ConfigServer Firewall Can Choke Your Site Traffic

Webmasters should check whether ConfigServer Security & Firewall (csf) and Login Failure Daemon (lfd) are choking and throttling their site traffic. Most web hosting setups run ConfigServer Security & Firewall (CSF), a very popular, highly recommended and excellent firewall, login/intrusion detection and security application for Linux servers.

Add to it the power of Login Failure Daemon (lfd), a process that scans the latest log file entries for login attempts against your server that continually fail within a short period of time and blocks offending IPs quickly, and you have a very powerful tool against hackers. We also use ConfigServer Security & Firewall (CSF) on our Knownhost web hosting, and believe me, it is very simple to block your own site traffic, and if you are not alerted you might never know.

CSF ConfigServer Security & Firewall Settings

After our hacking episode, we became more aware and learned a lot about WHM and server settings. An important setting is the Connection Tracking Limit, or CT_Limit. If you have root access, you can log in to WHM > Plugins > ConfigServer Security & Firewall > Firewall Configuration.

[Screenshot: CSF Firewall Configuration page]

Then browse the long list of options and look for CT_Limit. Check what your CT_Limit is set to.

[Screenshot: the CT_Limit option in the CSF configuration]

If the limit is set to 0, the feature is disabled; this is the default setting. But if a value of, let's say, 50 is there, it means that if the total number of connections from one IP address is greater than 50, that IP address is blocked. This IP may not necessarily be offending. If you have a high-traffic site, you may want to keep higher limits.

In their own words

Connection Tracking. This option enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value then the offending IP address is blocked. This can be used to help prevent some types of DOS attack. Care should be taken with this option. It's entirely possible that you will see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD and HTTP so it could be quite easy to trigger, especially with a lot of closed connections in TIME_WAIT. However, for a server that is prone to DOS attacks this may be very useful. A reasonable setting for this option might be around 300.

Though CSF itself suggests a value of 300, most web hosts keep it low. This helps prevent DOS attacks on a server and is very useful. What is great is that when an IP is blocked, CSF sends you email alerts with subjects like: lfd on IP (source) blocked with too many connections

When we had set a limit of 50, our email inbox was full of hundreds of these alerts every day. Hundreds of IP addresses were getting blocked, and many complained later that they were valid users and the site was unavailable to them.

[Screenshot: lfd block alert email]

The email then reveals which IP is blocked and cannot connect to your site. Fortunately, this is a temporary block.

Moreover, whenever CSF-LFD tried to block these IPs, there were high resource usage alerts on the web server. Remember that raising the limit too much defeats the purpose for which it was intended. For high-traffic blogs, you may need to keep the limits higher. So change the CT_Limit and restart CSF to apply the new limit.
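The check-and-change procedure above (read the current CT_Limit, decide whether it is too low, set a new value, restart CSF) and the alert-volume question from the previous paragraphs, as an added POSIX shell example. This is not code from the article or from the CSF project. It assumes the live config is /etc/csf/csf.conf (real path; override with CSF_CONF) and that `csf -r` restarts the firewall; the sample config and the sample alert subject lines it writes are constructed for the demo, following the shapes quoted in the article, and the helper names (`csf_get`, `csf_set`, `ct_limit_status`, `ct_alert_count`, `ct_alert_ips`) are this example's own.

```shell
#!/bin/sh
# Added example for this article; not code from the post or from the CSF
# project. It reads and changes CT_LIMIT in a csf.conf-style file and tallies
# lfd "blocked with too many connections" alert subjects, so you can see how
# often the limit fires before deciding on a new value.
# Assumptions: the live config is /etc/csf/csf.conf (override with CSF_CONF);
# the sample config and alert subjects written below are constructed for the
# demo and follow the shapes quoted in the article.

CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"

# csf_get KEY [FILE]: print KEY's value with csf's surrounding quotes removed.
csf_get() {
    key="$1"; conf="${2:-$CSF_CONF}"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# csf_set KEY VALUE [FILE]: rewrite KEY's line through a temp file (portable,
# unlike sed -i). Refuses to touch a key that is not already present.
csf_set() {
    key="$1"; value="$2"; conf="${3:-$CSF_CONF}"
    grep -q "^[[:space:]]*${key}[[:space:]]*=" "$conf" || { echo "no such key: $key" >&2; return 1; }
    tmp="${conf}.tmp.$$"
    sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = \"${value}\"/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# ct_limit_status VALUE: classify a CT_LIMIT value. 0 means the check is off;
# anything below the 300 that csf's own comment calls reasonable is "low",
# the range where the article and its commenters saw real users blocked.
ct_limit_status() {
    if [ "$1" -eq 0 ]; then echo "disabled"
    elif [ "$1" -lt 300 ]; then echo "low"
    else echo "ok"
    fi
}

# ct_alert_count FILE: number of lfd "too many connections" alerts in a file
# of mail subject lines (one per line). grep -c exits 1 on zero matches, so
# the "|| true" keeps a zero count from aborting a script run under set -e.
ct_alert_count() {
    grep -c "blocked with too many connections" "$1" || true
}

# ct_alert_ips FILE: the distinct IPs named in those alerts, one per line.
# Repeats of the same IP are a hint that a legitimate client keeps tripping
# the limit rather than a one-off flood.
ct_alert_ips() {
    grep "blocked with too many connections" "$1" \
        | sed -n 's/^lfd on \([^ ]*\) (.*) blocked with too many connections/\1/p' \
        | sort -u
}

# Constructed sample data (not real server output).
write_sample_conf() {
    cat > "$1" <<'EOF'
# csf.conf excerpt (constructed sample)
CT_LIMIT = "50"
CT_BLOCK_TIME = "1800"
EOF
}
write_sample_alerts() {
    cat > "$1" <<'EOF'
lfd on 203.0.113.7 (US/United States/-) blocked with too many connections
lfd on 198.51.100.22 (DE/Germany/-) blocked with too many connections
lfd on 203.0.113.7 (US/United States/-) blocked with too many connections
lfd on 203.0.113.9 (US/United States/-) blocked with too many connections
EOF
}

# Demo: inspect, raise to csf's suggested 300, and show the restart step.
demo() {
    dir=$(mktemp -d)
    write_sample_conf "$dir/csf.conf"; write_sample_alerts "$dir/alerts.txt"
    cur=$(csf_get CT_LIMIT "$dir/csf.conf")
    echo "CT_LIMIT before: $cur ($(ct_limit_status "$cur"))"
    echo "CT alerts: $(ct_alert_count "$dir/alerts.txt") from $(ct_alert_ips "$dir/alerts.txt" | wc -l | tr -d ' ') distinct IPs"
    csf_set CT_LIMIT 300 "$dir/csf.conf"
    echo "CT_LIMIT after:  $(csf_get CT_LIMIT "$dir/csf.conf")"
    echo "On a real server the change is not live until you run: csf -r"
    rm -rf "$dir"
}
demo
```

Run it as-is to see the demo on the constructed files; to work on a live server, call `csf_get CT_LIMIT` and `csf_set CT_LIMIT 300` as root against the real /etc/csf/csf.conf and then run `csf -r`, which is the restart step the article and one of the commenters say is needed before the new limit takes effect. Feeding `ct_alert_count` a file of your actual alert subject lines (one per line) gives a per-day figure to compare against before and after the change.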

Remember that it is easy to disable these email alerts. So if your host has set you a very low CT_Limit and you don't get alerts, you have no idea how many valid IP addresses may be getting blocked, reducing your site traffic. Shared hosting users never have root access and can never see the settings, while VPS hosting packages and above have root access / WHM access and can check their ConfigServer Security & Firewall (CSF) settings.

NOTE: I am not an expert in server management, csf, lfd and server security. The above views represent what we noted as a webmaster and which might be useful information to you. Manipulation of CSF-LFD settings can make your site unusable very easily. Seek professional help from hosting technical support before messing up your settings.


  1. Mahendra says:

    Thank you very much for sharing this valuable information. I have a Knownhost VPS and I was wondering about receiving these emails for a long time. After reading this article, I found that it was set to 40. At the moment, I have increased it to 300 to check the result.

  2. Transporte de maquinas says:

    I had no idea that such thing was active on the WHM settings.

    I already set mine to 300 as well to make a test and see how my sites are affected. Hope to see some increase in traffic. Actually, any increase would be nice ^^

  3. Cyber Solutions says:

    WHM ran an automatic update 2 weeks ago. We have around 150 sites on our cloud server & people started getting blocked. We had no clue how to fix the problem. Changed the CT_LIMIT & everything is working great. Thanks for this valuable information.

  4. Zerzar says:

    Great post! I had mine set to 50 and I was getting too many blocked alerts. The worst part happened today when I saw the firewall blocking MSN bots (Bing). After reading this post I raised it to 300. A great tip, thanks.

  5. Ian Smith says:

    Just experienced the same problem – clients phoning/complaining about lost business because customers could not access their website.
    Set to 300 now. Here's hoping!

  6. Ian Smith says:

    Yep! Seems to work – although the Firewall had to be restarted before the changes took effect.

    Thanks !

  7. Will says:

    An experienced word of caution as an admin who has used CSF for a couple of years on multiple arrays: simply turn off Connection Tracking scans. Don't use it. It's a process hog and scans every IP connection. Not just httpd connections. All email connections. Everything. Basically, connection tracking is such a bottleneck that you should avoid it at all costs unless you don't mind killing your throughput.

    If you're prone to DOS attacks there are other, far less resource-demanding ways to resolve it.

    • Sampson says:

      Heed Will's solid advice and save yourself from a throttled choke point. As a five-year CSF and server admin, do not use connection tracking. It's an anchor on throughput and server response times. The unintended consequences of using it are far reaching and will touch every single thing your server does, to the point that you'll spend tons (perhaps years) of time trying to improve the effects of what connection tracking will truly do to you.
