For ordinary people, VPS security measures need to start with preventing the most frequent threats and only later focus on the rare ones. A true DDoS attack can be impossible to mitigate for a single server – merely processing each request uses some resources, and a full-fledged attack can quickly cripple a server. For example, a recent Cloudflare DDoS attack reached a peak of 26 million requests per second! If something like that were to target your VPS server, there’s no defense.
But we can focus on the smaller, more common attacks. These are also very easy to orchestrate and so demand a response using regular security mechanisms. Luckily, VPS owners have the ConfigServer Firewall to deal with this.
ConfigServer Firewall Comes Pre-Installed on NameHero VPSs
All VPS purchases through NameHero are fully-managed. This means that the team takes care of basic security and installs and configures crucial software like web and mail servers. It also includes the ConfigServer Firewall (CSF) tool that makes monitoring and managing VPS security much easier than manually modifying IP tables.
Thanks to CSF’s easy management via a simple text file, you can block simple DDoS attacks automatically in just a few clicks. In this article, I’ll show you how to do this via the GUI instead of manually modifying text files.
Access the CSF Configuration Screen
The server I use with NameHero is InterWorx, though NameHero installs CSF on all its dashboards. For InterWorx, you can find the ConfigServer Firewall sub-section on the left-hand side. If you’re using cPanel/WHM, you should find it under the “Plugins” section. Open it and click “Firewall Configuration” like this:
This brings up the ConfigServer Firewall configuration screen.
Configure CSF to Block DDoS Attacks
Using your browser’s search function, search for “Connection Tracking”. Here are the variable values I use for my VPS:
CT_LIMIT = 150
CT_INTERVAL = 15
CT_BLOCK_TIME = 18000
CT_PORTS = 80,443
Here’s an explanation of what this means.
CT_LIMIT refers to the number of concurrent connections a particular IP address can have. If it’s higher than this number, then CSF will take action.
CT_INTERVAL is the time period in seconds at which CSF will check for the number of connections to any given IP. It’s possible that an IP address would have significantly bypassed the limit set by CT_LIMIT during this time. It can take a maximum of 15 seconds, in my case, before a DDoS attack can be stopped.
CT_BLOCK_TIME is the duration for which the relevant IP address is blocked.
CT_PORTS are the port numbers for which connections will be counted. I’ve set this to 80 and 443, reflecting HTTP and HTTPS connections. If you leave it blank, connections to ALL ports will be counted.
Save your changes and restart CSF.
Notification of Blocks
In the settings screen, you can also configure whether or not you’ll receive an e-mail notification when your server blocks an IP address via the CT_EMAIL_ALERT variable. I’ve set this to “On”, so when CSF blocks something, I get an email like this:
This email shows that this particular IP hit 277 connections before the CT_INTERVAL kicked in. You can see from the screenshot that the IP address was trying a bunch of ports, scanning for weaknesses. This is a classic example of the kind of DDoS attack that CSF was designed to handle. Simple to detect, easy to block, and easy to configure against.
You should get a dedicated security solution for anything more complicated than this. But when someone targets your IP address directly like this, even a reverse proxy like Cloudflare won’t help. So ensure you harden your server by enabling CSF’s DDoS protection to keep you safe!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!