Webmasters should check whether ConfigServer Security & Firewall (csf) and Login Failure Daemon (lfd) are choking and throttling their site traffic. Most web hosting setups run ConfigServer Security & Firewall (CSF), a very popular, highly recommended and excellent firewall, login/intrusion detection and security application for Linux servers.
Add to it the power of Login Failure Daemon (lfd), a process that scans the latest log file entries for login attempts against your server that continually fail within a short period of time and quickly blocks the offending IPs, and you have a very powerful tool against hackers. We also use ConfigServer Security & Firewall (CSF) on our Knownhost web hosting, and believe me, it is very easy to block your own site traffic, and if you are not alerted you might never know.
CSF ConfigServer Security & Firewall Settings
After our hacking episode, we became more aware and learned a lot about WHM and server settings. An important setting is the Connection Tracking Limit, or CT_Limit. If you have root access, you can log in to WHM > Plugins > ConfigServer Security & Firewall > Firewall Configuration.
Then browse the long list of options and look for CT_Limit. Check what your CT_Limit is set to.
If the limit is set to 0, the feature is disabled; incidentally, this is the default setting. But if a value of, let's say, 50 is set, it means that if the total number of connections from an IP address is greater than 50, that "offending" IP address is blocked. Now this IP may not necessarily be offending at all. If you have a high traffic site, you may want to keep higher limits.
In their own words:
Connection Tracking. This option enables tracking of all connections from IP addresses to the server. If the total number of connections is greater than this value then the offending IP address is blocked. This can be used to help prevent some types of DOS attack. Care should be taken with this option. It’s entirely possible that you will see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD and HTTP so it could be quite easy to trigger, especially with a lot of closed connections in TIME_WAIT. However, for a server that is prone to DOS attacks this may be very useful. A reasonable setting for this option might be around 300.
Though CSF itself suggests a value of 300, most web hosts keep it much lower. This helps to prevent DOS attacks on a server and is very useful. What is great is that when an IP is blocked, CSF will send you email alerts with subjects like: lfd on host.domain.com: IP (source) blocked with too many connections
When we had put a limit of 50, our email inbox was full of hundreds of these alerts every day. Hundreds of IP addresses were getting blocked, and many later complained that they were valid users and the site was unavailable to them.
The email then reveals which IP is blocked and cannot connect to your site. Fortunately this is a temporary block.
Moreover, whenever CSF-LFD tried to block these IPs, there were high resource usage alerts on the web server. Remember that raising the limit too much defeats the purpose for which it was intended. For high traffic blogs, you may need to keep the limit higher. So change the CT_Limit and restart CSF to apply the new limit.
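As an added example (not CSF's own code), the following script applies the connection-tracking rule described above to a constructed snapshot of client connections, so you can see how many clients a given CT_LIMIT would block, and how much of that is TIME_WAIT noise, before committing the setting. It assumes the csf.conf keys CT_LIMIT and CT_SKIP_TIME_WAIT and the `KEY = "value"` line format; the connection data is sample data made up for the example.

```python
import re
from collections import Counter

# Constructed csf.conf fragment (assumed keys: CT_LIMIT, CT_SKIP_TIME_WAIT).
CSF_CONF = '''
CT_LIMIT = "50"
CT_SKIP_TIME_WAIT = "0"
'''

# Constructed sample snapshot: (client IP, TCP state) pairs, as ss/netstat
# would report them. 203.0.113.10 is a busy but legitimate browser session
# that has left many closed connections in TIME_WAIT.
CONNECTIONS = (
    [("203.0.113.10", "ESTABLISHED")] * 12 + [("203.0.113.10", "TIME_WAIT")] * 45
    + [("198.51.100.7", "ESTABLISHED")] * 3
    + [("192.0.2.99", "ESTABLISHED")] * 55
)

def parse_csf_conf(text):
    """Return {KEY: value} for lines of the form KEY = "value"."""
    return dict(re.findall(r'^\s*([A-Z_0-9]+)\s*=\s*"([^"]*)"', text, re.M))

def would_block(conns, ct_limit, skip_time_wait=False):
    """IPs whose connection count exceeds ct_limit (0 disables tracking)."""
    if ct_limit <= 0:
        return {}
    counts = Counter(ip for ip, state in conns
                     if not (skip_time_wait and state == "TIME_WAIT"))
    return {ip: n for ip, n in counts.items() if n > ct_limit}

def assess(conf_text, conns):
    """Read the limit from the config and report which IPs it would block."""
    conf = parse_csf_conf(conf_text)
    limit = int(conf.get("CT_LIMIT", "0"))
    skip_tw = conf.get("CT_SKIP_TIME_WAIT", "0") == "1"
    return limit, would_block(conns, limit, skip_tw)

if __name__ == "__main__":
    limit, blocked = assess(CSF_CONF, CONNECTIONS)
    print(f"CT_LIMIT={limit}: {len(blocked)} client IP(s) would be blocked")
    for ip, n in sorted(blocked.items()):
        print(f"  {ip}: {n} connections (> {limit})")
```

With the sample data, a limit of 50 blocks the legitimate client along with the heavy one, skipping TIME_WAIT blocks only the heavy one, and the CSF-suggested 300 blocks neither.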
Now remember that it is easy to disable these email alerts. So if your host has set a very low CT_Limit for you and you do not get alerts, you have no idea how many valid IP addresses may be getting blocked, reducing your site traffic. Shared hosting users never have root access and can never see the settings, while VPS hosting packages and above have root access / WHM access and can check their ConfigServer Security & Firewall (CSF) settings.
NOTE: I am not an expert in server management, csf, lfd and server security. The above views represent what we noted as a webmaster and which might be useful information to you. Manipulation of CSF-LFD settings can make your site unusable very easily. Seek professional help from hosting technical support before messing up your settings.