Is it still secure when I restart csf firewall?

Posted by Jacob2011, 06-11-2015, 08:20 PM
Since there are too many rules, it takes tens of seconds to restart csf. During the restart process, is my server still secure? Thanks for the reply.

Posted by net, 06-11-2015, 08:48 PM
What do you mean by whether your server is still secure? Restarting csf will not hurt your server. Remember that csf alone doesn't mean your server is already secured.

Posted by Server Management, 06-11-2015, 09:17 PM
Tens of seconds to restart? How many rules have you got within iptables?

Posted by Bbnuse, 06-12-2015, 02:57 AM
You're worried that, while CSF is restarting, you may get attacked or something? That would be a big coincidence, imo. How long (in minutes) does your firewall take to restart? If it takes more than a minute, I think you're using too many rules. About your question, I'm not completely sure; maybe a CSF guru around here knows. I definitely want to know if it keeps working while loading/removing rules.

Posted by Jacob2011, 06-12-2015, 10:09 AM
Thank you. My server is fully managed. What I mean is that after I execute the command "csf -r", it takes csf tens of seconds to change the iptables rules. During these tens of seconds, is my server protected by csf?

Posted by Jacob2011, 06-12-2015, 10:19 AM
It seems that these rules were added by the server provider. I exported these rules to a text file (/sbin/service iptables status > csf.txt) and found that there are more than 2000 rules to block IPs, such as:

2478 DROP all -- 124.122.247.200 0.0.0.0/0

The text file itself is larger than 500KB.

Posted by Jacob2011, 06-12-2015, 10:28 AM
Yes, this is exactly what I mean. I know it takes too long to restart csf (about 1 to 2 minutes), but the server is hardened by the server provider, and it seems that this does not affect performance (my server has two CPUs). I just need to ensure that csf still protects my server while restarting it.

Posted by garconcn, 06-12-2015, 09:02 PM
CSF does not protect your server during restart.

Posted by HostingBig, 06-12-2015, 09:06 PM
csf config: FASTSTART = 1, so it does not dump all of the rules during restart.

Posted by SkunkEyes, 06-12-2015, 10:08 PM
For some of those listed, wouldn't it just be easier to block by country code, thereby reducing load? CC_DENY = "THA,CN"

Posted by Jacob2011, 06-22-2015, 11:27 AM
Many thanks to all of you. I think I can update this post now. In the past few days the traffic of some of my sites dropped by a few hundred visits per day, so I wondered whether some normal visitors were being blocked by the firewall, since there were too many rules blocking IPs. I then found that these blocked entries were defined by a file named "csf.blocklists": csf updates this list every day by downloading the IPs of spammers or hackers from multiple sites. However, some of these sites are not popular; it seems that they simply build their lists from the IPs blocked on their own servers. Although I do trust the csf firewall and my server provider, I don't think some of these sites are as reliable as csf or my server provider. I disabled this list and restarted csf, and now it takes only a few seconds! And if I want to enable the list again, that will also take just a few seconds.

Posted by weetabix, 06-22-2015, 05:09 PM
You should consider using the ipset option in csf to use bigger blocklists than a couple of hundred IPs. ipset can easily handle tens of thousands of IPs without any significant performance impact.
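To make the ipset suggestion concrete, here is an added example (written for this page, not csf's own code and not how csf names its sets) that turns a one-address-per-line blocklist into a single ipset plus one iptables rule, instead of the one-DROP-rule-per-IP layout seen in the exported rule dump above. The sample blocklist is constructed; the set name `bl_example` and the hash:net parameters are assumptions. Only the `apply_blocklist` step needs root and a kernel with ipset support; the rest is plain text processing and runs anywhere.

```shell
#!/bin/sh
# Constructed sample blocklist (assumed format: one IPv4 address or CIDR per
# line, '#' comments and blank lines allowed, duplicates and junk possible).
SAMPLE_BLOCKLIST='# example feed
124.122.247.200
10.0.0.5
10.0.0.5
not-an-ip
192.0.2.1/24
'

# Keep only syntactically valid IPv4 addresses or prefixes, deduplicated.
# (Syntactic check only: octet ranges are not validated here.)
clean_blocklist() {
  tr -d '\r' < "$1" \
  | grep -Ev '^[[:space:]]*(#|$)' \
  | grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' \
  | sort -u
}

# The layout the thread's rule dump shows: one iptables rule per address.
# Every packet walks this list linearly, and reloading it means replaying
# every line. Emitted in iptables-restore syntax for comparison only.
build_per_ip_rules() {
  while IFS= read -r net; do
    printf -- '-A INPUT -s %s -j DROP\n' "$net"
  done < "$1"
}

# The ipset layout: one set holding all entries (hash lookup, not a linear
# walk). Emitted in `ipset restore` syntax. $1 = set name, $2 = cleaned list.
build_ipset_restore() {
  set_name=$1
  printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$set_name"
  while IFS= read -r net; do
    printf 'add %s %s -exist\n' "$set_name" "$net"
  done < "$2"
}

# Load the list without a window in which the block rule is absent:
# fill a scratch set, swap it under the live name, then ensure the single
# iptables rule that references the live set exists. Needs root + ipset.
apply_blocklist() {
  live=$1; list=$2
  build_ipset_restore "${live}_new" "$list" | ipset restore
  ipset create "$live" hash:net family inet hashsize 4096 maxelem 65536 -exist
  ipset swap "${live}_new" "$live"
  ipset destroy "${live}_new"
  iptables -C INPUT -m set --match-set "$live" src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set "$live" src -j DROP
}

# Usage (as root):
#   clean_blocklist feed.txt > feed.clean && apply_blocklist bl_example feed.clean
```

The point of the swap step is that the one `-m set` rule never leaves the INPUT chain while the list is refreshed; the set contents change atomically underneath it. That is the property the original question is really about, and it is what a per-IP rule list cannot give you, because replacing 2000 individual rules necessarily means deleting and re-adding them.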

Posted by Jacob2011, 06-22-2015, 09:41 PM
Thank you very much. Using ipset is a nice idea!
