If you want to limit the effects of a DDoS on your services, you have probably tried to limit the number of connections that can be made to a port, possibly by using the xt_recent iptables module. By default the limits imposed on the module are rather low, which made it of limited use in our case because of the large number of connections we normally have. On most distributions the default is to store only the last 100 IPs and the timestamps of the last 20 packets from each of those IPs. We can increase this to track more connections with more granularity; for example, with the changes below we can monitor up to 200 IPs and the times of the last 255 packets sent by each IP.

nano /etc/modprobe.d/xt_recent.conf

Add the following line to the file

options xt_recent ip_pkt_list_tot=255 ip_list_tot=200

Before we unload the xt_recent module we need to unload all the modules that use it. We can achieve this by simply using the command

service iptables stop

Alternatively, if you’re using csf you can unload all of its rules with the command below; there was no need to stop iptables when using this method.

csf -x

Now we can unload the xt_recent module

modprobe -r xt_recent

After the module has unloaded successfully you can reload it with

modprobe xt_recent

Now we can restart iptables

service iptables start

Or if you’re using csf

csf -e
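
To confirm the reload actually picked up the new limits (if any rule still referenced the module, the old values stay in effect), the following added example, which is not part of the original post, compares the options line in the config file with what the loaded module reports. The function names are illustrative, and it assumes the module's parameters are exposed under /sys/module/xt_recent/parameters and read as root.

```sh
#!/bin/sh
# Added example: confirm the loaded xt_recent module picked up the limits set
# in modprobe.d. Function names are illustrative, not from the original post.

# conf_value FILE NAME: print NAME's value from the "options xt_recent" line.
conf_value() {
    awk -v key="$2" '
        $1 == "options" && $2 == "xt_recent" {
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) val = kv[2]
            }
        }
        END { print val }' "$1"
}

# check_xt_recent CONF PARAMS_DIR: return 0 only if every limit set in CONF
# matches the value the running module reports under PARAMS_DIR.
check_xt_recent() {
    conf=$1; dir=$2; rc=0
    for name in ip_list_tot ip_pkt_list_tot; do
        want=$(conf_value "$conf" "$name")
        [ -n "$want" ] || continue    # not set in CONF, module default applies
        if [ ! -r "$dir/$name" ]; then
            echo "$name: not readable (module not loaded, or not root)"
            rc=1
            continue
        fi
        live=$(cat "$dir/$name")
        if [ "$live" = "$want" ]; then
            echo "$name: $live (matches $conf)"
        else
            echo "$name: module is using $live, $conf asks for $want; reload did not take effect"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live system (as root), after the reload steps above:
#   check_xt_recent /etc/modprobe.d/xt_recent.conf /sys/module/xt_recent/parameters
```

A non-zero exit status means the module is still running with its previous limits, so repeat the unload and reload steps.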