by Sijin George 


It’s a shocking fact that DDoS (Distributed Denial of Service) attacks are on the rise!

Hackers evolve with new ways of DDoS attack every day. That makes DDoS protection a significant step for server security.

Today, we’ll see how we can set up DDoS protection in cPanel servers.



What is DDoS ?

Before checking on how to defend DDoS attack, let’s first see what it is.

DDoS tries to shutdown a business by sending huge amount of traffic to the website. With too many hits to the website, server will not be able to handle the traffic. This further causes site slowness and eventually website stops working. Also, this often causes network congestion. Thus, it can affect all the servers in the network.

So, a proper DDoS protection mechanism is really important for all server providers.


Methods for cPanel DDoS protection

We now know the importance of preventing DDoS attack in servers. Ideally, there is no perfect way to prevent this attack as such. So, all the methods are to mitigate the effects of the attack.

Our target focuses on reducing the attack time to the minimum. And, the catch lies in implementing effective preventive measures on the server.

Now, let’s see the different ways for enabling cPanel DDoS protection.


Software Firewall

Software firewall is a great way to block unwanted traffic on the server. It mainly uses allow and deny rules that restrict access to the server.

1. Using CSF

Luckily, cPanel server supports a firewall called CSF (Config Server Security & Firewall).

Our Security Engineers typically configures various parameters in CSF configuration file at /etc/csf/csf.conf.

The number of simultaneous connections from a single IP would be very large in a DDoS attack . So, we limit this by tweaking the value of CT_Limit to a smaller range.

Similarly, we also change the value of “CT_INTERVAL“, that tracks the number of seconds between connection tracking scans.

Additionally, we enable protection for certain ports by specifying them in the configuration variable ‘CT_PORTS’. DDOS primarily focuses on the web server and DNS server. That’s why, our support engineers configure the variable as:


PORTFLOOD and SYNFLOOD are the two directives in CSF firewall that helps to prevent DDoS. We tweak and enable these variables when the server is under attack.

After changing the configuration, a restart of csf will make changes effective.

The firewall settings during an attack time would be really strict. That’s why, we always restore the set of pre-attack rules afterwards to minimize disruption of legitimate traffic.


2. cPanel’s IP Deny Manager

Another simple option to block IP addresses is cPanel’s IP deny manager. Here, we can manually ban single IP addresses or an entire IP range.

But, note that banning IP addresses will not prevent SYN-flood attacks. Also, it will not be effective for botnet based DDoS attack too.


3. Mod_evasive Apache module

Yet another effective method that helps to protect the server against DoS is “mod_evasive” Apache module. This module can communicate with iptables, firewalls, and routers to restrict traffic.

It creates a table of IP addresses that can possibly cause attack. Thus, it effectively blocks the IP address that requests the same page more than a few times per second. Also, it do not allow IP addresses that makes more than 50 concurrent requests in a second. These IP addresses are blacklisted temporarily.

We can easily install “Mod_evasive” from the Apache Modules section of WHM’s EasyApache 4 interface. To access it, login to WHM and go to Home >> Software >> EasyApache 4.


4. Manual Blocking

When the server is under DoS attack, manual blocking of offending IP also really helps. Here, our Support Engineers first determine the number of connections per IP address using the command :

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This command helps to find the top IP addresses that connects via ‘tcp’ or ‘udp’ method.

From our experience, if there are more than 500 packets from an IP,  then mostly it will be a DDOS attack. So, we block those IPs in the firewall.




DDoS attacks can really make websites standstill. Luckily, there are effective methods to mitigate such attacks.

Sunday, March 31, 2019

« Back