How to prevent DoS attack on server using IPTables or CSF

DOS is the abbreviation of Denial Of Service. It's an attempt to make the server's network resources unavailable to its intended users. We can identify it by checking whether there is any packet loss on the server, simply by using PING. Normally the attack originates from a single IP address, but in some unusual situations the attackers may use multiple IPs for DOS.

By using iptables and/or CSF we can block a DOS attack from external connections. To configure iptables to prevent DOS you must have a good knowledge of iptables configuration. But you can simply manage it from CSF. Here I am comparing the two ways (i.e., iptables and CSF) to prevent DOS on Linux servers.

How to configure iptables to prevent DOS attack?

You must know the following iptables switches to configure the server to prevent DOS:

-A : Append
-p : Protocol
--dport : For ports
-m limit : Loads the limit match extension
--limit 25/minute : Defines a maximum of 25 connections per minute.
--limit-burst 100 : The limit/minute will be enforced only after the total number of connections has reached the limit-burst level, i.e. 100 here.
-j : Target

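iptables rule (traffic over the limit does not match this rule and falls through to the next rule or the chain policy, so a DROP rule or a DROP policy has to follow for the limit to take effect):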

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT


[~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
acctboth   all  --  
ACCEPT     tcp  --             tcp dpt:80 limit: avg 25/min burst 100
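
The following simulation is an added example, not part of the original post: it models the `-m limit` token bucket of the rule above (25/minute, burst 100) against constructed traffic and compares an INPUT policy of ACCEPT with DROP. The addresses, traffic pattern and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class LimitRule:
    """Token bucket of iptables '-m limit': one bucket shared by every source."""
    rate_per_min: float = 25.0  # --limit 25/minute
    burst: int = 100            # --limit-burst 100

    def __post_init__(self):
        self.tokens = float(self.burst)  # bucket starts full
        self.last = 0.0                  # time of the previous packet, seconds

    def matches(self, now):
        # Refill at the configured rate, never above the burst size.
        refill = (now - self.last) * self.rate_per_min / 60.0
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True   # rule matches, its target (ACCEPT) applies
        return False      # no match: packet falls through to the policy

def run(packets, policy):
    """packets: (time_seconds, source_ip) pairs. Returns per-IP verdict counts."""
    rule, result = LimitRule(), {}
    for t, ip in sorted(packets):
        verdict = "ACCEPT" if rule.matches(t) else policy
        result.setdefault(ip, {"ACCEPT": 0, "DROP": 0})[verdict] += 1
    return result

# Constructed traffic, 5 minutes, documentation addresses (assumptions):
# one noisy source at 10 packets/s and one normal client sending every 10 s.
# The rule as written matches every TCP packet to port 80, so packets are counted.
NOISY, NORMAL = "198.51.100.7", "203.0.113.20"
TRAFFIC = [(i / 10.0, NOISY) for i in range(3000)]
TRAFFIC += [(5 + 10.0 * i, NORMAL) for i in range(30)]

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        print(policy, run(TRAFFIC, policy))
```

With policy ACCEPT every packet is still accepted; with policy DROP the single shared bucket is emptied by the noisy source and the normal client is dropped as well, which is why a per-source limit such as CSF's CT_LIMIT is the better fit.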

How to set up the server to prevent DOS attack by using CSF?

It's quite easy compared to the iptables configuration. By using CSF we can simply set up an iptables rule for preventing DOS attack. There is a directive in the CSF configuration file, CT_LIMIT, to define the number of connections from an IP address.

Step I : SSH to server as root user.
Step II : Open the CSF conf file using your favorite editor and add the CT_LIMIT value.

vi /etc/csf/csf.conf
# To disable this feature, set this to 0
CT_LIMIT = "50"

Where 50 is the maximum number of connections from an IP address. You need to specify the port number also.

vi /etc/csf/csf.conf
# Leave this option empty to count all ports against CT_LIMIT
CT_PORTS = "80,53,22"

Step III : Restart the CSF

csf -r

That’s it 🙂

Other useful CT options available in CSF:

# Connection Tracking interval. Set this to the the number of seconds between
# connection tracking scans

# Send an email alert if an IP address is blocked due to connection tracking

# If you want to make IP blocks permanent then set this to 1, otherwise blocks
# will be temporary and will be cleared after CT_BLOCK_TIME seconds

# If you opt for temporary IP blocks for CT, then the following is the interval
# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
CT_BLOCK_TIME = "1800"

# If you don't want to count the TIME_WAIT state against the connection count
# then set the following to "1"

# If you only want to count specific states (e.g. SYN_RECV) then add the states
# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
# Leave this option empty to count all states against CT_LIMIT


Arunlal Ashok

Sr. Linux Server Administrator. I'm managing Linux servers since 2012. I started this blog to share and discuss my ideas. Check My Profile in uPwork (oDesk) and create a job, if you need any administration help. Thanks!!


5 Responses

  1. handyblogger says:

    Thank you, it's useful but quite a simple example. What about how to prevent ICMP or UDP flood?

  2. Michael says:

    CSF doesn’t work well for DDoS mitigation. However there are iptables rules that can mitigate DDoS attacks at high rates, check out:

  3. Dũng says:

    CSF doesn't work well for CloudFlare. Have you tried installing vDDoS Protection Reverse Proxy from Layer 7 Filter Mitigate DOS, DDOS, SYN Floods, or HTTP Floods attack?
