Untitled
a guest
Dec 12th, 2019
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# These options also use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1"; those features will then not work
# and you will not be protected from the attacks that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "3"

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"
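The warning above is easiest to appreciate by reproducing it. The script below is an added example (not code from csf, lfd or ConfigServer) that binds a throw-away unix datagram socket in place of /dev/log, injects a forged sshd failure the way logger(1) would, formats it the way a traditional rsyslog template does, and runs an sshd-failure matcher of the kind lfd relies on. The regex, hostname, PID and socket modes are this example's assumptions, and 203.0.113.5 is a documentation address. It finishes by showing the one thing RESTRICT_SYSLOG=3 changes on the socket: the world-writable bit.

```python
"""Added example, not csf's or lfd's own code: why RESTRICT_SYSLOG matters.

Anything that can write to the syslog unix socket can produce a line that is
byte-for-byte identical to a real sshd failure once the daemon has formatted
it. This script binds a throw-away AF_UNIX datagram socket in place of
/dev/log, sends a spoofed datagram the way logger(1) would, formats the result
the way a traditional rsyslog template does, and runs a matcher modelled on
the kind of pattern lfd applies to sshd failures. The regex, the hostname
and the socket modes are assumptions for illustration; 203.0.113.5 is a
documentation address.
"""
import os
import re
import socket
import stat
import tempfile
import time

# Assumed, simplified sshd failed-login pattern (lfd's real regexes are not
# reproduced here). A spoofed and a genuine line match it identically.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)


def build_syslog_datagram(tag: str, pid: int, msg: str,
                          facility: int = 10, severity: int = 6) -> bytes:
    """Encode <PRI>tag[pid]: msg as logger(1) does. PRI = facility*8+severity;
    10 is authpriv and 6 is info in RFC 3164 numbering."""
    return f"<{facility * 8 + severity}>{tag}[{pid}]: {msg}".encode()


def rsyslog_format(datagram: bytes, host: str = "web01") -> str:
    """Render a datagram as the daemon would write it to /var/log/secure.
    The daemon sees only the bytes; it cannot tell which process sent them."""
    body = datagram.decode().split(">", 1)[1]
    return f"{time.strftime('%b %d %H:%M:%S')} {host} {body}"


def lfd_would_block(line: str):
    """Return (user, ip) if the line looks like an sshd failure, else None."""
    m = SSHD_FAIL.search(line)
    return (m.group(1), m.group(2)) if m else None


def world_writable(mode: int) -> bool:
    """The permission bit RESTRICT_SYSLOG=3 removes from the socket."""
    return bool(mode & stat.S_IWOTH)


def demo() -> dict:
    # Constructed spoof: what an unprivileged user's script could send.
    spoofed = build_syslog_datagram(
        "sshd", 4242, "Failed password for root from 203.0.113.5 port 51234 ssh2")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")
        receiver = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        receiver.bind(path)
        try:
            os.chmod(path, 0o666)            # how /dev/log is normally created
            default_mode = os.stat(path).st_mode
            sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            sender.sendto(spoofed, path)     # no privilege needed at this point
            sender.close()
            line = rsyslog_format(receiver.recv(4096))
            # RESTRICT_SYSLOG=3: group-only write access. On a real system lfd
            # pairs this with chgrp to RESTRICT_SYSLOG_GROUP, skipped here.
            os.chmod(path, 0o660)
            restricted_mode = os.stat(path).st_mode
        finally:
            receiver.close()
    return {
        "logged_line": line,
        "match": lfd_would_block(line),
        "writable_by_anyone_before": world_writable(default_mode),
        "writable_by_anyone_after": world_writable(restricted_mode),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as any unprivileged user. The matcher returns ("root", "203.0.113.5") for the forged line exactly as it would for a genuine one, which is the false-positive path the warning describes; the only defence that does not also disable the feature is the socket permission change, which is what RESTRICT_SYSLOG=3 and RESTRICT_SYSLOG_GROUP implement.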

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Port ranges in the following comma separated lists can be given using a
# colon (e.g. 30000:35000).

# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source port 53;
#
# This pins the source port of the server's own outgoing queries to 53 so
# that, without connection tracking, the replies arrive on a port that is
# open in UDP_IN
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"

# Allow outgoing TCP ports
TCP_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,40000:42000"

# Allow incoming UDP ports
UDP_IN = "20,21,53,5001:5209,12000:12100,40000:42000"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,5001:5209,12000:12100,40000:42000"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# rate-limits PING requests; when the rate is exceeded, the excess packets are
# silently rejected. Disable or increase this value if you are seeing PING
# drops that you do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate for PING requests. This
# rate-limits PING requests; when the rate is exceeded, the excess packets are
# silently rejected. Disable or increase this value if you are seeing PING
# drops that you do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"

# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and it can impact network performance, so it should be left disabled by
# everyone else
ICMP_TIMESTAMPDROP = "0"

###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled:
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"

# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1"; this may break
# some connection types
IPV6_ICMP_STRICT = "0"

# On pre v2.6.20 kernels this option must be set to "0" as no working state
# module is present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source-v6 port 53;
#
# This pins the source port of the server's own outgoing IPv6 queries to 53 so
# that, without connection tracking, the replies arrive on a port that is
# open in UDP6_IN
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

# Allow incoming IPv6 TCP ports
TCP6_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,33434:33523,40000:42000"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53,5001:5209,12000:12100,40000:42000"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123,5001:5209,12000:12100,33434:33523,40000:42000"
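Both the IPv4 and IPv6 sections use the same list syntax (comma separated items, ranges written lo:hi). The following is an added example, not part of csf, that parses that syntax with validation, loads the four TCP lists exactly as they appear above, and answers the questions a reviewer would ask of them: how many inbound TCP ports are open, which of a small set of sensitive services are among them, and whether the v4 and v6 lists agree. The SENSITIVE mapping of port to service is this example's assumption, not a csf list.

```python
"""Added example, not part of csf: a parser and audit for the port lists used
by TCP_IN/TCP_OUT/UDP_IN/UDP_OUT and their IPv6 twins. Syntax as documented on
this page: comma separated items, ranges written lo:hi. SAMPLE_CONF carries the
four TCP lists exactly as they appear in the config; the SENSITIVE mapping is
this reviewer's assumption about services that rarely belong on a public port,
not a csf list.
"""
import re
from typing import Dict, List, Set, Tuple

PORT_ITEM = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")
ASSIGNMENT = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')

SAMPLE_CONF = '''
TCP_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"
TCP_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,40000:42000"
TCP6_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"
TCP6_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,33434:33523,40000:42000"
'''

# Assumed port-to-service mapping, used only by the audit.
SENSITIVE = {3306: "mysql", 10000: "webmin", 2812: "monit"}


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'20:22,25' -> [(20, 22), (25, 25)]; rejects malformed or reversed items."""
    ranges = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        m = PORT_ITEM.match(item)
        if not m:
            raise ValueError(f"malformed port item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port item out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    return ranges


def expand(ranges: List[Tuple[int, int]]) -> Set[int]:
    """Every individual port covered by the parsed ranges."""
    return {p for lo, hi in ranges for p in range(lo, hi + 1)}


def load_lists(conf_text: str) -> Dict[str, Set[int]]:
    """Collect every *_IN / *_OUT assignment from csf.conf text as a port set."""
    out = {}
    for line in conf_text.splitlines():
        m = ASSIGNMENT.match(line)
        if m and (m.group(1).endswith("_IN") or m.group(1).endswith("_OUT")):
            out[m.group(1)] = expand(parse_ports(m.group(2)))
    return out


def audit(conf_text: str) -> dict:
    """What a reviewer asks of the lists: how wide is the inbound surface,
    which sensitive services are reachable, and do v4 and v6 policies agree."""
    lists = load_lists(conf_text)
    tcp_in, tcp6_in = lists["TCP_IN"], lists["TCP6_IN"]
    tcp_out, tcp6_out = lists["TCP_OUT"], lists["TCP6_OUT"]
    return {
        "inbound_tcp_ports": len(tcp_in),
        "sensitive_inbound": {p: SENSITIVE[p] for p in sorted(tcp_in) if p in SENSITIVE},
        "v6_in_matches_v4": tcp_in == tcp6_in,
        "v6_out_extra": sorted(tcp6_out - tcp_out),
        "v4_out_extra": sorted(tcp_out - tcp6_out),
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_CONF).items():
        print(f"{k}: {v}")
```

On the lists above it reports 3759 inbound TCP ports, with 3306, 10000 and 2812 among them on both IPv4 and IPv6, and that TCP6_OUT allows the traceroute range 33434:33523 while TCP_OUT does not. Whether a database or admin panel port should be reachable from any address, and whether the v4/v6 asymmetry is intended, are the questions to take back to whoever owns the host.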

###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = "eth0"

# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
#ETH6_DEVICE = "eth0"

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"

# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"

# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"

# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IPs allowed through the
# firewall from infected PCs could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "1"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"

# Limit the number of IPs kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed.
# If the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "200"

# Limit the number of IPs kept in the temporary IP ban list. If the limit is
# reached the oldest IPs in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
# and then restored where possible to provide a near instant firewall
# startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
# BOGON, TOR are loaded using this method in a fraction of the time than if
# this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"

# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages; some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "1"

# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"

# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"

# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"

# If you enable this option then whenever a CLI request to restart csf is used
# lfd will restart csf instead within LF_PARSE seconds
#
# This feature can be helpful for restarting configurations that cannot use
# FASTSTART
LFDSTART = "0"

# Enable verbose output of iptables commands
VERBOSE = "1"

# Drop out of order packets and packets in an INVALID state in iptables
# connection tracking
PACKET_FILTER = "1"

# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
LF_LOOKUPS = "1"

# Custom styling is possible in the csf UI. See the readme.txt for more
# information under "UI skinning and Mobile View"
#
# This option enables the use of custom styling. If the styling fails to work
# correctly, e.g. custom styling does not take into account a change in the
# standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"

# This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"

###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection provided by WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module, which must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "admin,mail,mailman"
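The SMTP_* options above describe an egress policy built on the iptables owner match. The following added example (not csf's own code; csf's chain layout is not shown on this page) renders that policy as iptables rule arguments from the same option values so the bypass logic can be read: loopback first if SMTP_ALLOWLOCAL, then root and each SMTP_ALLOWUSER/SMTP_ALLOWGROUP entry, then log and drop; with SMTP_REDIRECT the same bypass list is repeated in the nat table, where the REDIRECT decision is taken before the filter table sees the packet. Chain names, the LOG prefix and the rule order are this example's assumptions.

```python
"""Added example, not csf's own code: the iptables rules the SMTP_* options
describe, rendered as argument strings so the owner-match logic can be read
and checked. Chain names SMTP_BLOCK/SMTP_REDIRECT, the LOG prefix and the rule
order are this example's assumptions; csf's real chain layout is not on the
page. Only standard iptables pieces are used: the owner (xt_owner) match, the
multiport match and the nat REDIRECT target.
"""
from typing import Dict, List


def _csv(value: str) -> List[str]:
    """Split a csf comma separated value, dropping blanks (SMTP_ALLOWUSER = "")."""
    return [v.strip() for v in value.split(",") if v.strip()]


def smtp_rules(SMTP_PORTS: str = "25,465,587", SMTP_ALLOWLOCAL: bool = True,
               SMTP_REDIRECT: bool = False, SMTP_ALLOWUSER: str = "",
               SMTP_ALLOWGROUP: str = "admin,mail,mailman") -> Dict[str, List[str]]:
    """Return {'filter': [...], 'nat': [...]} iptables argument strings."""
    match = f"-p tcp -m multiport --dports {SMTP_PORTS}"
    bypass = [("--uid-owner", "0")]                      # root is always allowed
    bypass += [("--uid-owner", u) for u in _csv(SMTP_ALLOWUSER)]
    bypass += [("--gid-owner", g) for g in _csv(SMTP_ALLOWGROUP)]

    flt = ["-N SMTP_BLOCK", f"-A OUTPUT {match} -j SMTP_BLOCK"]
    if SMTP_ALLOWLOCAL:
        flt.append("-A SMTP_BLOCK -o lo -j RETURN")      # webmail/scripts to 127.0.0.1
    for flag, who in bypass:
        flt.append(f"-A SMTP_BLOCK -m owner {flag} {who} -j RETURN")
    flt.append('-A SMTP_BLOCK -j LOG --log-prefix "SMTP_BLOCK: "')
    flt.append("-A SMTP_BLOCK -j DROP")                  # everyone else: no direct SMTP

    nat: List[str] = []
    if SMTP_REDIRECT:
        # For locally generated packets the nat OUTPUT chain runs before the
        # filter OUTPUT chain, so the bypass list must be repeated here or the
        # MTA's own deliveries would be redirected back to itself. A REDIRECTed
        # packet is re-routed via lo, so it then passes the filter chain through
        # the SMTP_ALLOWLOCAL rule.
        nat = ["-t nat -N SMTP_REDIRECT",
               f"-t nat -A OUTPUT ! -o lo {match} -j SMTP_REDIRECT"]
        for flag, who in bypass:
            nat.append(f"-t nat -A SMTP_REDIRECT -m owner {flag} {who} -j RETURN")
        nat.append("-t nat -A SMTP_REDIRECT -j REDIRECT --to-ports 25")
    return {"filter": flt, "nat": nat}


def as_commands(rules: Dict[str, List[str]]) -> List[str]:
    """Prefix every rule with the binary, filter table first, then nat."""
    return [f"iptables {r}" for r in rules["filter"] + rules["nat"]]


if __name__ == "__main__":
    print("\n".join(as_commands(smtp_rules(SMTP_REDIRECT=True))))
```

The rules are emitted as strings rather than applied, so the script runs anywhere. Apply them to a test host only after /etc/csf/csftest.pl has confirmed the owner module is available, as the comment above advises; a missing xt_owner turns every bypass rule into a load error and leaves the policy half-installed.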
  487. api_paste_code=
  488. api_paste_code=# This option will only allow SMTP AUTH to be advertised to the IP addresses
  489. api_paste_code=# listed in /etc/csf/csf.smtpauth on EXIM mail servers
  490. api_paste_code=#
  491. api_paste_code=# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
  492. api_paste_code=# additionally restrict access to specific countries
  493. api_paste_code=#
  494. api_paste_code=# This is to help limit attempts at distributed attacks against SMTP AUTH which
  495. api_paste_code=# are difficult to achive since port 25 needs to be open to relay email
  496. api_paste_code=#
  497. api_paste_code=# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
  498. api_paste_code=# connection, then SMTP AUTH will not accept logins, defeating the attacks
  499. api_paste_code=# without restricting mail relaying
  500. api_paste_code=#
  501. api_paste_code=# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
  502. api_paste_code=# that the lookup file in /etc/exim.smtpauth is regenerated from the
  503. api_paste_code=# information from /etc/csf/csf.smtpauth plus any countries listed in
  504. api_paste_code=# CC_ALLOW_SMTPAUTH
  505. api_paste_code=#
  506. api_paste_code=# NOTE: To make this option work you MUST make the modifications to exim.conf
  507. api_paste_code=# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
  508. api_paste_code=# after enabling the option here, otherwise this option will not work
  509. api_paste_code=#
  510. api_paste_code=# To enable this option, set to 1 and make the exim configuration changes
  511. api_paste_code=# To disable this option, set to 0 and undo the exim configuration changes
  512. api_paste_code=SMTPAUTH_RESTRICT = "0"
  513. api_paste_code=
###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
CONNLIMIT = ""

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = ""
# PORTFLOOD = "21;tcp;10;60,53;tcp;10;60,80;tcp;10;60,443;tcp;10;60"
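
# Added example (not csf's own code): a parser for the PORTFLOOD entry syntax
# shown above ("port;protocol;hits;interval", comma separated) plus a sliding
# window replay of constructed connection attempts, so an admin can see which
# attempt would trip a rule before enabling it. Reading the syntax as "block
# once more than `hits` new connections arrive within `interval` seconds" is
# an assumption taken from the comment above, not from csf's source.

```python
"""Parse csf PORTFLOOD entries and replay constructed connection attempts.

Added example, not part of csf. It models the documented semantics of one
entry, port;protocol;hits;interval, as a sliding window over timestamps.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class PortFloodRule:
    port: int
    proto: str      # "tcp" or "udp"
    hits: int       # new connections tolerated inside the window
    interval: int   # window length in seconds


def parse_portflood(value: str) -> list[PortFloodRule]:
    """Parse a PORTFLOOD value such as "21;tcp;10;60,80;tcp;10;60".

    Raises ValueError on malformed entries so a bad line is caught before it
    reaches iptables.
    """
    rules: list[PortFloodRule] = []
    value = value.strip()
    if not value:                      # PORTFLOOD = "" disables the feature
        return rules
    for entry in value.split(","):
        fields = entry.strip().split(";")
        if len(fields) != 4:
            raise ValueError(f"PORTFLOOD entry needs 4 ';' fields: {entry!r}")
        port, proto, hits, interval = fields
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {entry!r}")
        port_n, hits_n, interval_n = int(port), int(hits), int(interval)
        if not 1 <= port_n <= 65535 or hits_n < 1 or interval_n < 1:
            raise ValueError(f"out-of-range number in {entry!r}")
        rules.append(PortFloodRule(port_n, proto, hits_n, interval_n))
    return rules


class PortFloodTracker:
    """Sliding-window counter per (source IP, port, protocol).

    Assumption: a source is flagged when it opens more than `hits` new
    connections to a guarded port within `interval` seconds.
    """

    def __init__(self, rules: list[PortFloodRule]) -> None:
        self.rules = {(r.port, r.proto): r for r in rules}
        self.windows: dict[tuple, deque] = defaultdict(deque)

    def connection(self, ts: float, src_ip: str, port: int, proto: str) -> bool:
        """Record one new connection; return True if it should be blocked."""
        rule = self.rules.get((port, proto.lower()))
        if rule is None:               # port not covered by PORTFLOOD
            return False
        q = self.windows[(src_ip, port, proto.lower())]
        q.append(ts)
        while q and ts - q[0] > rule.interval:   # expire old timestamps
            q.popleft()
        return len(q) > rule.hits


def replay(value: str, events: list[tuple[float, str, int, str]]) -> list[int]:
    """Return the indexes of the constructed events that would be blocked."""
    tracker = PortFloodTracker(parse_portflood(value))
    return [i for i, (ts, ip, port, proto) in enumerate(events)
            if tracker.connection(ts, ip, port, proto)]


if __name__ == "__main__":
    # Constructed sample: 11 connections to port 80 inside one minute from
    # one address, then one more after the window has expired.
    sample = [(float(i), "198.51.100.7", 80, "tcp") for i in range(11)]
    sample.append((100.0, "198.51.100.7", 80, "tcp"))
    print(replay("21;tcp;10;60,53;tcp;10;60,80;tcp;10;60,443;tcp;10;60", sample))
```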


# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"

###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"

# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = "admin@edu.ryukyu"

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = "csf@localhost"

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

# Block Reporting. lfd can run an external script when it performs an IP
# address block following, for example, a login failure. The following setting
# is the full path of the external script, which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""

# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""

# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably be reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"

###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
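
# Added example (not csf's own code): a small reader for the KEY = "value"
# line format used by csf.conf, the interval sanity check stated above
# (LF_PERMBLOCK_INTERVAL >= LF_PERMBLOCK_COUNT x longest temporary TTL), and a
# replay of constructed temporary-block events showing when an address would be
# escalated to a permanent block. The longest temporary TTL is supplied by the
# caller because the options that define it are not in this section.

```python
"""Model csf's temp-to-perm escalation (LF_PERMBLOCK*) and its interval check.

Added example, not csf's own code. It reads the KEY = "value" lines used by
csf.conf; the longest temporary block TTL is an input, not read from the file.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque

# One csf.conf setting line: NAME = "value" (value may be empty).
_SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')

# Constructed excerpt in csf.conf format (the values above, for the demo).
SAMPLE_CONF = """\
# constructed excerpt, same values as the section above
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"
"""


def parse_csf_conf(text: str) -> dict[str, str]:
    """Return {NAME: value} for every setting line; comments are skipped."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SETTING.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def permblock_interval_ok(conf: dict[str, str], longest_ttl: int) -> tuple[bool, int]:
    """Apply the rule from the comment: the interval must be at least
    LF_PERMBLOCK_COUNT times the longest temporary block TTL (seconds).

    Returns (ok, minimum_interval) so a caller can report the shortfall.
    """
    count = int(conf.get("LF_PERMBLOCK_COUNT", "0"))
    interval = int(conf.get("LF_PERMBLOCK_INTERVAL", "0"))
    minimum = count * longest_ttl
    return interval >= minimum, minimum


class PermBlockTracker:
    """Escalate an IP to a permanent block once it has been temporarily
    blocked more than LF_PERMBLOCK_COUNT times within LF_PERMBLOCK_INTERVAL
    seconds (sliding window over temporary-block timestamps)."""

    def __init__(self, conf: dict[str, str]) -> None:
        self.enabled = conf.get("LF_PERMBLOCK") == "1"
        self.count = int(conf.get("LF_PERMBLOCK_COUNT", "0"))
        self.interval = int(conf.get("LF_PERMBLOCK_INTERVAL", "0"))
        self.history: dict[str, deque] = defaultdict(deque)
        self.permanent: set[str] = set()

    def temp_block(self, ts: float, ip: str) -> bool:
        """Record a temporary block of ip at time ts; True if ip is now
        permanently blocked."""
        if not self.enabled:
            return False
        if ip in self.permanent:
            return True
        q = self.history[ip]
        q.append(ts)
        while q and ts - q[0] > self.interval:   # drop events outside window
            q.popleft()
        if len(q) > self.count:                  # "more than COUNT times"
            self.permanent.add(ip)
            return True
        return False


if __name__ == "__main__":
    conf = parse_csf_conf(SAMPLE_CONF)
    # Constructed: assume the longest temporary block TTL is one hour.
    print(permblock_interval_ok(conf, 3600))
    tracker = PermBlockTracker(conf)
    # Constructed: five temporary blocks of one address within an hour.
    print([tracker.temp_block(t, "203.0.113.9") for t in (0, 900, 1800, 2700, 3600)])
```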

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an effective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C"; care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPV6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""

###############################################################################
# SECTION:Global Lists/DYNDNS/Blocklists
###############################################################################
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"

# The following Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IPs is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IPs that lfd should ignore
LF_GLOBAL = "0"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""

# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""

# Set the following to the number of seconds to poll for a change in the IP
# address resolved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"

# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"

# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g. "eth1,eth2")
LF_BOGON_SKIP = ""

# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URLs,
# which also needs the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
#
# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
# apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
# perl -MCPAN -eshell
# cpan> install LWP LWP::Protocol::https
#
# We recommend setting this to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com and
# https://download2.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"

# If you need csf/lfd to use a proxy, then you can set this option to the URL
# of the proxy. The proxy provided will be used for both HTTP and HTTPS
# connections
URLPROXY = ""

###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISPs (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN;
# then only countries listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow allowing of IP addresses
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here; then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CCs
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achieve since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact on SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set
# this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
  1011. api_paste_code=# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
  1012. api_paste_code=# uses a URL-based lookup from a third-party provider at https://freegeoip.net
  1013. api_paste_code=# and so avoids having to download and process the large databases. Please
  1014. api_paste_code=# visit the https://freegeoip.net and read their limitations and respect that
  1015. api_paste_code=# this option will either cease to function or be removed by us if that site is
  1016. api_paste_code=# abused or overloaded. ONLY use this option if you have difficulties using the
  1017. api_paste_code=# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
  1018. api_paste_code=# CC_* options above, which will continue to use the MaxMind databases
  1019. api_paste_code=#
  1020. api_paste_code=CC_LOOKUPS = "1"
  1021. api_paste_code=
  1022. api_paste_code=# Display Country Code and Country for reported IPv6 addresses using the
  1023. api_paste_code=# MaxMind Country IPv6 Database
  1024. api_paste_code=#
  1025. api_paste_code=# "0" - disable
  1026. api_paste_code=# "1" - enable and report the detail level as specified in CC_LOOKUPS
  1027. api_paste_code=#
  1028. api_paste_code=# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
  1029. api_paste_code=# PORTFLOOD
  1030. api_paste_code=CC6_LOOKUPS = "0"
  1031. api_paste_code=
  1032. api_paste_code=# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
  1033. api_paste_code=# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
  1034. api_paste_code=# days)
  1035. api_paste_code=CC_INTERVAL = "14"
  1036. api_paste_code=
###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an IP address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

# [*]Enable login failure detection of VestaCP connections
LF_VESTA = "5"
LF_VESTA_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects hits from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably be set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"

# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"

# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"

# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"

# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4 the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"

# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour, the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER"
LF_EXPLOIT_IGNORE = ""

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

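The interaction between LF_TRIGGER, the per-application LF_* thresholds, LF_*_PERM / LF_TRIGGER_PERM, LF_SELECT and the LF_INTERVAL window described in this section, as an added model (not lfd's own code): failures are counted per IP in a sliding window of LF_INTERVAL seconds, and either each application's threshold or the cumulative LF_TRIGGER total decides when and for how long a block is issued. The configuration values and failure events are constructed samples.

```python
from collections import defaultdict, deque

# Constructed csf.conf-style settings; values mirror the options explained above.
DEFAULT_CONF = {
    "LF_TRIGGER": "0",        # "0" = per-application thresholds, >0 = cumulative
    "LF_TRIGGER_PERM": "1",   # used only when LF_TRIGGER > 0
    "LF_SELECT": "0",         # "1" = block only the failed application's PORTS_*
    "LF_INTERVAL": "3600",    # window in seconds that failures are counted within
    "LF_SSHD": "5",      "LF_SSHD_PERM": "1",
    "LF_FTPD": "10",     "LF_FTPD_PERM": "1",
    "LF_SMTPAUTH": "5",  "LF_SMTPAUTH_PERM": "1800",
}


class FailureTracker:
    """Sliding-window model of the LF_* trigger logic (hypothetical, not lfd's code)."""

    def __init__(self, conf):
        self.conf = conf
        self.trigger = int(conf["LF_TRIGGER"])
        self.interval = int(conf["LF_INTERVAL"])
        self.failures = defaultdict(deque)   # ip -> deque of (timestamp, application)

    def record(self, ts, ip, app):
        """Record one failure for (ip, app) at Unix time ts.

        Returns None if no block is due, otherwise a dict describing the block.
        """
        app_trigger = int(self.conf.get(f"LF_{app}", "0"))
        if app_trigger == 0:
            return None                      # "0" disables detection for this app

        window = self.failures[ip]
        window.append((ts, app))
        while window and ts - window[0][0] > self.interval:
            window.popleft()                 # forget failures older than LF_INTERVAL

        if self.trigger == 0:
            # Per-application mode: LF_<APP> is the threshold, LF_<APP>_PERM the duration.
            count = sum(1 for _, a in window if a == app)
            if count < app_trigger:
                return None
            perm = int(self.conf[f"LF_{app}_PERM"])
            scope = "application" if self.conf["LF_SELECT"] == "1" else "ip"
            reason = app
        else:
            # Cumulative mode: LF_<APP> is only on/off, LF_TRIGGER is the total threshold.
            if len(window) < self.trigger:
                return None
            perm = int(self.conf["LF_TRIGGER_PERM"])
            scope = "ip"                     # LF_SELECT requires LF_TRIGGER = "0"
            reason = "cumulative"

        window.clear()                       # the block resets the count for this IP
        return {
            "ip": ip,
            "reason": reason,
            "scope": scope,
            "duration": "permanent" if perm == 1 else perm,   # >1 means seconds
        }


def replay(conf, events):
    """Feed (ts, ip, app) events through a tracker; return the list of blocks issued."""
    tracker = FailureTracker(conf)
    blocks = []
    for ts, ip, app in events:
        decision = tracker.record(ts, ip, app)
        if decision is not None:
            blocks.append(decision)
    return blocks


if __name__ == "__main__":
    # Constructed sample: five sshd failures from one address within the hour.
    sample = [(t, "203.0.113.7", "SSHD") for t in range(0, 500, 100)]
    for block in replay(DEFAULT_CONF, sample):
        print(block)
```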
# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"

# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

# By default csf will create both inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IPs and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
#
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

###############################################################################
# SECTION:CloudFlare
###############################################################################
# This feature provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IPs. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attacker's
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons)
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides additional CLI (and UI) commands
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"

###############################################################################
# SECTION:Directory Watching