2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article shows how to use the CSF firewall on Linux to block malicious requests.
About DDoS protection
According to readme.txt, DDoS protection is mainly controlled by the settings in /etc/csf/csf.conf, especially the PORTFLOOD parameter, which is generally set as follows:
# Syntax for the PORTFLOOD setting:
#
# PORTFLOOD is a comma separated list of:
# port;protocol;hit count*;interval seconds
#
# So, a setting of PORTFLOOD = "22;tcp;5;300,80;tcp;20;5" means:
#
# 1. If more than 5 connections to tcp port 22 within 300 seconds, then block
# that IP address from port 22 for at least 300 seconds after the last packet is
# seen, i.e. there must be a "quiet" period of 300 seconds before the block is
# lifted
#
# 2. If more than 20 connections to tcp port 80 within 5 seconds, then block
# that IP address from port 80 for at least 5 seconds after the last packet is
# seen, i.e. there must be a "quiet" period of 5 seconds before the block is
# lifted
This can be modified according to individual needs.
About the blacklist
The blacklist lives in /etc/csf/csf.deny and entries can be written in several ways, which are described very clearly at the top of the file:
# Copyright 2006-2017, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
#
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#
In short, each line holds one IP address or one IP range (CIDR), and an entry can carry a comment or even specify a port and protocol.
Finally, remember to run the csf -r command after making changes so that they take effect.
Protection scheme against malicious agent requests
Of course, my purpose in using this is to fundamentally solve the earlier bandwidth problem caused by malicious agents. With this tool, that is easy to control. The approach is as follows:
First, search Apache's log (/var/log/apache2/access.log) to find all log entries that should be blocked (I mean all requests that returned a 403).
Then, extract the IP address from each of those log records.
Sort and deduplicate the results to generate the blacklist.
Write the blacklist to csf.deny.
Restart the csf protection service.
It's super easy to implement:
root@server:~# cat /var/log/apache2/access.log | grep ' 403 ' | awk '{print $1}' | sort | uniq >> /etc/csf/csf.deny
You can manually check whether the result is correct, and then restart the service with csf -r.
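A stricter version of the pipeline above, as an added example that is not part of the original article: it matches the status field exactly instead of any " 403 " substring, keeps only IPv4 addresses, requires a minimum number of hits, and skips addresses already listed in csf.deny. The function names, the threshold and the sample log lines are constructed for illustration, and the Apache combined log format is assumed.

```shell
#!/bin/sh
# deny_candidates ACCESS_LOG DENY_FILE [MIN_HITS]   (hypothetical helper)
# Prints csf.deny lines for IPv4 clients that received at least MIN_HITS
# 403 responses and are not already listed as a plain IP in DENY_FILE.
# Assumes combined log format; CIDR entries in DENY_FILE are not expanded.
deny_candidates() {
    awk -v min="${3:-3}" '
    pass == 1 {                      # existing csf.deny: remember listed IPs
        if ($1 != "" && $1 !~ /^#/) listed[$1] = 1
        next
    }
    {                                # access log, fields split on double quotes
        split($1, pre, " ")          # pre[1] = client address
        split($3, post, " ")         # post[1] = status, post[2] = size
        if (post[1] != "403") next   # exact status match, not a substring
        n = split(pre[1], o, ".")    # keep dotted-quad IPv4 only
        if (n != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        hits[pre[1]]++
    }
    END {
        for (ip in hits)
            if (hits[ip] >= min && !(ip in listed))
                printf "%s # 403 x%d in access log\n", ip, hits[ip]
    }' pass=1 "$2" pass=2 FS='"' "$1" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Constructed sample data (documentation address ranges) for a dry run.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '198.51.100.9 # do not delete' > "$d/csf.deny"
    cat > "$d/access.log" <<'EOF'
203.0.113.7 - - [07/Apr/2025:10:00:01 +0000] "GET http://example.com/ HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [07/Apr/2025:10:00:02 +0000] "CONNECT example.com:443 HTTP/1.1" 403 199 "-" "-"
203.0.113.7 - - [07/Apr/2025:10:00:03 +0000] "GET /a b HTTP/1.1" 403 199 "-" "-"
198.51.100.9 - - [07/Apr/2025:10:00:04 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
198.51.100.9 - - [07/Apr/2025:10:00:05 +0000] "GET / HTTP/1.1" 403 199 "-" "-"
192.0.2.55 - - [07/Apr/2025:10:00:06 +0000] "GET /admin HTTP/1.1" 403 199 "-" "-"
192.0.2.80 - - [07/Apr/2025:10:00:07 +0000] "GET /page HTTP/1.1" 200 403 "-" "-"
192.0.2.80 - - [07/Apr/2025:10:00:08 +0000] "GET /page HTTP/1.1" 200 403 "-" "-"
EOF
    deny_candidates "$d/access.log" "$d/csf.deny" 2
    rm -rf "$d"
}
```

Redirect the output to a scratch file and review it before appending it to /etc/csf/csf.deny and running csf -r. In the sample data, 192.0.2.80 received only 200 responses of 403 bytes, which a plain substring match on " 403 " would have blacklisted.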