CSF has one useful feature which is Connection Tracking. This allows you to perform connection tracking of all connections formed on an IP Address. If the number of connections that occur is greater than a predetermined value, the IP address making the connection will be blocked by CSF. This can be useful for preventing DOS attacks.
However, sometimes the IP Address blocking can also be false-positives. Some protocols such as FTP, HTTP/HTTPS, IMAPD may take a lot of connections so the possibility of being blocked will be very high. Especially if the protocol does a lot of closed connections TIME_WAIT.
Here are the settings that might be considered:
A commonly used setting is at 300 with a range of 0-1000
CT_LIMIT = 300
Connection Tracking interval, this needs to be set to determine the scanning interval. If it is set to 30, it means that every 30 seconds it will perform scanning.
CT_INTERVAL = 30
Send an email alert if an IP Address is triggered to block due to connection tracking.
CT_EMAIL_ALERT = 1
If you want to make IP Block permanent, then set this value to 1.
CT_PERMANENT = 1
If you don't want to use a permanent block, then use CT_BLOCK_TIME block for a specific duration with a value of seconds. Example 1800 = 30 minutes.
CT_BLOCK_TIME = 86400
If TIME_WAIT is not to be taken into account in the connection tracking process, then set the value 1
CT_SKIP_TIME_WAIT = 1
If you want to scan connection tracking with a specific port, then fill in the value with an example of 80,443.
CT_PORTS = 80,443
