diff --git a/internal/web/actions/default/clusters/cluster/node/settings/ddos-protection/index.go b/internal/web/actions/default/clusters/cluster/node/settings/ddos-protection/index.go
index e35771bd..43c79ece 100644
--- a/internal/web/actions/default/clusters/cluster/node/settings/ddos-protection/index.go
+++ b/internal/web/actions/default/clusters/cluster/node/settings/ddos-protection/index.go
@@ -106,6 +106,10 @@ func (this *IndexAction) RunPost(params struct {
 			this.FailField("tcpNewConnectionsRate", "TCP: 单IP连接速率不能小于"+types.String(nodeconfigs.DefaultTCPNewConnectionsMinRate))
 		}
 
+		if tcpConfig.DenyNewConnectionsRate > 0 && tcpConfig.DenyNewConnectionsRate < nodeconfigs.DefaultTCPDenyNewConnectionsMinRate {
+			this.FailField("tcpDenyNewConnectionsRate", "TCP: 单IP TCP新连接速率黑名单连接速率不能小于"+types.String(nodeconfigs.DefaultTCPDenyNewConnectionsMinRate))
+		}
+
 		// Port
 		for _, portConfig := range tcpConfig.Ports {
 			if portConfig.Port > 65535 {
diff --git a/internal/web/actions/default/clusters/cluster/settings/ddos-protection/index.go b/internal/web/actions/default/clusters/cluster/settings/ddos-protection/index.go
index 161e3bfd..c8213b75 100644
--- a/internal/web/actions/default/clusters/cluster/settings/ddos-protection/index.go
+++ b/internal/web/actions/default/clusters/cluster/settings/ddos-protection/index.go
@@ -79,6 +79,10 @@ func (this *IndexAction) RunPost(params struct {
 			this.FailField("tcpNewConnectionsRate", "TCP: 单IP连接速率不能小于"+types.String(nodeconfigs.DefaultTCPNewConnectionsMinRate))
 		}
 
+		if tcpConfig.DenyNewConnectionsRate > 0 && tcpConfig.DenyNewConnectionsRate < nodeconfigs.DefaultTCPDenyNewConnectionsMinRate {
+			this.FailField("tcpDenyNewConnectionsRate", "TCP: 单IP TCP新连接速率黑名单连接速率不能小于"+types.String(nodeconfigs.DefaultTCPDenyNewConnectionsMinRate))
+		}
+
 		// Port
 		for _, portConfig := range tcpConfig.Ports {
 			if portConfig.Port > 65535 {
diff --git a/web/public/js/components/cluster/node-ddos-protection-config-box.js b/web/public/js/components/cluster/node-ddos-protection-config-box.js
index b22c3ff9..97fcc1ec 100644
--- a/web/public/js/components/cluster/node-ddos-protection-config-box.js
+++ b/web/public/js/components/cluster/node-ddos-protection-config-box.js
@@ -10,6 +10,7 @@ Vue.component("node-ddos-protection-config-box", {
 					maxConnections: 0,
 					maxConnectionsPerIP: 0,
 					newConnectionsRate: 0,
+					denyNewConnectionsRate: 0,
 					allowIPList: [],
 					ports: []
 				}
@@ -24,6 +25,7 @@ Vue.component("node-ddos-protection-config-box", {
 				maxConnections: 0,
 				maxConnectionsPerIP: 0,
 				newConnectionsRate: 0,
+				denyNewConnectionsRate: 0,
 				allowIPList: [],
 				ports: []
 			}
@@ -89,6 +91,31 @@ Vue.component("node-ddos-protection-config-box", {
 				<p class="comment">单个IP可以创建TCP新连接的速率。如果为0，则默认为{{defaultConfigs.tcpNewConnectionsRate}}；最小值为{{defaultConfigs.tcpNewConnectionsMinRate}}。</p>
 			</td>
 		</tr>
+		<tr>
+			<td>单IP TCP新连接速率黑名单</td>
+			<td>
+				<div class="ui fields">
+					<div class="ui field">
+						<div class="ui input right labeled">
+							<span class="ui label">超过</span>
+							<digit-input name="tcpDenyNewConnectionsRate" v-model="config.tcp.denyNewConnectionsRate" maxlength="6" size="6" style="width: 6em" :min="defaultConfigs.tcpDenyNewConnectionsMinRate"></digit-input>
+							<span class="ui label">个新连接/每分钟</span>
+						</div>
+					</div>
+					<div class="ui field" style="line-height: 2.4em">
+						屏蔽
+					</div>
+					<div class="ui field">
+						<div class="ui input right labeled">
+							<digit-input name="tcpDenyNewConnectionsRateTimeout" v-model="config.tcp.denyNewConnectionsRateTimeout" maxlength="6" size="6" style="width: 5em"></digit-input>
+							<span class="ui label">秒</span>
+						</div>
+					</div>
+				</div>
+			
+				<p class="comment">单个IP可以如果在单位时间内创建的TCP连接数超过这个值，就自动加入到<code-label>nftables</code-label>黑名单中。如果为0，则默认为{{defaultConfigs.tcpDenyNewConnectionsRate}}；最小值为{{defaultConfigs.tcpDenyNewConnectionsMinRate}}；默认屏蔽{{defaultConfigs.tcpDenyNewConnectionsRateTimeout}}秒。</p>
+			</td>
+		</tr>
 		<tr>
 			<td>TCP端口列表</td>
 			<td>
diff --git a/web/public/js/components/ns/ns-node-ddos-protection-config-box.js b/web/public/js/components/ns/ns-node-ddos-protection-config-box.js
index da24d1be..1a14c90b 100644
--- a/web/public/js/components/ns/ns-node-ddos-protection-config-box.js
+++ b/web/public/js/components/ns/ns-node-ddos-protection-config-box.js
@@ -10,6 +10,7 @@ Vue.component("ns-node-ddos-protection-config-box", {
 					maxConnections: 0,
 					maxConnectionsPerIP: 0,
 					newConnectionsRate: 0,
+					denyNewConnectionsRate: 0,
 					allowIPList: [],
 					ports: []
 				}
@@ -24,6 +25,7 @@ Vue.component("ns-node-ddos-protection-config-box", {
 				maxConnections: 0,
 				maxConnectionsPerIP: 0,
 				newConnectionsRate: 0,
+				denyNewConnectionsRate: 0,
 				allowIPList: [],
 				ports: []
 			}
@@ -89,6 +91,31 @@ Vue.component("ns-node-ddos-protection-config-box", {
 				<p class="comment">单个IP可以创建TCP新连接的速率。如果为0，则默认为{{defaultConfigs.tcpNewConnectionsRate}}；最小值为{{defaultConfigs.tcpNewConnectionsMinRate}}。</p>
 			</td>
 		</tr>
+		<tr>
+			<td>单IP TCP新连接速率黑名单</td>
+			<td>
+				<div class="ui fields">
+					<div class="ui field">
+						<div class="ui input right labeled">
+							<span class="ui label">超过</span>
+							<digit-input name="tcpDenyNewConnectionsRate" v-model="config.tcp.denyNewConnectionsRate" maxlength="6" size="6" style="width: 6em" :min="defaultConfigs.tcpDenyNewConnectionsMinRate"></digit-input>
+							<span class="ui label">个新连接/每分钟</span>
+						</div>
+					</div>
+					<div class="ui field" style="line-height: 2.4em">
+						屏蔽
+					</div>
+					<div class="ui field">
+						<div class="ui input right labeled">
+							<digit-input name="tcpDenyNewConnectionsRateTimeout" v-model="config.tcp.denyNewConnectionsRateTimeout" maxlength="6" size="6" style="width: 5em"></digit-input>
+							<span class="ui label">秒</span>
+						</div>
+					</div>
+				</div>
+			
+				<p class="comment">单个IP可以如果在单位时间内创建的TCP连接数超过这个值，就自动加入到<code-label>nftables</code-label>黑名单中。如果为0，则默认为{{defaultConfigs.tcpDenyNewConnectionsRate}}；最小值为{{defaultConfigs.tcpDenyNewConnectionsMinRate}}；默认屏蔽{{defaultConfigs.tcpDenyNewConnectionsRateTimeout}}秒。</p>
+			</td>
+		</tr>
 		<tr>
 			<td>TCP端口列表</td>
 			<td>
diff --git a/web/views/@default/clusters/logs/index.html b/web/views/@default/clusters/logs/index.html
index 9d488ae7..5a707199 100644
--- a/web/views/@default/clusters/logs/index.html
+++ b/web/views/@default/clusters/logs/index.html
@@ -52,7 +52,7 @@
     <second-menu v-if="logs.length > 0">
         <a href="" class="item" @click.prevent="updatePageRead()">[本页已读]</a>
         <a href="" class="item" @click.prevent="updateAllRead()">[全部已读]</a>
-        <a href="" class="item" @click.prevent="updateNodeRead(firstUnreadNode.id)" v-if="firstUnreadNode != null">["{{firstUnreadNode.name}}"已读]</a>
+        <a href="" class="item" @click.prevent="updateNodeRead(firstUnreadNode.id)" v-if="firstUnreadNode != null">["{{firstUnreadNode.name}}"节点已读]</a>
     </second-menu>
 </div>
 
