Bobcares

cPanel DDoS protection – Everything that you need to know!

by | Dec 5, 2018

It’s a shocking fact that DDoS (Distributed Denial of Service) attacks are on the rise!

Attackers come up with new DDoS techniques every day. That makes DDoS protection a significant step for server security.

At Bobcares, we help server owners implement DDoS protection on their servers as part of our Support Services for Web Hosts.

Today, we’ll see how we can set up DDoS protection in cPanel servers.

 

What is DDoS?

Before looking at how to defend against a DDoS attack, let’s first see what it is.

A DDoS attack tries to shut down a business by sending a huge amount of traffic to its website. With too many hits to the website, the server is not able to handle the traffic. This causes site slowness, and eventually the website stops working. It also often causes network congestion, so it can affect all the servers in the network.

So, a proper DDoS protection mechanism is really important for all server providers.

 

Methods for cPanel DDoS protection

We now know the importance of preventing DDoS attacks on servers. In practice, there is no perfect way to prevent this attack, so all the methods aim to mitigate its effects.

Our goal is to reduce the attack time to the minimum. And the catch lies in implementing effective preventive measures on the server.

Now, let’s see the different ways for enabling cPanel DDoS protection.

 

Software Firewall

A software firewall is a great way to block unwanted traffic on the server. It mainly uses allow and deny rules that restrict access to the server.

1. Using CSF

Luckily, cPanel servers support a firewall called CSF (ConfigServer Security & Firewall).

Our Security Engineers typically configure various parameters in the CSF configuration file at /etc/csf/csf.conf.

The number of simultaneous connections from a single IP is very large in a DDoS attack. So, we limit this by lowering the value of CT_LIMIT.

Similarly, we also change the value of CT_INTERVAL, which sets the number of seconds between connection tracking scans.

Additionally, we enable protection for certain ports by specifying them in the configuration variable CT_PORTS. DDoS attacks primarily target the web server and the DNS server. That’s why our Support Engineers configure the variable as

CT_PORTS = "80,443,53"

PORTFLOOD and SYNFLOOD are the two directives in the CSF firewall that help to prevent DDoS. We tweak and enable these variables when the server is under attack.

After changing the configuration, restarting csf makes the changes effective.

The firewall settings applied during an attack are very strict. That’s why we always restore the set of pre-attack rules afterwards to minimize disruption of legitimate traffic.
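To check which of the directives named above are actually in effect, the following added example (not Bobcares’ tooling and not part of the original article) summarises them from a csf.conf-style file. The function names and the sample values are assumptions made for illustration; the sample values are constructed, not recommendations.

```shell
#!/usr/bin/env bash
# Added example: summarise the DDoS-related directives of a csf.conf-style
# file. Lines in csf.conf have the form NAME = "value".

# Print the value of directive $2 in file $1 (last occurrence wins).
csf_get() {
  awk -F'"' -v k="$2" '$1 ~ "^[ \t]*" k "[ \t]*=[ \t]*$" { v = $2 } END { print v }' "$1"
}

# Print one line per directive: "NAME on|OFF detail".
csf_ddos_audit() {
  local f=$1 v
  v=$(csf_get "$f" CT_LIMIT)
  if [ -z "$v" ] || [ "$v" = 0 ]; then echo "CT_LIMIT OFF connection tracking disabled"
  else echo "CT_LIMIT on block above $v connections per IP, scan every $(csf_get "$f" CT_INTERVAL)s"; fi

  v=$(csf_get "$f" CT_PORTS)          # empty means every port is counted
  echo "CT_PORTS on counting ports: ${v:-all}"

  v=$(csf_get "$f" SYNFLOOD)
  if [ "$v" = 1 ]; then echo "SYNFLOOD on rate $(csf_get "$f" SYNFLOOD_RATE) burst $(csf_get "$f" SYNFLOOD_BURST)"
  else echo "SYNFLOOD OFF"; fi

  v=$(csf_get "$f" PORTFLOOD)         # entries are port;protocol;hits;seconds
  if [ -n "$v" ]; then echo "PORTFLOOD on $v"
  else echo "PORTFLOOD OFF"; fi
}

# Constructed sample excerpt (illustrative values only).
sample_csf_conf() {
  cat <<'EOF'
# constructed csf.conf excerpt
CT_LIMIT = "150"
CT_INTERVAL = "30"
CT_PORTS = "80,443,53"
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"
PORTFLOOD = "80;tcp;20;5"
EOF
}

tmp=$(mktemp) && sample_csf_conf > "$tmp" && csf_ddos_audit "$tmp"; rm -f "$tmp"
```

On a server, run `csf_ddos_audit /etc/csf/csf.conf` before and after an attack to confirm the pre-attack rules were restored.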

 

2. cPanel’s IP Deny Manager

Another simple option to block IP addresses is cPanel’s IP Deny Manager. Here, we can manually ban single IP addresses or an entire IP range.

But note that banning IP addresses will not prevent SYN-flood attacks. It will not be effective against botnet-based DDoS attacks either.

 

3. Mod_evasive Apache module

Yet another effective method that helps to protect the server against DoS is the “mod_evasive” Apache module. This module can communicate with iptables, firewalls, and routers to restrict traffic.

It keeps a table of IP addresses that may be causing an attack, and it blocks any IP address that requests the same page more than a few times per second. It also blocks IP addresses that make more than 50 concurrent requests in a second. These IP addresses are blacklisted temporarily.

We can easily install “mod_evasive” from the Apache Modules section of WHM’s EasyApache 4 interface. To access it, log in to WHM and go to Home >> Software >> EasyApache 4.

 

4. Manual Blocking

When the server is under a DoS attack, manually blocking the offending IPs also really helps. Here, our Support Engineers first determine the number of connections per IP address using the command:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This command helps to find the top IP addresses that connect via ‘tcp’ or ‘udp’.

From our experience, if there are more than 500 packets from an IP, it is most likely a DDoS attack. So, we block those IPs in the firewall.
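The netstat pipeline above splits addresses with `cut -d: -f1`, which truncates IPv6 peers and turns IPv4-mapped peers such as ::ffff:203.0.113.5 into an empty string. The following added example (not part of the original article) counts sockets per remote address with those cases handled and applies the article’s threshold of 500 by default; the function names and the sample capture are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: per-IP socket counts from `netstat -an` style output read on
# stdin, so it works on a live pipe or on a saved capture.

# Print "COUNT IP" (highest first) for peers with more than $1 sockets
# (default 500). Skips listening sockets and wildcard peers.
top_talkers() {
  awk -v limit="${1:-500}" '
    $1 ~ /^(tcp|udp)/ && $6 != "LISTEN" {
      peer = $5
      sub(/:[^:]*$/, "", peer)     # drop the trailing :port
      sub(/^::ffff:/, "", peer)    # IPv4-mapped IPv6 -> plain IPv4
      if (peer == "0.0.0.0" || peer == "::" || peer == "*" || peer == "") next
      n[peer]++
    }
    END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
  ' | sort -rn
}

# Constructed capture using documentation address ranges.
sample_netstat() {
  cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40003       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:203.0.113.5:40004 ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::bad:51000     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::bad:51001     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:33000      ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# Demo with a threshold of 1 so the small sample produces output.
sample_netstat | top_talkers 1
```

On a live server the equivalent call is `netstat -an | top_talkers 500`.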

 

Conclusion

DDoS attacks can really bring websites to a standstill. Luckily, there are effective methods to mitigate such attacks. Today, we’ve seen the top methods for cPanel DDoS protection and how our Security Specialists implement them.
