLOOD setting:
#PORTFLOOD is a comma separated list of:
#port;protocol;hit count*;interval seconds
#So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:
#1. If more than 5 connections to tcp port 22 within 300 seconds, then block
#that IP address from port 22 for at least 300 seconds after the last packet is
#seen, i.e. there must be a "quiet" period of 300 seconds before the block is
#lifted
#2. If more than 20 connections to tcp port 80 within 5 seconds, then block
#that IP address from port 80 for at least 5 seconds after the last packet is
#seen, i.e. there must be a "quiet" period of 5 seconds before the block is
#lifted

This can be modified to suit individual needs.

About black list

The blacklist lives in /etc/csf/csf.deny and accepts several forms of entry, which the header comment at the top of the file describes very clearly:


###############################################################################
# Copyright 2006-2017, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#

In short, each line represents one IP address or one IP range (CIDR); entries can also carry comments, and you can even restrict a block to specific ports and protocols.
Finally, remember to run the csf -r command after making changes for them to take effect.

Protection against malicious agent requests

This is of course what I use to solve the bandwidth-hogging problem caused by malicious agents. With this tool it can be brought under control in 10 minutes. The idea is as follows:

First, search the Apache log (/var/log/apache2/access.log) for all blocked entries (in my case, all requests that got a 403). Then extract the client IP address from each matching log record, sort and deduplicate the results to produce the blacklist, and write it to csf.deny. Finally, restart the csf service.

It's super easy to implement:


root@server:~# grep ' 403 ' /var/log/apache2/access.log | awk '{print $1}' | sort -u >> /etc/csf/csf.deny

You can check the result manually. Once you have confirmed it, run csf -r to restart the service.
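The one-liner above matches " 403 " anywhere in the line, so a 200 response with a 403-byte body would also be picked up, and IPs already in csf.deny get appended again. The script below is an added example (not code from the original post) that does the same job by reading the status field properly, counting hits per client, skipping an allow-list and entries already present in csf.deny, and emitting lines in csf.deny format; the log lines and the existing deny-file content are constructed samples.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (not from the original post).
# The third line has status 200 but a 403-byte body: a loose grep ' 403 ' would match it.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2020:05:50:01 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "python-requests/2.23"
203.0.113.10 - - [07/Jun/2020:05:50:02 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.23"
198.51.100.7 - - [07/Jun/2020:05:51:10 +0000] "GET /index.html HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Jun/2020:05:52:30 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.68.0"
"""

# Constructed existing csf.deny content; comment lines and inline comments are ignored.
EXISTING_DENY = "# header comment\n192.0.2.44 # added earlier, do not delete\n"

# Client IP is the first field; the status is the 3-digit number right after the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')

def count_status_hits(log_text, status=403):
    """Count, per client IP, responses whose status field (not any other field) equals `status`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and int(m.group("status")) == status:
            hits[m.group("ip")] += 1
    return dict(hits)

def parse_deny(deny_text):
    """Return the set of IPs/CIDRs already listed in a csf.deny file."""
    entries = set()
    for line in deny_text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            entries.add(entry)
    return entries

def new_deny_lines(hits, existing_deny, allow=(), min_hits=2):
    """Build csf.deny lines for IPs with >= min_hits, skipping allow-listed and already-denied ones."""
    existing = parse_deny(existing_deny)
    lines = []
    for ip, n in sorted(hits.items()):
        if n >= min_hits and ip not in existing and ip not in allow:
            lines.append(f"{ip} # {n} x 403 in access.log")
    return lines

if __name__ == "__main__":
    hits = count_status_hits(SAMPLE_LOG)
    for line in new_deny_lines(hits, EXISTING_DENY, allow={"198.51.100.7"}):
        print(line)  # append these to /etc/csf/csf.deny, then run: csf -r
```

The allow-list is where you put your own monitoring hosts and the server's public IP, so a burst of 403s from them never ends up in the blacklist.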
