###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# When set to "1", the option RESTRICT_SYSLOG disables all the features that
# rely on affected logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# The following options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1"; those features will then not
# work, but you will also not be protected from the attacks they normally help
# block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "3"

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers (if they exist) to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog, and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"
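#
# Added example (not csf code and not part of this configuration): a Python
# script illustrating the SECURITY WARNING above. It builds a syslog datagram
# shaped like an sshd authentication failure, which any local account that can
# write to the syslog unix socket could inject, and it checks whether that
# socket is still world-writable, i.e. whether RESTRICT_SYSLOG = "3" has taken
# effect. The socket path /dev/log, the fake PID, the message text and the
# throwaway socket used for the offline demonstration are this example's own
# assumptions; lfd's real matching patterns are not reproduced.

```python
import grp
import os
import socket
import stat
import tempfile

# Added example for the csf.conf SECURITY WARNING; not csf code.
SYSLOG_SOCKET = "/dev/log"   # assumed; rsyslog may also listen elsewhere


def spoofed_sshd_failure(attacker_ip: str) -> bytes:
    """Build a syslog datagram shaped like an sshd authentication failure.

    PRI = facility*8 + severity: authpriv (10) and info (6) give <86>, so the
    line is routed to the auth log like a genuine sshd message. The body text
    is constructed for this example.
    """
    body = f"sshd[4242]: Failed password for root from {attacker_ip} port 51234 ssh2"
    return f"<86>{body}".encode()


def send_to_syslog(datagram: bytes, path: str = SYSLOG_SOCKET) -> bool:
    """Deliver one datagram to a syslog unix socket. Returns False when the
    socket is missing or the caller lacks write permission, which is what an
    ordinary user should see once RESTRICT_SYSLOG = "3" is in effect."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(path)
        s.send(datagram)
        return True
    except OSError:
        return False
    finally:
        s.close()


def world_writable(path: str) -> bool:
    """True when 'other' has the write bit on the socket, i.e. any local
    account can still spoof log lines."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a unix socket")
    return bool(st.st_mode & stat.S_IWOTH)


def audit_syslog_socket(path: str = SYSLOG_SOCKET, expected_group: str = "mysyslog") -> dict:
    """Report mode, owning group and whether the RESTRICT_SYSLOG_GROUP
    restriction appears to be applied to the socket."""
    st = os.stat(path)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "group": group,
        "world_writable": world_writable(path),
        "restricted": group == expected_group and not world_writable(path),
    }


def demo_on_temp_socket() -> dict:
    """Offline demonstration on a throwaway datagram socket: compare the usual
    world-writable state (0666) with a group-restricted one (0660), and show
    that the socket owner can still deliver the spoofed line."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "dev-log")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    srv.settimeout(2)
    try:
        os.chmod(path, 0o666)
        before = world_writable(path)
        os.chmod(path, 0o660)
        after = world_writable(path)
        delivered = send_to_syslog(spoofed_sshd_failure("203.0.113.5"), path)
        received = srv.recv(1024) if delivered else b""
        return {"world_writable_before": before, "world_writable_after": after,
                "delivered_as_owner": delivered, "received": received,
                "audit": audit_syslog_socket(path, "nosuchgroup")}
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    print(demo_on_temp_socket())
    if os.path.exists(SYSLOG_SOCKET):
        print(audit_syslog_socket())
```

# Run as an unprivileged user after enabling RESTRICT_SYSLOG = "3" and
# restarting lfd: audit_syslog_socket() should report the socket group as
# RESTRICT_SYSLOG_GROUP with world_writable False, and
# send_to_syslog(spoofed_sshd_failure("203.0.113.5")) should return False for
# any account that is not in that group.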

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and, if any of the
# restricted items need to be changed, making those changes from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf/lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Port ranges in the following comma separated lists can be specified using a
# colon (e.g. 30000:35000).

# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source port 53;
#
# This makes named send its own queries from port 53, so the replies arrive on
# port 53 (which is open) rather than on a random high port. Note that a fixed
# query source port removes the source-port randomisation that protects a
# resolver against cache poisoning, so only use it when a static firewall
# leaves no alternative
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"

# Allow outgoing TCP ports
TCP_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,40000:42000"

# Allow incoming UDP ports
UDP_IN = "20,21,53,5001:5209,12000:12100,40000:42000"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,5001:5209,12000:12100,40000:42000"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# rate-limits PING requests; packets over the limit are silently dropped.
# Disable or increase this value if you are seeing PING drops that you do not
# want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate for PING requests. This
# rate-limits PING requests; packets over the limit are silently dropped.
# Disable or increase this value if you are seeing PING drops that you do not
# want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"

# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and it can impact network performance, so it should be left disabled by
# everyone else
ICMP_TIMESTAMPDROP = "0"

###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled:
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"

# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1", but this may
# break some connection types
IPV6_ICMP_STRICT = "0"

# Pre v2.6.20 kernels must have this option set to "0" as no working state
# module is present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source-v6 port 53;
#
# This makes named send its ipv6 queries from port 53 so that replies arrive on
# the open port 53 (with the same loss of source-port randomisation noted for
# LF_SPI above)
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

# Allow incoming IPv6 TCP ports
TCP6_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,33434:33523,40000:42000"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53,5001:5209,12000:12100,40000:42000"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123,5001:5209,12000:12100,33434:33523,40000:42000"
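#
# Added example (not csf code and not part of this configuration): a Python
# parser and audit for the port-list syntax used by the TCP_IN/TCP_OUT/UDP_IN/
# UDP_OUT options and their IPv6 counterparts above. It validates each entry
# (single port or lo:hi range), expands ranges, flags overlapping entries, and
# compares the IPv4 and IPv6 inbound lists so that a port opened on one address
# family but not the other stands out. The TCP_IN value is copied from this
# file; the SENSITIVE table of well-known service ports is the example's own
# assumption, not something csf ships.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example for the csf.conf port settings; not csf code.
PORT_ITEM = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")

# Copied from this file (TCP_IN and TCP6_IN are identical here).
TCP_IN_FROM_PAGE = ("20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,"
                    "2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,"
                    "35000:35999,37210,40000:42000,59999:60300")
TCP6_IN_FROM_PAGE = TCP_IN_FROM_PAGE

# Example's own table of default ports for services that rarely need to be
# reachable from the whole internet (assumption, not csf data).
SENSITIVE = {22: "ssh", 2222: "ssh (alternate) / DirectAdmin", 2812: "monit",
             3306: "mysql", 10000: "webmin"}


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'20:22,25,53' -> [(20, 22), (25, 25), (53, 53)].

    Rejects non-numeric entries, ports outside 1..65535 and reversed ranges,
    all of which iptables would refuse as well.
    """
    ranges: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # an empty list ("") is valid and means no ports
        m = PORT_ITEM.match(item)
        if not m:
            raise ValueError(f"bad port entry: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    return ranges


def is_valid(spec: str) -> bool:
    """Validate a value before writing it into csf.conf."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def expand(ranges: List[Tuple[int, int]]) -> Set[int]:
    """Every individual port covered by the list."""
    return {p for lo, hi in ranges for p in range(lo, hi + 1)}


def overlapping(ranges: List[Tuple[int, int]]) -> List[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Adjacent (after sorting) entries that overlap. iptables accepts them,
    but in a hand-maintained list they are usually a typo."""
    s = sorted(ranges)
    return [(a, b) for a, b in zip(s, s[1:]) if b[0] <= a[1]]


def audit(tcp_in: str, tcp6_in: str) -> Dict[str, object]:
    """Compare the IPv4 and IPv6 inbound lists and flag sensitive ports.
    A port open on one family but not the other is how an unintended
    IPv6-only exposure (or gap) usually creeps in."""
    v4, v6 = parse_ports(tcp_in), parse_ports(tcp6_in)
    p4, p6 = expand(v4), expand(v6)
    return {
        "ipv4_open_count": len(p4),
        "only_in_ipv4": sorted(p4 - p6),
        "only_in_ipv6": sorted(p6 - p4),
        "overlaps_v4": overlapping(v4),
        "overlaps_v6": overlapping(v6),
        "sensitive_open": {p: SENSITIVE[p] for p in sorted(p4 & SENSITIVE.keys())},
    }


if __name__ == "__main__":
    for key, value in audit(TCP_IN_FROM_PAGE, TCP6_IN_FROM_PAGE).items():
        print(f"{key}: {value}")
```

# On this file's TCP_IN the audit reports 3759 individual inbound ports, with
# 22, 2222, 2812, 3306 and 10000 among them. Whether MySQL (3306) and Webmin
# (10000) should be reachable from every address on the internet is a decision
# worth making deliberately rather than inheriting from a list like this one.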
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:General Settings
- api_paste_code=###############################################################################
- api_paste_code=# By default, csf will auto-configure iptables to filter all traffic except on
- api_paste_code=# the loopback device. If you only want iptables rules applied to a specific
- api_paste_code=# NIC, then list it here (e.g. eth1, or eth )
- api_paste_code=ETH_DEVICE = "eth0"
- api_paste_code=
- api_paste_code=# By adding a device to this option, ip6tables can be configured only on the
- api_paste_code=# specified device. Otherwise, ETH_DEVICE and then the default setting will be
- api_paste_code=# used
- api_paste_code=#ETH6_DEVICE = "eth0"
- api_paste_code=
- api_paste_code=# If you don't want iptables rules applied to specific NICs, then list them in
- api_paste_code=# a comma separated list (e.g "eth1,eth2")
- api_paste_code=ETH_DEVICE_SKIP = ""
- api_paste_code=
- api_paste_code=# This option should be enabled unless the kernel does not support the
- api_paste_code=# "conntrack" module
- api_paste_code=#
- api_paste_code=# To use the deprecated iptables "state" module, change this to 0
- api_paste_code=USE_CONNTRACK = "1"
- api_paste_code=
- api_paste_code=# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34 )
- api_paste_code=# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
- api_paste_code=# This will also remove the RELATED target from the global state iptables rule
- api_paste_code=#
- api_paste_code=# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
- api_paste_code=# the raw tables do not exist. The USE_CONNTRACK option should be enabled
- api_paste_code=#
- api_paste_code=# To enable this option, set it to your FTP server listening port number
- api_paste_code=# (normally 21), do NOT set it to "1"
- api_paste_code=USE_FTPHELPER = "0"
- api_paste_code=
- api_paste_code=# Check whether syslog is running. Many of the lfd checks require syslog to be
- api_paste_code=# running correctly. This test will send a coded message to syslog every
- api_paste_code=# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
- api_paste_code=# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
- api_paste_code=# syslogalert.txt is sent
- api_paste_code=#
- api_paste_code=# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
- api_paste_code=SYSLOG_CHECK = "0"
- api_paste_code=
- api_paste_code=# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
- api_paste_code=# listed in csf.allow in addition to csf.ignore (the default). This option
- api_paste_code=# should be used with caution as it would mean that IP's allowed through the
- api_paste_code=# firewall from infected PC's could launch attacks on the server that lfd
- api_paste_code=# would ignore
- api_paste_code=IGNORE_ALLOW = "1"
- api_paste_code=
- api_paste_code=# Enable the following option if you want to apply strict iptables rules to DNS
- api_paste_code=# traffic (i.e. relying on iptables connection tracking). Enabling this option
- api_paste_code=# could cause DNS resolution issues both to and from the server but could help
- api_paste_code=# prevent abuse of the local DNS server
- api_paste_code=DNS_STRICT = "0"
- api_paste_code=
- api_paste_code=# Enable the following option if you want to apply strict iptables rules to DNS
- api_paste_code=# traffic between the server and the nameservers listed in /etc/resolv.conf
- api_paste_code=# Enabling this option could cause DNS resolution issues both to and from the
- api_paste_code=# server but could help prevent abuse of the local DNS server
- api_paste_code=DNS_STRICT_NS = "0"
- api_paste_code=
- api_paste_code=# Limit the number of IP's kept in the /etc/csf/csf.deny file
- api_paste_code=#
- api_paste_code=# Care should be taken when increasing this value on servers with low memory
- api_paste_code=# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
- api_paste_code=# thousands) can sometimes cause network slowdown
- api_paste_code=#
- api_paste_code=# The value set here is the maximum number of IPs/CIDRs allowed
- api_paste_code=# if the limit is reached, the entries will be rotated so that the oldest
- api_paste_code=# entries (i.e. the ones at the top) will be removed and the latest is added.
- api_paste_code=# The limit is only checked when using csf -d (which is what lfd also uses)
- api_paste_code=# Set to 0 to disable limiting
- api_paste_code=#
- api_paste_code=# For implementations wishing to set this value significantly higher, we
- api_paste_code=# recommend using the IPSET option
- api_paste_code=DENY_IP_LIMIT = "200"
- api_paste_code=
- api_paste_code=# Limit the number of IP's kept in the temprary IP ban list. If the limit is
- api_paste_code=# reached the oldest IP's in the ban list will be removed and allowed
- api_paste_code=# regardless of the amount of time remaining for the block
- api_paste_code=# Set to 0 to disable limiting
- api_paste_code=DENY_TEMP_IP_LIMIT = "100"
- api_paste_code=
- api_paste_code=# Enable login failure detection daemon (lfd). If set to 0 none of the
- api_paste_code=# following settings will have any effect as the daemon won't start.
- api_paste_code=LF_DAEMON = "1"
- api_paste_code=
- api_paste_code=# Check whether csf appears to have been stopped and restart if necessary,
- api_paste_code=# unless TESTING is enabled above. The check is done every 300 seconds
- api_paste_code=LF_CSF = "1"
- api_paste_code=
- api_paste_code=# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
- api_paste_code=# IP6TABLES_RESTORE in two ways:
- api_paste_code=#
- api_paste_code=# 1. On a clean server reboot the entire csf iptables configuration is saved
- api_paste_code=# and then restored where possible to provide a near instant firewall
- api_paste_code=# startup[*]
- api_paste_code=#
- api_paste_code=# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
- api_paste_code=# BOGON, TOR are loaded using this method in a fraction of the time than if
- api_paste_code=# this setting is disabled
- api_paste_code=#
- api_paste_code=# [*]Not supported on all OS platforms
- api_paste_code=#
- api_paste_code=# Set to "0" to disable this functionality
- api_paste_code=FASTSTART = "1"
- api_paste_code=
- api_paste_code=# This option allows you to use ipset v6 for the following csf options:
- api_paste_code=# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
- api_paste_code=# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
- api_paste_code=#
- api_paste_code=# ipset will only be used with the above options when listing IPs and CIDRs.
- api_paste_code=# Advanced Allow Filters and temporary blocks use traditional iptables
- api_paste_code=#
- api_paste_code=# Using ipset moves the onus of ip matching against large lists away from
- api_paste_code=# iptables rules and to a purpose built and optimised database matching
- api_paste_code=# utility. It also simplifies the switching in of updated lists
- api_paste_code=#
- api_paste_code=# To use this option you must have a fully functioning installation of ipset
- api_paste_code=# installed either via rpm or source from http://ipset.netfilter.org/
- api_paste_code=#
- api_paste_code=# Note: Using ipset has many advantages, some disadvantages are that you will
- api_paste_code=# no longer see packet and byte counts against IPs and it makes identifying
- api_paste_code=# blocked/allowed IPs that little bit harder
- api_paste_code=#
- api_paste_code=# Note: If you mainly use IP address only entries in csf.deny, you can increase
- api_paste_code=# the value of DENY_IP_LIMIT significantly if you wish
- api_paste_code=#
- api_paste_code=# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
- api_paste_code=# containers even if it has been installed
- api_paste_code=#
- api_paste_code=# If you find any problems, please post on forums.configserver.com with full
- api_paste_code=# details of the issue
- api_paste_code=LF_IPSET = "1"
- api_paste_code=
- api_paste_code=# Versions of iptables greater or equal to v1.4.20 should support the --wait
- api_paste_code=# option. This forces iptables commands that use the option to wait until a
- api_paste_code=# lock by any other process using iptables completes, rather than simply
- api_paste_code=# failing
- api_paste_code=#
- api_paste_code=# Enabling this feature will add the --wait option to iptables commands
- api_paste_code=#
- api_paste_code=# NOTE: The disadvantage of using this option is that any iptables command that
- api_paste_code=# uses it will hang until the lock is released. This could cause a cascade of
- api_paste_code=# hung processes trying to issue iptables commands. To try and avoid this issue
- api_paste_code=# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
- api_paste_code=# a failure if reached
- api_paste_code=WAITLOCK = "1"
- api_paste_code=WAITLOCK_TIMEOUT = "300"
- api_paste_code=
- api_paste_code=# The following sets the hashsize for ipset sets, which must be a power of 2.
- api_paste_code=#
- api_paste_code=# Note: Increasing this value will consume more memory for all sets
- api_paste_code=# Default: "1024"
- api_paste_code=LF_IPSET_HASHSIZE = "1024"
- api_paste_code=
- api_paste_code=# The following sets the maxelem for ipset sets.
- api_paste_code=#
- api_paste_code=# Note: Increasing this value will consume more memory for all sets
- api_paste_code=# Default: "65536"
- api_paste_code=LF_IPSET_MAXELEM = "65536"
- api_paste_code=
- api_paste_code=# If you enable this option then whenever a CLI request to restart csf is used
- api_paste_code=# lfd will restart csf instead within LF_PARSE seconds
- api_paste_code=#
- api_paste_code=# This feature can be helpful for restarting configurations that cannot use
- api_paste_code=# FASTSTART
- api_paste_code=LFDSTART = "0"
- api_paste_code=
- api_paste_code=# Enable verbose output of iptables commands
- api_paste_code=VERBOSE = "1"
- api_paste_code=
- api_paste_code=# Drop out of order packets and packets in an INVALID state in iptables
- api_paste_code=# connection tracking
- api_paste_code=PACKET_FILTER = "1"
- api_paste_code=
- api_paste_code=# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
- api_paste_code=LF_LOOKUPS = "1"
- api_paste_code=
- api_paste_code=# Custom styling is possible in the csf UI. See the readme.txt for more
- api_paste_code=# information under "UI skinning and Mobile View"
- api_paste_code=#
- api_paste_code=# This option enables the use of custom styling. If the styling fails to work
- api_paste_code=# correctly, e.g. custom styling does not take into account a change in the
- api_paste_code=# standard csf UI, then disabling this option will return the standard UI
- api_paste_code=STYLE_CUSTOM = "0"
- api_paste_code=
- api_paste_code=# This option disables the presence of the Mobile View in the csf UI
- api_paste_code=STYLE_MOBILE = "1"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:SMTP Settings
- api_paste_code=###############################################################################
- api_paste_code=# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
- api_paste_code=# to use the exim/sendmail binary instead of sockets access). This replaces the
- api_paste_code=# protection as WHM > Tweak Settings > SMTP Tweaks
- api_paste_code=#
- api_paste_code=# This option uses the iptables ipt_owner/xt_owner module and must be loaded
- api_paste_code=# for it to work. It may not be available on some VPS platforms
- api_paste_code=#
- api_paste_code=# Note: Run /etc/csf/csftest.pl to check whether this option will function on
- api_paste_code=# this server
- api_paste_code=SMTP_BLOCK = "0"
- api_paste_code=
- api_paste_code=# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
- api_paste_code=# on the server (e.g. for webmail or web scripts) then enable this option to
- api_paste_code=# allow outgoing SMTP connections to the loopback device
- api_paste_code=SMTP_ALLOWLOCAL = "1"
- api_paste_code=
- api_paste_code=# This option redirects outgoing SMTP connections destined for remote servers
- api_paste_code=# for non-bypass users to the local SMTP server to force local relaying of
- api_paste_code=# email. Such email may require authentication (SMTP AUTH)
- api_paste_code=SMTP_REDIRECT = "0"
- api_paste_code=
- api_paste_code=# This is a comma separated list of the ports to block. You should list all
- api_paste_code=# ports that exim is configured to listen on
- api_paste_code=SMTP_PORTS = "25,465,587"
- api_paste_code=
- api_paste_code=# Always allow the following comma separated users and groups to bypass
- api_paste_code=# SMTP_BLOCK
- api_paste_code=#
- api_paste_code=# Note: root (UID:0) is always allowed
- api_paste_code=SMTP_ALLOWUSER = ""
- api_paste_code=SMTP_ALLOWGROUP = "admin,mail,mailman"
- api_paste_code=
- api_paste_code=# This option will only allow SMTP AUTH to be advertised to the IP addresses
- api_paste_code=# listed in /etc/csf/csf.smtpauth on EXIM mail servers
- api_paste_code=#
- api_paste_code=# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
- api_paste_code=# additionally restrict access to specific countries
- api_paste_code=#
- api_paste_code=# This is to help limit attempts at distributed attacks against SMTP AUTH which
- api_paste_code=# are difficult to achive since port 25 needs to be open to relay email
- api_paste_code=#
- api_paste_code=# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
- api_paste_code=# connection, then SMTP AUTH will not accept logins, defeating the attacks
- api_paste_code=# without restricting mail relaying
- api_paste_code=#
- api_paste_code=# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
- api_paste_code=# that the lookup file in /etc/exim.smtpauth is regenerated from the
- api_paste_code=# information from /etc/csf/csf.smtpauth plus any countries listed in
- api_paste_code=# CC_ALLOW_SMTPAUTH
- api_paste_code=#
- api_paste_code=# NOTE: To make this option work you MUST make the modifications to exim.conf
- api_paste_code=# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
- api_paste_code=# after enabling the option here, otherwise this option will not work
- api_paste_code=#
- api_paste_code=# To enable this option, set to 1 and make the exim configuration changes
- api_paste_code=# To disable this option, set to 0 and undo the exim configuration changes
- api_paste_code=SMTPAUTH_RESTRICT = "0"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Port Flood Settings
- api_paste_code=###############################################################################
- api_paste_code=# Enable SYN Flood Protection. This option configures iptables to offer some
- api_paste_code=# protection from tcp SYN packet DOS attempts. You should set the RATE so that
- api_paste_code=# false-positives are kept to a minimum otherwise visitors may see connection
- api_paste_code=# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
- api_paste_code=# man page for the correct --limit rate syntax
- api_paste_code=#
- api_paste_code=# Note: This option should ONLY be enabled if you know you are under a SYN
- api_paste_code=# flood attack as it will slow down all new connections from any IP address to
- api_paste_code=# the server if triggered
- api_paste_code=SYNFLOOD = "0"
- api_paste_code=SYNFLOOD_RATE = "100/s"
- api_paste_code=SYNFLOOD_BURST = "150"
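The warning above is easy to underestimate: the iptables limit match that SYNFLOOD_RATE and SYNFLOOD_BURST feed is a single token bucket shared by every source hitting the rule, so once an attacker drains it, legitimate clients lose SYNs too. The following Python model is an added illustration (not csf's code) that parses the --limit rate syntax the way iptables does (a count per second/minute/hour/day, with unit prefixes such as "s" or "min" accepted) and simulates a constructed scenario with one attacker and one legitimate client.

```python
"""Token-bucket model of SYNFLOOD_RATE / SYNFLOOD_BURST.

Added illustration, not csf code. The bucket is shared by all sources on the
rule, which is why a triggered SYNFLOOD slows down every new connection and
not only the attacker's. The traffic mix in simulate() is constructed.
"""
from __future__ import annotations

import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_rate(rate: str) -> float:
    """'100/s' -> 100.0 tokens per second; '30/minute' -> 0.5.

    Like iptables, any prefix of second/minute/hour/day is accepted as the unit.
    """
    m = re.fullmatch(r"\s*(\d+)\s*/\s*([a-z]+)\s*", rate.lower())
    if not m:
        raise ValueError(f"bad --limit rate: {rate!r}")
    unit = next((u for u in UNIT_SECONDS if u.startswith(m.group(2))), None)
    if unit is None:
        raise ValueError(f"unknown rate unit in {rate!r}")
    return int(m.group(1)) / UNIT_SECONDS[unit]


class SynFloodLimiter:
    """One bucket for the whole rule: BURST tokens, refilled at RATE per second."""

    def __init__(self, rate: str, burst: int) -> None:
        self.rate = parse_rate(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def syn(self, now: float) -> str:
        # Refill for the time elapsed since the previous SYN, never above BURST.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "ACCEPT"
        return "DROP"  # what the "*SYNFLOOD Blocked*" log line reports, whoever sent it


def simulate(rate: str, burst: int, attacker_pps: int, seconds: int) -> dict[str, int]:
    """Constructed scenario: one attacker at `attacker_pps` SYN/s, plus one
    legitimate client sending a single SYN just before the end of each second.
    Returns how many SYNs of each were dropped."""
    lim = SynFloodLimiter(rate, burst)
    dropped = {"attacker_dropped": 0, "client_dropped": 0}
    for s in range(seconds):
        for k in range(attacker_pps):
            if lim.syn(s + k / attacker_pps) == "DROP":
                dropped["attacker_dropped"] += 1
        if lim.syn(s + 0.999) == "DROP":
            dropped["client_dropped"] += 1
    return dropped


if __name__ == "__main__":
    # With this file's values, a 1000 SYN/s attacker takes the client down with it.
    print(simulate("100/s", 150, attacker_pps=1000, seconds=10))
    print(simulate("100/s", 150, attacker_pps=10, seconds=10))   # nothing dropped
```

Run the two scenarios side by side to see the point the comments make: at 10 SYN/s nobody is affected, at 1000 SYN/s the bucket is empty almost permanently and the single-SYN client is dropped along with the attacker. The real rule also matches only new TCP connections and logs before dropping; those parts are left out here.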
- api_paste_code=
- api_paste_code=# Connection Limit Protection. This option configures iptables to offer more
- api_paste_code=# protection from DOS attacks against specific ports. It can also be used as a
- api_paste_code=# way to simply limit resource usage by IP address to specific server services.
- api_paste_code=# This option limits the number of concurrent new connections per IP address
- api_paste_code=# that can be made to specific ports
- api_paste_code=#
- api_paste_code=# This feature does not work on servers that do not have the iptables module
- api_paste_code=# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
- api_paste_code=# server admins should check with their VPS host provider that the iptables
- api_paste_code=# module is included
- api_paste_code=#
- api_paste_code=# For further information and syntax refer to the Connection Limit Protection
- api_paste_code=# section of the csf readme.txt
- api_paste_code=#
- api_paste_code=# Note: Run /etc/csf/csftest.pl to check whether this option will function on
- api_paste_code=# this server
- api_paste_code=CONNLIMIT = ""
- api_paste_code=
- api_paste_code=# Port Flood Protection. This option configures iptables to offer protection
- api_paste_code=# from DOS attacks against specific ports. This option limits the number of
- api_paste_code=# new connections per time interval that can be made to specific ports
- api_paste_code=#
- api_paste_code=# This feature does not work on servers that do not have the iptables module
- api_paste_code=# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
- api_paste_code=# server admins should check with their VPS host provider that the iptables
- api_paste_code=# module is included
- api_paste_code=#
- api_paste_code=# For further information and syntax refer to the Port Flood Protection
- api_paste_code=# section of the csf readme.txt
- api_paste_code=#
- api_paste_code=# Note: Run /etc/csf/csftest.pl to check whether this option will function on
- api_paste_code=# this server
- api_paste_code=PORTFLOOD = ""
- api_paste_code=# PORTFLOOD = "21;tcp;10;60,53;tcp;10;60,80;tcp;10;60,443;tcp;10;60"
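Unlike SYNFLOOD, Port Flood Protection is tracked per source address. As an added illustration (not csf's own code), the Python below parses a PORTFLOOD string in the format of the commented example, models the resulting per-source limit as a sliding window so that thresholds can be reasoned about before the option is enabled, and prints an ipt_recent/xt_recent rule pair that enforces the same limit. The field order port;protocol;hit count;interval seconds is taken from the csf readme; the iptables lines are an approximation of what csf installs, and the recent-list name is assumed.

```python
"""PORTFLOOD parser, sliding-window model and iptables translation.

Added illustration, not csf/lfd code. Assumptions: each entry is
port;proto;hits;interval (the csf readme's field order); the iptables lines
approximate the ipt_recent rule pair csf builds and use a hypothetical
list name rather than csf's own.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodRule:
    port: int
    proto: str
    hits: int        # new connections allowed per interval, per source IP
    interval: int    # seconds


def parse_portflood(setting: str) -> list[FloodRule]:
    """'21;tcp;10;60,53;tcp;10;60' -> two FloodRules; '' -> [] (option off)."""
    rules = []
    for entry in (e.strip() for e in setting.split(",")):
        if not entry:
            continue
        fields = entry.split(";")
        if len(fields) != 4:
            raise ValueError(f"PORTFLOOD entry needs port;proto;hits;interval: {entry!r}")
        port, proto, hits, interval = fields
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"protocol must be tcp or udp: {entry!r}")
        rule = FloodRule(int(port), proto, int(hits), int(interval))
        if not 1 <= rule.port <= 65535 or rule.hits < 1 or rule.interval < 1:
            raise ValueError(f"port, hits or interval out of range: {entry!r}")
        rules.append(rule)
    return rules


def iptables_lines(rule: FloodRule) -> list[str]:
    """Rule pair for the recent match (approximation of csf's rules).

    The --update/--hitcount rule comes before --set: a source is tested
    against its recorded history first, then the current attempt is recorded.
    A source that keeps hammering is let through again only once its attempts
    inside the last `interval` seconds fall below `hits`.
    """
    name = f"PF_{rule.proto}_{rule.port}"        # hypothetical list name
    match = (f"-p {rule.proto} --dport {rule.port} -m conntrack --ctstate NEW "
             f"-m recent --name {name}")
    return [
        f"iptables -A INPUT {match} --update --seconds {rule.interval} "
        f"--hitcount {rule.hits} -j DROP",
        f"iptables -A INPUT {match} --set",
    ]


class PortFloodModel:
    """Sliding-window model of the rule pair above, keyed by source IP."""

    def __init__(self, rules: list[FloodRule]) -> None:
        self.rules = {(r.proto, r.port): r for r in rules}
        self.history: dict[tuple, deque] = defaultdict(deque)

    def check(self, src_ip: str, proto: str, port: int, now: float) -> str:
        rule = self.rules.get((proto, port))
        if rule is None:
            return "ACCEPT"                    # port not covered by PORTFLOOD
        seen = self.history[(src_ip, proto, port)]
        while seen and now - seen[0] >= rule.interval:
            seen.popleft()                     # outside the window, forget it
        verdict = "DROP" if len(seen) >= rule.hits else "ACCEPT"
        seen.append(now)                       # every attempt, dropped or not, is recorded
        return verdict


if __name__ == "__main__":
    # Constructed walk-through using the commented example from the config.
    rules = parse_portflood("21;tcp;10;60,53;tcp;10;60,80;tcp;10;60,443;tcp;10;60")
    for line in iptables_lines(rules[0]):
        print(line)
    model = PortFloodModel(rules)
    # Eleven FTP connection attempts in eleven seconds from one constructed source:
    print([model.check("203.0.113.5", "tcp", 21, t) for t in range(11)])
```

With the example values, the eleventh new connection to port 21 from one address inside 60 seconds is dropped while other addresses and other ports are unaffected, which is the behaviour to expect from the real rules before turning the option on and checking with /etc/csf/csftest.pl that the module is available.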
- api_paste_code=
- api_paste_code=
- api_paste_code=# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
- api_paste_code=# These typically originate from exploit scripts uploaded through vulnerable
- api_paste_code=# web scripts. Care should be taken on servers that use services that utilise
- api_paste_code=# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
- api_paste_code=# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
- api_paste_code=#
- api_paste_code=# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
- api_paste_code=UDPFLOOD = "0"
- api_paste_code=UDPFLOOD_LIMIT = "100/s"
- api_paste_code=UDPFLOOD_BURST = "500"
- api_paste_code=
- api_paste_code=# This is a list of usernames that should not be rate limited, such as "named"
- api_paste_code=# to prevent bind traffic from being limited.
- api_paste_code=#
- api_paste_code=# Note: root (UID:0) is always allowed
- api_paste_code=UDPFLOOD_ALLOWUSER = "named"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Logging Settings
- api_paste_code=###############################################################################
- api_paste_code=# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
- api_paste_code=# perl module Sys::Syslog installed to use this feature
- api_paste_code=SYSLOG = "0"
- api_paste_code=
- api_paste_code=# Drop target for incoming iptables rules. This can be set to either DROP or
- api_paste_code=# REJECT. REJECT will send back an error packet, DROP will not respond at all.
- api_paste_code=# REJECT is more polite, however it does provide extra information to a hacker
- api_paste_code=# and lets them know that a firewall is blocking their attempts. DROP hangs
- api_paste_code=# their connection, thereby frustrating attempts to port scan the server
- api_paste_code=DROP = "DROP"
- api_paste_code=
- api_paste_code=# Drop target for outgoing iptables rules. This can be set to either DROP or
- api_paste_code=# REJECT as with DROP, however as such connections are from this server it is
- api_paste_code=# better to REJECT connections to closed ports rather than to DROP them. This
- api_paste_code=# helps to immediately free up server resources rather than tying them up until
- api_paste_code=# a connection times out. It also tells the process making the connection that
- api_paste_code=# it has immediately failed
- api_paste_code=#
- api_paste_code=# It is possible that some monolithic kernels may not support the REJECT
- api_paste_code=# target. If this is the case, csf checks before using REJECT and falls back to
- api_paste_code=# using DROP, issuing a warning to set this to DROP instead
- api_paste_code=DROP_OUT = "REJECT"
- api_paste_code=
- api_paste_code=# Enable logging of dropped connections to blocked ports to syslog, usually
- api_paste_code=# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
- api_paste_code=DROP_LOGGING = "1"
- api_paste_code=
- api_paste_code=# Enable logging of dropped incoming connections from blocked IP addresses
- api_paste_code=#
- api_paste_code=# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
- api_paste_code=DROP_IP_LOGGING = "0"
- api_paste_code=
- api_paste_code=# Enable logging of dropped outgoing connections
- api_paste_code=#
- api_paste_code=# Note: Only outgoing SYN packets for TCP connections are logged, other
- api_paste_code=# protocols log all packets
- api_paste_code=#
- api_paste_code=# We recommend that you enable this option
- api_paste_code=DROP_OUT_LOGGING = "1"
- api_paste_code=
- api_paste_code=# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
- api_paste_code=# out (where available) which can help track abuse
- api_paste_code=DROP_UID_LOGGING = "1"
- api_paste_code=
- api_paste_code=# Only log incoming reserved port dropped connections (0:1023). This can reduce
- api_paste_code=# the amount of log noise from dropped connections, but will affect options
- api_paste_code=# such as Port Scan Tracking (PS_INTERVAL)
- api_paste_code=DROP_ONLYRES = "0"
- api_paste_code=
- api_paste_code=# Commonly blocked ports that you do not want logging as they tend to just fill
- api_paste_code=# up the log file. These ports are specifically blocked (applied to TCP and UDP
- api_paste_code=# protocols) for incoming connections
- api_paste_code=DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
- api_paste_code=
- api_paste_code=# Log packets dropped by the packet filtering option PACKET_FILTER
- api_paste_code=DROP_PF_LOGGING = "0"
- api_paste_code=
- api_paste_code=# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
- api_paste_code=# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
- api_paste_code=# addresses breaking the Connection Limit Protection will be blocked
- api_paste_code=CONNLIMIT_LOGGING = "0"
- api_paste_code=
- api_paste_code=# Enable logging of UDP floods. This should be enabled, especially with User ID
- api_paste_code=# Tracking enabled
- api_paste_code=UDPFLOOD_LOGGING = "1"
- api_paste_code=
- api_paste_code=# Send an alert if log file flooding is detected which causes lfd to skip log
- api_paste_code=# lines to prevent lfd from looping. If this alert is sent you should check the
- api_paste_code=# reported log file for the reason for the flooding
- api_paste_code=LOGFLOOD_ALERT = "0"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Reporting Settings
- api_paste_code=###############################################################################
- api_paste_code=# By default, lfd will send alert emails using the relevant alert template to
- api_paste_code=# the To: address configured within that template. Setting the following
- api_paste_code=# option will override the configured To: field in all lfd alert emails
- api_paste_code=#
- api_paste_code=# Leave this option empty to use the To: field setting in each alert template
- api_paste_code=LF_ALERT_TO = "admin@edu.ryukyu"
- api_paste_code=
- api_paste_code=# By default, lfd will send alert emails using the relevant alert template from
- api_paste_code=# the From: address configured within that template. Setting the following
- api_paste_code=# option will override the configured From: field in all lfd alert emails
- api_paste_code=#
- api_paste_code=# Leave this option empty to use the From: field setting in each alert template
- api_paste_code=LF_ALERT_FROM = "csf@localhost"
- api_paste_code=
- api_paste_code=# By default, lfd will send all alerts using the SENDMAIL binary. To send using
- api_paste_code=# SMTP directly, you can set the following to a relaying SMTP server, e.g.
- api_paste_code=# "127.0.0.1". Leave this setting blank to use SENDMAIL
- api_paste_code=LF_ALERT_SMTP = ""
- api_paste_code=
- api_paste_code=# Block Reporting. lfd can run an external script when it performs an IP
- api_paste_code=# address block, for example following a login failure. The following setting
- api_paste_code=# is to the full path of the external script which must be executable. See
- api_paste_code=# readme.txt for format details
- api_paste_code=#
- api_paste_code=# Leave this setting blank to disable
- api_paste_code=BLOCK_REPORT = ""
- api_paste_code=
- api_paste_code=# To also run an external script when a temporary block is unblocked. The
- api_paste_code=# following setting can be the full path of the external script which must be
- api_paste_code=# executable. See readme.txt for format details
- api_paste_code=#
- api_paste_code=# Leave this setting blank to disable
- api_paste_code=UNBLOCK_REPORT = ""
- api_paste_code=
- api_paste_code=# In addition to the standard lfd email alerts, you can additionally enable the
- api_paste_code=# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only
- api_paste_code=# block alert messages will be sent. The reports use our schema at:
- api_paste_code=# https://download.configserver.com/abuse_login-attack_0.2.json
- api_paste_code=#
- api_paste_code=# These reports are in a format accepted by many Netblock owners and should
- api_paste_code=# help them investigate abuse. This option is not designed to automatically
- api_paste_code=# forward these reports to the Netblock owners and should be checked for
- api_paste_code=# false-positive blocks before reporting
- api_paste_code=#
- api_paste_code=# If available, the report will also include the abuse contact for the IP from
- api_paste_code=# the Abusix Contact DB: https://abusix.com/contactdb.html
- api_paste_code=#
- api_paste_code=# Note: The following block types are not reported through this feature:
- api_paste_code=# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
- api_paste_code=X_ARF = "0"
- api_paste_code=
- api_paste_code=# By default, lfd will send emails from the root forwarder. Setting the
- api_paste_code=# following option will override this
- api_paste_code=X_ARF_FROM = ""
- api_paste_code=
- api_paste_code=# By default, lfd will send emails to the root forwarder. Setting the following
- api_paste_code=# option will override this
- api_paste_code=X_ARF_TO = ""
- api_paste_code=
- api_paste_code=# If you want to automatically send reports to the abuse contact where found,
- api_paste_code=# you can enable the following option
- api_paste_code=#
- api_paste_code=# Note: You MUST set X_ARF_FROM to a valid email address for this option to
- api_paste_code=# work. This is so that the abuse contact can reply to the report
- api_paste_code=#
- api_paste_code=# However, you should be aware that without manual checking you could be
- api_paste_code=# reporting innocent IP addresses, including your own clients, yourself and
- api_paste_code=# your own servers
- api_paste_code=#
- api_paste_code=# Additionally, just because a contact address is found, does not mean that
- api_paste_code=# there is anyone on the end of it reading, processing or acting on such
- api_paste_code=# reports and you could conceivably be reported for sending spam
- api_paste_code=#
- api_paste_code=# We do not recommend enabling this option. Abuse reports should be checked and
- api_paste_code=# verified before being forwarded to the abuse contact
- api_paste_code=X_ARF_ABUSE = "0"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Temp to Perm/Netblock Settings
- api_paste_code=###############################################################################
- api_paste_code=# Temporary to Permanent IP blocking. The following enables this feature to
- api_paste_code=# permanently block IP addresses that have been temporarily blocked more than
- api_paste_code=# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
- api_paste_code=# LF_PERMBLOCK to "1" to enable this feature
- api_paste_code=#
- api_paste_code=# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
- api_paste_code=# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
- api_paste_code=# (TTL) for blocked IPs, to be effective
- api_paste_code=#
- api_paste_code=# Set LF_PERMBLOCK to "0" to disable this feature
- api_paste_code=LF_PERMBLOCK = "1"
- api_paste_code=LF_PERMBLOCK_INTERVAL = "86400"
- api_paste_code=LF_PERMBLOCK_COUNT = "4"
- api_paste_code=LF_PERMBLOCK_ALERT = "1"
- api_paste_code=
- api_paste_code=# Permanently block IPs by network class. The following enables this feature
- api_paste_code=# to permanently block classes of IP address where individual IP addresses
- api_paste_code=# within the same class LF_NETBLOCK_CLASS have already been blocked more than
- api_paste_code=# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
- api_paste_code=# LF_NETBLOCK to "1" to enable this feature
- api_paste_code=#
- api_paste_code=# This can be an effective way of blocking DDOS attacks launched from within
- api_paste_code=# the same network class
- api_paste_code=#
- api_paste_code=# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
- api_paste_code=# consideration is required when blocking network classes A or B
- api_paste_code=#
- api_paste_code=# Set LF_NETBLOCK to "0" to disable this feature
- api_paste_code=LF_NETBLOCK = "0"
- api_paste_code=LF_NETBLOCK_INTERVAL = "86400"
- api_paste_code=LF_NETBLOCK_COUNT = "4"
- api_paste_code=LF_NETBLOCK_CLASS = "C"
- api_paste_code=LF_NETBLOCK_ALERT = "1"
- api_paste_code=
- api_paste_code=# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
- api_paste_code=# Great care should be taken with IPV6 netblock ranges due to the large number
- api_paste_code=# of addresses involved
- api_paste_code=#
- api_paste_code=# To disable IPv6 netblocks set to ""
- api_paste_code=LF_NETBLOCK_IPV6 = ""
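To make the two escalation rules above concrete, including the sizing caveat for LF_PERMBLOCK_INTERVAL and the difference between a /24 "class C" and an IPv6 /64, here is an added Python model (not lfd's code). It reads "more than COUNT times in the last INTERVAL seconds" literally, so the (COUNT+1)th temporary block inside the window escalates; it counts netblock hits as block events of any address inside the network; and it maps classes A/B/C to /8, /16 and /24. The addresses in the walk-through are constructed.

```python
"""Model of temp-to-perm (LF_PERMBLOCK*) and netblock (LF_NETBLOCK*) escalation.

Added illustration, not lfd's code. Assumptions: "more than COUNT times in
the last INTERVAL seconds" is read literally; netblock counts block events of
any address inside the network; class A/B/C map to /8, /16, /24.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque

CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def permblock_interval_ok(interval: int, count: int, longest_ttl: int) -> bool:
    """The sizing caveat from the comments: an IP can only be temp-blocked again
    once its previous temp block has expired, so COUNT blocks need at least
    COUNT * longest TTL seconds to fit inside the window at all."""
    return interval >= count * longest_ttl


class BlockEscalator:
    def __init__(self, permblock_count: int = 4, permblock_interval: int = 86400,
                 netblock: bool = False, netblock_count: int = 4,
                 netblock_interval: int = 86400, netblock_class: str = "C",
                 netblock_ipv6: str = "") -> None:
        self.pb_count, self.pb_interval = permblock_count, permblock_interval
        self.netblock = netblock                       # LF_NETBLOCK = "1"
        self.nb_count, self.nb_interval = netblock_count, netblock_interval
        self.v4_prefix = CLASS_PREFIX[netblock_class]
        self.v6_prefix = int(netblock_ipv6.lstrip("/")) if netblock_ipv6 else None
        self.ip_hits: dict[str, deque] = defaultdict(deque)   # ip -> temp-block times
        self.net_hits: dict[str, deque] = defaultdict(deque)  # net -> member block times
        self.perm_ips: set[str] = set()
        self.perm_nets: set[str] = set()

    @staticmethod
    def _prune(window: deque, now: int, interval: int) -> None:
        while window and now - window[0] > interval:
            window.popleft()

    def network_of(self, ip: str) -> str | None:
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        if prefix is None:
            return None                    # LF_NETBLOCK_IPV6 = "": no IPv6 netblocks
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def temp_block(self, ip: str, now: int) -> list[str]:
        """Record one temporary block of `ip` at time `now`; return escalations."""
        actions: list[str] = []
        if ip in self.perm_ips:
            return actions
        hits = self.ip_hits[ip]
        self._prune(hits, now, self.pb_interval)
        hits.append(now)
        if len(hits) > self.pb_count:
            self.perm_ips.add(ip)
            actions.append(f"PERMBLOCK {ip}")
        net = self.network_of(ip) if self.netblock else None
        if net is not None and net not in self.perm_nets:
            nhits = self.net_hits[net]
            self._prune(nhits, now, self.nb_interval)
            nhits.append(now)
            if len(nhits) > self.nb_count:
                self.perm_nets.add(net)
                actions.append(f"NETBLOCK {net}")
        return actions


if __name__ == "__main__":
    # Constructed walk-through with this file's values: fifth temp block in a day.
    e = BlockEscalator()
    print([e.temp_block("203.0.113.5", h * 3600) for h in range(5)])
    # Five different hosts from one /24 with LF_NETBLOCK enabled.
    n = BlockEscalator(netblock=True, netblock_class="C")
    print([n.temp_block(f"203.0.113.{i}", i) for i in range(1, 6)])
    print(permblock_interval_ok(86400, 4, 3600), permblock_interval_ok(3600, 4, 3600))
```

The second walk-through shows why class B and A need care: changing netblock_class to "B" turns the same five hits into a permanent block of 203.0.0.0/16, and the IPv6 settings from "/64" down to "/24" scale the same way.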
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Global Lists/DYNDNS/Blocklists
- api_paste_code=###############################################################################
- api_paste_code=# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
- api_paste_code=# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
- api_paste_code=# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
- api_paste_code=# chain, then flush and delete the old dynamic chain and rename the new chain.
- api_paste_code=#
- api_paste_code=# This prevents a small window of opportunity opening when an update occurs and
- api_paste_code=# the dynamic chain is flushed for the new rules.
- api_paste_code=#
- api_paste_code=# This option should not be enabled on servers with long dynamic chains (e.g.
- api_paste_code=# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
- api_paste_code=# Virtuozzo VPS servers with a restricted numiptent value. This is because each
- api_paste_code=# chain will effectively be duplicated while the update occurs, doubling the
- api_paste_code=# number of iptables rules
- api_paste_code=SAFECHAINUPDATE = "0"
- api_paste_code=
- api_paste_code=# If you wish to allow access from dynamic DNS records (for example if your IP
- api_paste_code=# address changes whenever you connect to the internet but you have a dedicated
- api_paste_code=# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
- api_paste_code=# records in csf.dyndns and then set the following to the number of seconds to
- api_paste_code=# poll for a change in the IP address. If the IP address has changed iptables
- api_paste_code=# will be updated.
- api_paste_code=#
- api_paste_code=# If the FQDN has multiple A records then all of the IP addresses will be
- api_paste_code=# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
- api_paste_code=# also be allowed.
- api_paste_code=#
- api_paste_code=# A setting of 600 would check for IP updates every 10 minutes. Set the value
- api_paste_code=# to 0 to disable the feature
- api_paste_code=DYNDNS = "0"
- api_paste_code=
- api_paste_code=# To always ignore DYNDNS IP addresses in lfd blocking, set the following
- api_paste_code=# option to 1
- api_paste_code=DYNDNS_IGNORE = "0"
- api_paste_code=
- api_paste_code=# The following Global options allow you to specify a URL where csf can grab a
- api_paste_code=# centralised copy of an IP allow or deny block list of your own. You need to
- api_paste_code=# specify the full URL in the following options, i.e.:
- api_paste_code=# http://www.somelocation.com/allow.txt
- api_paste_code=#
- api_paste_code=# The actual retrieval of these IP's is controlled by lfd, so you need to set
- api_paste_code=# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
- api_paste_code=# will perform the retrieval when it runs and then again at the specified
- api_paste_code=# interval. A sensible interval would probably be every 3600 seconds (1 hour).
- api_paste_code=# A minimum value of 300 is enforced for LF_GLOBAL if enabled
- api_paste_code=#
- api_paste_code=# You do not have to specify both an allow and a deny file
- api_paste_code=#
- api_paste_code=# You can also configure a global ignore file for IP's that lfd should ignore
- api_paste_code=LF_GLOBAL = "0"
- api_paste_code=
- api_paste_code=GLOBAL_ALLOW = ""
- api_paste_code=GLOBAL_DENY = ""
- api_paste_code=GLOBAL_IGNORE = ""
- api_paste_code=
- api_paste_code=# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
- api_paste_code=# this to the URL of the file containing DYNDNS entries
- api_paste_code=GLOBAL_DYNDNS = ""
- api_paste_code=
- api_paste_code=# Set the following to the number of seconds to poll for a change in the IP
- api_paste_code=# address resolved from GLOBAL_DYNDNS
- api_paste_code=GLOBAL_DYNDNS_INTERVAL = "600"
- api_paste_code=
- api_paste_code=# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
- api_paste_code=# option to 1
- api_paste_code=GLOBAL_DYNDNS_IGNORE = "0"
- api_paste_code=
- api_paste_code=# Blocklists are controlled by modifying /etc/csf/csf.blocklists
- api_paste_code=#
- api_paste_code=# If you don't want BOGON rules applied to specific NICs, then list them in
- api_paste_code=# a comma separated list (e.g "eth1,eth2")
- api_paste_code=LF_BOGON_SKIP = ""
- api_paste_code=
- api_paste_code=# The following option can be used to select either HTTP::Tiny or
- api_paste_code=# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
- api_paste_code=# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
- api_paste_code=# have to be installed manually, but it can better support https:// URL's
- api_paste_code=# which also needs the LWP::Protocol::https perl module
- api_paste_code=#
- api_paste_code=# For example:
- api_paste_code=#
- api_paste_code=# On rpm based systems:
- api_paste_code=#
- api_paste_code=# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
- api_paste_code=#
- api_paste_code=# On APT based systems:
- api_paste_code=#
- api_paste_code=# apt-get install libwww-perl liblwp-protocol-https-perl
- api_paste_code=#
- api_paste_code=# Via cpan:
- api_paste_code=#
- api_paste_code=# perl -MCPAN -eshell
- api_paste_code=# cpan> install LWP LWP::Protocol::https
- api_paste_code=#
- api_paste_code=# We recommend setting this to "2" as upgrades to csf will be performed
- api_paste_code=# over SSL to https://download.configserver.com and
- api_paste_code=# https://download2.configserver.com
- api_paste_code=#
- api_paste_code=# "1" = HTTP::Tiny
- api_paste_code=# "2" = LWP::UserAgent
- api_paste_code=URLGET = "2"
- api_paste_code=
- api_paste_code=# If you need csf/lfd to use a proxy, then you can set this option to the URL
- api_paste_code=# of the proxy. The proxy provided will be used for both HTTP and HTTPS
- api_paste_code=# connections
- api_paste_code=URLPROXY = ""
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Country Code Lists and Settings
- api_paste_code=###############################################################################
- api_paste_code=# Country Code to CIDR allow/deny. In the following two options you can allow
- api_paste_code=# or deny whole country CIDR ranges. The CIDR blocks are generated from the
- api_paste_code=# MaxMind GeoLite2 Country database at:
- api_paste_code=# https://dev.MaxMind.com/geoip/geoip2/geolite2/
- api_paste_code=# This feature relies entirely on that service being available
- api_paste_code=#
- api_paste_code=# Specify the two-letter ISO Country Code(s). The iptables rules are for
- api_paste_code=# incoming connections only
- api_paste_code=#
- api_paste_code=# Additionally, ASN numbers can also be added to the comma separated lists
- api_paste_code=# below that also list Country Codes. The same WARNINGS for Country Codes apply
- api_paste_code=# to the use of ASNs. More about Autonomous System Numbers (ASN):
- api_paste_code=# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
- api_paste_code=# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
- api_paste_code=#
- api_paste_code=# You should consider using LF_IPSET when using any of the following options
- api_paste_code=#
- api_paste_code=# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
- api_paste_code=# non-geographic IP address designations for their clients
- api_paste_code=#
- api_paste_code=# WARNING: Some of the CIDR lists are huge and each one requires a rule within
- api_paste_code=# the incoming iptables chain. This can result in significant performance
- api_paste_code=# overheads and could render the server inaccessible in some circumstances. For
- api_paste_code=# this reason (amongst others) we do not recommend using these options
- api_paste_code=#
- api_paste_code=# WARNING: Due to the resource constraints on VPS servers this feature should
- api_paste_code=# not be used on such systems unless you choose very small CC zones
- api_paste_code=#
- api_paste_code=# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
- api_paste_code=# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
- api_paste_code=# preferred
- api_paste_code=#
- api_paste_code=# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
- api_paste_code=CC_DENY = ""
- api_paste_code=CC_ALLOW = ""
- api_paste_code=
- api_paste_code=# An alternative to CC_ALLOW is to only allow access from the following
- api_paste_code=# countries but still filter based on the port and packets rules. All other
- api_paste_code=# connections are dropped
- api_paste_code=CC_ALLOW_FILTER = ""
- api_paste_code=
- api_paste_code=# This option allows access from the following countries to specific ports
- api_paste_code=# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
- api_paste_code=#
- api_paste_code=# Note: The rules for this feature are inserted after the allow and deny
- api_paste_code=# rules to still allow blocking of IP addresses
- api_paste_code=#
- api_paste_code=# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
- api_paste_code=CC_ALLOW_PORTS = ""
- api_paste_code=
- api_paste_code=# All listed ports should be removed from TCP_IN/UDP_IN to block access from
- api_paste_code=# elsewhere. This option uses the same format as TCP_IN/UDP_IN
- api_paste_code=#
- api_paste_code=# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN;
- api_paste_code=# then only countries listed in CC_ALLOW_PORTS can access FTP
- api_paste_code=CC_ALLOW_PORTS_TCP = ""
- api_paste_code=CC_ALLOW_PORTS_UDP = ""
- api_paste_code=
- api_paste_code=# This option denies access from the following countries to specific ports
- api_paste_code=# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
- api_paste_code=#
- api_paste_code=# Note: The rules for this feature are inserted after the allow and deny
- api_paste_code=# rules so that individual IP addresses can still be allowed
- api_paste_code=#
- api_paste_code=# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
- api_paste_code=CC_DENY_PORTS = ""
- api_paste_code=
- api_paste_code=# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
- api_paste_code=# NOT be removed from TCP_IN/UDP_IN
- api_paste_code=#
- api_paste_code=# An example would be to list port 21 here; then countries listed in
- api_paste_code=# CC_DENY_PORTS cannot access FTP
- api_paste_code=CC_DENY_PORTS_TCP = ""
- api_paste_code=CC_DENY_PORTS_UDP = ""
- api_paste_code=
- api_paste_code=# This Country Code list will prevent lfd from blocking IP address hits for the
- api_paste_code=# listed CC's
- api_paste_code=#
- api_paste_code=# CC_LOOKUPS must be enabled to use this option
- api_paste_code=CC_IGNORE = ""
- api_paste_code=
- api_paste_code=# This Country Code list will only allow SMTP AUTH to be advertised to the
- api_paste_code=# listed countries in EXIM. This is to help limit attempts at distributed
- api_paste_code=# attacks against SMTP AUTH which are difficult to achieve since port 25 needs
- api_paste_code=# to be open to relay email
- api_paste_code=#
- api_paste_code=# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
- api_paste_code=# connection, then SMTP AUTH will not accept logins, defeating the attacks
- api_paste_code=# without restricting mail relaying
- api_paste_code=#
- api_paste_code=# This option can generate a very large list of IP addresses that could easily
- api_paste_code=# severely impact on SMTP (mail) performance, so care must be taken when
- api_paste_code=# selecting countries and if performance issues ensue
- api_paste_code=#
- api_paste_code=# The option SMTPAUTH_RESTRICT must be enabled to use this option
- api_paste_code=CC_ALLOW_SMTPAUTH = ""
- api_paste_code=
- api_paste_code=# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
- api_paste_code=# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
- api_paste_code=# help reduce the number of CC entries and may improve iptables throughput.
- api_paste_code=# Obviously, this will deny/allow fewer IP addresses depending on how small you
- api_paste_code=# configure the option
- api_paste_code=#
- api_paste_code=# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set
- api_paste_code=# this option to "16". Set to "" to block all CC IP addresses
- api_paste_code=CC_DROP_CIDR = ""
- api_paste_code=
- api_paste_code=# Display Country Code and Country for reported IP addresses. This option can
- api_paste_code=# be configured to use the MaxMind Country Database or the more detailed (and
- api_paste_code=# much larger and therefore slower) MaxMind City Database. An additional option
- api_paste_code=# is also available if you cannot use the MaxMind databases
- api_paste_code=#
- api_paste_code=# "0" - disable
- api_paste_code=# "1" - Reports: Country Code and Country
- api_paste_code=# "2" - Reports: Country Code and Country and Region and City
- api_paste_code=# "3" - Reports: Country Code and Country and Region and City and ASN
- api_paste_code=# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
- api_paste_code=#
- api_paste_code=# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
- api_paste_code=# uses a URL-based lookup from a third-party provider at https://freegeoip.net
- api_paste_code=# and so avoids having to download and process the large databases. Please
- api_paste_code=# visit the https://freegeoip.net and read their limitations and respect that
- api_paste_code=# this option will either cease to function or be removed by us if that site is
- api_paste_code=# abused or overloaded. ONLY use this option if you have difficulties using the
- api_paste_code=# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
- api_paste_code=# CC_* options above, which will continue to use the MaxMind databases
- api_paste_code=#
- api_paste_code=CC_LOOKUPS = "1"
- api_paste_code=
- api_paste_code=# Display Country Code and Country for reported IPv6 addresses using the
- api_paste_code=# MaxMind Country IPv6 Database
- api_paste_code=#
- api_paste_code=# "0" - disable
- api_paste_code=# "1" - enable and report the detail level as specified in CC_LOOKUPS
- api_paste_code=#
- api_paste_code=# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
- api_paste_code=# PORTFLOOD
- api_paste_code=CC6_LOOKUPS = "0"
- api_paste_code=
- api_paste_code=# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
- api_paste_code=# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
- api_paste_code=# days)
- api_paste_code=CC_INTERVAL = "14"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Login Failure Blocking and Alerts
- api_paste_code=###############################################################################
- api_paste_code=# The following[*] triggers are application specific. If you set LF_TRIGGER to
- api_paste_code=# "0" the value of each trigger is the number of failures against that
- api_paste_code=# application that will trigger lfd to block the IP address
- api_paste_code=#
- api_paste_code=# If you set LF_TRIGGER to a value greater than "0" then the following[*]
- api_paste_code=# application triggers are simply on or off ("0" or "1") and the value of
- api_paste_code=# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
- api_paste_code=# to block the IP address
- api_paste_code=#
- api_paste_code=# Setting the application trigger to "0" disables it
- api_paste_code=LF_TRIGGER = "0"
- api_paste_code=
- api_paste_code=# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
- api_paste_code=# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
- api_paste_code=# "1" and the IP address will be blocked temporarily for that value in seconds.
- api_paste_code=# For example:
- api_paste_code=# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
- api_paste_code=# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
- api_paste_code=#
- api_paste_code=# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
- api_paste_code=# in the same way as above and LF_TRIGGER_PERM serves no function
- api_paste_code=LF_TRIGGER_PERM = "1"
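The trigger semantics described above (per-application thresholds when LF_TRIGGER is "0", a cumulative total otherwise, the *_PERM value choosing permanent or timed blocks, and LF_INTERVAL as the counting window) modelled in Python as an added illustration; this is not csf's own Perl code, and every IP address and failure event in it is constructed:

```python
"""Model of lfd's login-failure triggers as documented in csf.conf: failures
are counted per IP inside a sliding LF_INTERVAL window and either compared
per application (LF_TRIGGER = "0") or summed across applications
(LF_TRIGGER > 0); the matching *_PERM option selects the block duration.
Added illustration, not csf's own Perl code.  All events are constructed."""
from collections import defaultdict, deque


class FailureTracker:
    def __init__(self, conf):
        self.conf = conf
        self.interval = int(conf["LF_INTERVAL"])
        self.events = defaultdict(deque)          # ip -> deque of (ts, app)

    def opt(self, name):
        return int(self.conf.get(name, "0"))

    def record(self, ip, app, ts):
        """Register one failure. Returns None, or (ip, seconds) when a block
        fires; seconds == 0 stands for a permanent block (*_PERM = "1")."""
        level = self.opt(f"LF_{app}")
        if level == 0:                            # "0" disables this trigger
            return None
        q = self.events[ip]
        q.append((ts, app))
        while q and ts - q[0][0] > self.interval:  # drop failures outside window
            q.popleft()
        total = self.opt("LF_TRIGGER")
        if total > 0:                             # cumulative across applications
            if len(q) < total:
                return None
            perm = self.opt("LF_TRIGGER_PERM")
        else:                                     # per-application threshold
            if sum(1 for _, a in q if a == app) < level:
                return None
            perm = self.opt(f"LF_{app}_PERM")
        q.clear()                                 # block issued: reset counters
        return ip, (0 if perm == 1 else perm)


def run_samples():
    """Feed constructed failures through both modes and return the outcomes."""
    per_app = {"LF_TRIGGER": "0", "LF_TRIGGER_PERM": "1", "LF_INTERVAL": "3600",
               "LF_SSHD": "5", "LF_SSHD_PERM": "1",
               "LF_FTPD": "10", "LF_FTPD_PERM": "3600",
               "LF_POP3D": "0", "LF_POP3D_PERM": "1"}
    t = FailureTracker(per_app)
    # Five sshd failures inside the window: the fifth fires a permanent block.
    sshd = [b for i in range(5) if (b := t.record("198.51.100.7", "SSHD", i * 10))]
    # Nine ftpd failures, then a tenth 4000 s later: the earlier nine expired.
    for i in range(9):
        t.record("198.51.100.8", "FTPD", i)
    late = t.record("198.51.100.8", "FTPD", 4000)
    pop3 = t.record("198.51.100.9", "POP3D", 0)  # LF_POP3D = "0": never counted
    # Cumulative mode: app triggers become on/off, LF_TRIGGER is the total.
    cumulative = dict(per_app, LF_TRIGGER="3", LF_TRIGGER_PERM="600",
                      LF_SSHD="1", LF_FTPD="1")
    c = FailureTracker(cumulative)
    mixed = [c.record("198.51.100.10", a, i)
             for i, a in enumerate(["SSHD", "FTPD", "SSHD"])]
    return {"sshd": sshd, "late_ftpd": late, "pop3": pop3, "mixed": mixed}
```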
- api_paste_code=
- api_paste_code=# To only block access to the failed application instead of a complete block
- api_paste_code=# for an IP address, you can set the following to "1", but LF_TRIGGER must be
- api_paste_code=# set to "0" with specific application[*] trigger levels also set appropriately
- api_paste_code=#
- api_paste_code=# The ports that are blocked can be configured by changing the PORTS_* options
- api_paste_code=LF_SELECT = "0"
- api_paste_code=
- api_paste_code=# Send an email alert if an IP address is blocked by one of the [*] triggers
- api_paste_code=LF_EMAIL_ALERT = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of sshd connections
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_SSHD = "5"
- api_paste_code=LF_SSHD_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of ftp connections
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_FTPD = "10"
- api_paste_code=LF_FTPD_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of SMTP AUTH connections
- api_paste_code=LF_SMTPAUTH = "5"
- api_paste_code=LF_SMTPAUTH_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable syntax failure detection of Exim connections
- api_paste_code=LF_EXIMSYNTAX = "10"
- api_paste_code=LF_EXIMSYNTAX_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of pop3 connections
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_POP3D = "0"
- api_paste_code=LF_POP3D_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of imap connections
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_IMAPD = "0"
- api_paste_code=LF_IMAPD_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of Apache .htpasswd connections
- api_paste_code=# Due to the often high logging rate in the Apache error log, you might want to
- api_paste_code=# enable this option only if you know you are suffering from attacks against
- api_paste_code=# password protected directories
- api_paste_code=LF_HTACCESS = "5"
- api_paste_code=LF_HTACCESS_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable failure detection of repeated Apache mod_security rule triggers
- api_paste_code=LF_MODSEC = "5"
- api_paste_code=LF_MODSEC_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of VestaCP connections
- api_paste_code=LF_VESTA = "5"
- api_paste_code=LF_VESTA_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable detection of repeated BIND denied requests
- api_paste_code=# This option should be enabled with care as it will prevent blocked IPs from
- api_paste_code=# resolving any domains on the server. You might want to set the trigger value
- api_paste_code=# reasonably high to avoid this
- api_paste_code=# Example: LF_BIND = "100"
- api_paste_code=LF_BIND = "0"
- api_paste_code=LF_BIND_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable detection of repeated suhosin ALERTs
- api_paste_code=# Example: LF_SUHOSIN = "5"
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_SUHOSIN = "0"
- api_paste_code=LF_SUHOSIN_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
- api_paste_code=# This option will block IP addresses if cxs detects hits from the
- api_paste_code=# ModSecurity rule associated with it
- api_paste_code=#
- api_paste_code=# Note: This option takes precedence over LF_MODSEC and removes any hits
- api_paste_code=# counted towards LF_MODSEC for the cxs rule
- api_paste_code=#
- api_paste_code=# This setting should probably be set very low, perhaps to 1, if you want to
- api_paste_code=# effectively block IP addresses for this trigger option
- api_paste_code=LF_CXS = "0"
- api_paste_code=LF_CXS_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable detection of repeated Apache mod_qos rule triggers
- api_paste_code=LF_QOS = "0"
- api_paste_code=LF_QOS_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable detection of repeated Apache symlink race condition triggers from
- api_paste_code=# the Apache patch provided by:
- api_paste_code=# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
- api_paste_code=# This patch has also been included by cPanel via the easyapache option:
- api_paste_code=# "Symlink Race Condition Protection"
- api_paste_code=LF_SYMLINK = "0"
- api_paste_code=LF_SYMLINK_PERM = "1"
- api_paste_code=
- api_paste_code=# [*]Enable login failure detection of webmin connections
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_WEBMIN = "0"
- api_paste_code=LF_WEBMIN_PERM = "1"
- api_paste_code=
- api_paste_code=# Send an email alert if anyone logs in successfully using SSH
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_SSH_EMAIL_ALERT = "1"
- api_paste_code=
- api_paste_code=# Send an email alert if anyone uses su to access another account. This will
- api_paste_code=# send an email alert whether the attempt to use su was successful or not
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_SU_EMAIL_ALERT = "1"
- api_paste_code=
- api_paste_code=# Send an email alert if anyone accesses webmin
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_WEBMIN_EMAIL_ALERT = "1"
- api_paste_code=
- api_paste_code=# Send an email alert if anyone logs in successfully to root on the console
- api_paste_code=#
- api_paste_code=# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
- api_paste_code=# this file about RESTRICT_SYSLOG before enabling this option:
- api_paste_code=LF_CONSOLE_EMAIL_ALERT = "1"
- api_paste_code=
- api_paste_code=# This option will keep track of the number of "File does not exist" errors in
- api_paste_code=# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
- api_paste_code=# seconds then the IP address will be blocked
- api_paste_code=#
- api_paste_code=# Care should be used with this option as it could generate many
- api_paste_code=# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
- api_paste_code=# so only use this option if you know you are under this type of attack
- api_paste_code=#
- api_paste_code=# A sensible setting for this would be quite high, perhaps 200
- api_paste_code=#
- api_paste_code=# To disable set to "0"
- api_paste_code=LF_APACHE_404 = "0"
- api_paste_code=
- api_paste_code=# If this option is set to 1 the blocks will be permanent
- api_paste_code=# If this option is > 1, the blocks will be temporary for the specified number
- api_paste_code=# of seconds
- api_paste_code=LF_APACHE_404_PERM = "3600"
- api_paste_code=
- api_paste_code=# This option will keep track of the number of "client denied by server
- api_paste_code=# configuration" errors in HTACCESS_LOG. If the number of hits is more than
- api_paste_code=# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
- api_paste_code=#
- api_paste_code=# Care should be used with this option as it could generate many
- api_paste_code=# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
- api_paste_code=# so only use this option if you know you are under this type of attack
- api_paste_code=#
- api_paste_code=# A sensible setting for this would be quite high, perhaps 200
- api_paste_code=#
- api_paste_code=# To disable set to "0"
- api_paste_code=LF_APACHE_403 = "0"
- api_paste_code=
- api_paste_code=# If this option is set to 1 the blocks will be permanent
- api_paste_code=# If this option is > 1, the blocks will be temporary for the specified number
- api_paste_code=# of seconds
- api_paste_code=LF_APACHE_403_PERM = "3600"
- api_paste_code=
- api_paste_code=# This option will keep track of the number of 401 failures in HTACCESS_LOG.
- api_paste_code=# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
- api_paste_code=# the IP address will be blocked
- api_paste_code=#
- api_paste_code=# To disable set to "0"
- api_paste_code=LF_APACHE_401 = "0"
- api_paste_code=
- api_paste_code=# This option is used to determine if the Apache error_log format contains the
- api_paste_code=# client port after the client IP. In Apache prior to v2.4, this was not the
- api_paste_code=# case. In Apache v2.4 the error_log format can be configured using
- api_paste_code=# ErrorLogFormat, making the port directive optional
- api_paste_code=#
- api_paste_code=# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
- api_paste_code=# to the client IP by default. This makes determining client IPv6 addresses
- api_paste_code=# difficult unless we know whether the port is being appended or not
- api_paste_code=#
- api_paste_code=# If this option is set to "0", lfd will attempt to autodetect the correct value
- api_paste_code=# from the httpd binary found in common locations. If it fails to find a binary,
- api_paste_code=# the value will be set to "2", unless specified here
- api_paste_code=#
- api_paste_code=# The value can be set here explicitly if the autodetection does not work:
- api_paste_code=# 0 - autodetect
- api_paste_code=# 1 - no port directive after client IP
- api_paste_code=# 2 - port directive after client IP
- api_paste_code=LF_APACHE_ERRPORT = "0"
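Why LF_APACHE_ERRPORT matters for the LF_APACHE_404/403/401 counters above: with the Apache 2.4 default ErrorLogFormat the client field reads "IP:port", and for IPv6 the trailing ":port" cannot be distinguished from an address group unless the setting is known. The Python below is an added illustration, not lfd's own Perl code; the error_log lines are constructed in the 2.4 format, and the time window (LF_INTERVAL) is deliberately left out of the count:

```python
"""Parsing the Apache error_log client field the way LF_APACHE_ERRPORT
requires, and counting "File does not exist" hits per client as the
LF_APACHE_404 trigger does.  Added illustration, not lfd's own Perl code;
the log lines are constructed in the Apache 2.4 default ErrorLogFormat."""
import ipaddress
import re
from collections import Counter

CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\]")

# Constructed sample: 2.4 format, so every client field carries ":port".
SAMPLE_LOG = """\
[Mon Jan 01 12:00:00.000001 2024] [core:info] [pid 1234] [client 203.0.113.5:4321] AH00128: File does not exist: /var/www/html/a.html
[Mon Jan 01 12:00:01.000002 2024] [core:info] [pid 1234] [client 203.0.113.5:4322] AH00128: File does not exist: /var/www/html/b.html
[Mon Jan 01 12:00:02.000003 2024] [core:info] [pid 1234] [client 2001:db8::1:4321] AH00128: File does not exist: /var/www/html/c.html
[Mon Jan 01 12:00:03.000004 2024] [authz_core:error] [pid 1234] [client 203.0.113.5:4323] AH01630: client denied by server configuration: /var/www/html/private
"""


def client_ip(line, errport):
    """Return the client address found in `line`, or None.
    errport mirrors LF_APACHE_ERRPORT: 1 = no port after the IP (pre-2.4),
    2 = ":port" appended (the 2.4 ErrorLogFormat default)."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    field = m.group("client")
    if errport == 2:
        # Remove exactly one ":port" suffix.  Splitting on any colon would
        # destroy IPv6 addresses, which is why lfd must know this setting.
        host, sep, port = field.rpartition(":")
        if not sep or not port.isdigit():
            return None
        field = host
    try:
        return ipaddress.ip_address(field)
    except ValueError:
        return None                       # field is not a bare address


def count_404(log, errport):
    """Count "File does not exist" lines per client, as LF_APACHE_404 does
    within one LF_INTERVAL (the time window is assumed, not modelled here)."""
    hits = Counter()
    for line in log.splitlines():
        if "File does not exist" not in line:
            continue
        ip = client_ip(line, errport)
        if ip is not None:
            hits[str(ip)] += 1
    return dict(hits)
```

With the wrong setting (1 against 2.4 logs) the IPv4 lines yield no address at all, while the IPv6 line parses as the unrelated address 2001:db8::1:4321, so a block would land on the wrong host.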
- api_paste_code=
- api_paste_code=# If this option is set to 1 the blocks will be permanent
- api_paste_code=# If this option is > 1, the blocks will be temporary for the specified number
- api_paste_code=# of seconds
- api_paste_code=LF_APACHE_401_PERM = "3600"
- api_paste_code=
- api_paste_code=# This option will send an alert if the ModSecurity IP persistent storage grows
- api_paste_code=# excessively large: https://goo.gl/rGh5sF
- api_paste_code=#
- api_paste_code=# More information on cPanel servers here: https://goo.gl/vo6xTE
- api_paste_code=#
- api_paste_code=# LF_MODSECIPDB_FILE must be set to the correct location of the database file
- api_paste_code=#
- api_paste_code=# The check is performed at lfd startup and then once per hour; the template
- api_paste_code=# used is modsecipdbalert.txt
- api_paste_code=#
- api_paste_code=# Set to "0" to disable this option, otherwise it is the threshold size of the
- api_paste_code=# file to report in gigabytes, e.g. set to 5 for 5GB
- api_paste_code=LF_MODSECIPDB_ALERT = "0"
- api_paste_code=
- api_paste_code=# This is the location of the persistent IP storage file on the server, e.g.:
- api_paste_code=# /var/run/modsecurity/data/ip.pag
- api_paste_code=# /var/cpanel/secdatadir/ip.pag
- api_paste_code=# /var/cache/modsecurity/ip.pag
- api_paste_code=# /usr/local/apache/conf/modsec/data/msa/ip.pag
- api_paste_code=# /var/tmp/ip.pag
- api_paste_code=# /tmp/ip.pag
- api_paste_code=LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
- api_paste_code=
- api_paste_code=# System Exploit Checking. This option is designed to perform a series of tests
- api_paste_code=# to send an alert in case a possible server compromise is detected
- api_paste_code=#
- api_paste_code=# To enable this feature set the following to the checking interval in seconds
- api_paste_code=# (a value of 300 would seem sensible).
- api_paste_code=#
- api_paste_code=# To disable set to "0"
- api_paste_code=LF_EXPLOIT = "300"
- api_paste_code=
- api_paste_code=# This comma separated list allows you to ignore tests LF_EXPLOIT performs
- api_paste_code=#
- api_paste_code=# For the SUPERUSER check, you can list usernames in csf.suignore to have them
- api_paste_code=# ignored for that test
- api_paste_code=#
- api_paste_code=# Valid tests are:
- api_paste_code=# SUPERUSER
- api_paste_code=#
- api_paste_code=# If you want to ignore a test add it to this as a comma separated list, e.g.
- api_paste_code=# "SUPERUSER"
- api_paste_code=LF_EXPLOIT_IGNORE = ""
- api_paste_code=
- api_paste_code=# Set the time interval to track login and other LF_ failures within (seconds),
- api_paste_code=# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
- api_paste_code=LF_INTERVAL = "3600"
- api_paste_code=
- api_paste_code=# This is how long the lfd process sleeps (in seconds) before processing the
- api_paste_code=# log file entries and checking whether other events need to be triggered
- api_paste_code=LF_PARSE = "5"
- api_paste_code=
- api_paste_code=# This is the interval that is used to flush reports of usernames, files and
- api_paste_code=# pids so that persistent problems continue to be reported, in seconds.
- api_paste_code=# A value of 3600 seems sensible
- api_paste_code=LF_FLUSH = "3600"
- api_paste_code=
- api_paste_code=# Under some circumstances iptables can fail to include a rule instruction,
- api_paste_code=# especially if more than one request is made concurrently. In this event, a
- api_paste_code=# permanent block entry may exist in csf.deny, but not in iptables.
- api_paste_code=#
- api_paste_code=# This option instructs csf to deny an already blocked IP address the number
- api_paste_code=# of times set. The downside is that there will be multiple entries for an IP
- api_paste_code=# address in csf.deny and possibly multiple rules for the same IP address in
- api_paste_code=# iptables. This needs to be taken into consideration when unblocking such IP
- api_paste_code=# addresses.
- api_paste_code=#
- api_paste_code=# Set to "0" to disable this feature. Do not set this too high for the reasons
- api_paste_code=# detailed above (e.g. "5" should be more than enough)
- api_paste_code=LF_REPEATBLOCK = "0"
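A check for the two conditions the LF_REPEATBLOCK text describes: a permanent entry in csf.deny with no matching iptables rule, and the duplicate csf.deny entries that a non-zero LF_REPEATBLOCK leaves behind. This Python is an added illustration, not csf's own code; both input files are constructed, only plain IP/CIDR entries are handled, and the chain name DENYIN is assumed here:

```python
"""Audit csf.deny against iptables-save output for the failure mode
LF_REPEATBLOCK works around (entry in csf.deny, rule missing in iptables)
and for the duplicates LF_REPEATBLOCK > 0 produces.  Added illustration,
not csf's own code.  Both inputs are constructed; the DENYIN chain name is
assumed, and only plain IP/CIDR csf.deny entries are parsed."""
import ipaddress
import re
from collections import Counter

CSF_DENY = """\
# csf.deny - constructed sample
203.0.113.10 # lfd: (sshd) Failed SSH login - constructed comment
203.0.113.11 # lfd: (ftpd) Failed FTP login
203.0.113.11 # lfd: (ftpd) Failed FTP login
198.51.100.0/24 # manual block
"""

IPTABLES_SAVE = """\
*filter
-A DENYIN -s 203.0.113.10/32 -j DROP
-A DENYOUT -d 203.0.113.10/32 -j LOGDROPOUT
-A DENYIN -s 198.51.100.0/24 -j DROP
COMMIT
"""

DENYIN_RE = re.compile(r"-A DENYIN -s (\S+) -j")


def parse_csf_deny(text):
    """Return the networks listed in csf.deny (comments and blanks skipped)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_denyin(text):
    """Return the source networks blocked by rules in the DENYIN chain."""
    return [ipaddress.ip_network(m.group(1)) for m in DENYIN_RE.finditer(text)]


def audit(deny_text, iptables_text):
    """Report csf.deny entries with no DENYIN rule, and entries listed more
    than once (the side effect the LF_REPEATBLOCK comment warns about)."""
    wanted = parse_csf_deny(deny_text)
    present = set(parse_denyin(iptables_text))
    missing = sorted({str(n) for n in wanted if n not in present})
    dupes = sorted(str(n) for n, c in Counter(wanted).items() if c > 1)
    return {"missing": missing, "duplicates": dupes}
```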
- api_paste_code=
- api_paste_code=# By default csf will create both inbound and outbound blocks from/to an IP
- api_paste_code=# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
- api_paste_code=# effective way to block IP traffic. This option instructs csf to only block
- api_paste_code=# inbound traffic from those IPs and so reduces the number of iptables rules,
- api_paste_code=# but at the expense of effectiveness. For this reason we recommend
- api_paste_code=# leaving this option disabled
- api_paste_code=#
- api_paste_code=# Set to "0" to disable this feature - the default
- api_paste_code=LF_BLOCKINONLY = "0"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:CloudFlare
- api_paste_code=###############################################################################
- api_paste_code=# This feature provides interaction with the CloudFlare Firewall
- api_paste_code=#
- api_paste_code=# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
- api_paste_code=# iptables is concerned) come from the CloudFlare IPs. To counter this, an
- api_paste_code=# Apache module (mod_cloudflare) is available that obtains the true attacker's
- api_paste_code=# IP from a custom HTTP header record (similar functionality is available
- api_paste_code=# for other HTTP daemons)
- api_paste_code=#
- api_paste_code=# However, despite now knowing the true attacking IP address, iptables cannot
- api_paste_code=# be used to block that IP as the traffic is still coming from the CloudFlare
- api_paste_code=# servers
- api_paste_code=#
- api_paste_code=# CloudFlare have provided a Firewall feature within the user account where
- api_paste_code=# rules can be added to block, challenge or whitelist IP addresses
- api_paste_code=#
- api_paste_code=# Using the CloudFlare API, this feature adds and removes attacking IPs from
- api_paste_code=# that firewall and provides additional commands via the CLI (and the UI)
- api_paste_code=#
- api_paste_code=# See /etc/csf/readme.txt for more information about this feature and the
- api_paste_code=# restrictions for its use BEFORE enabling this feature
- api_paste_code=CF_ENABLE = "0"
- api_paste_code=
- api_paste_code=# This can be set to either "block" or "challenge" (see CloudFlare docs)
- api_paste_code=CF_BLOCK = "block"
- api_paste_code=
- api_paste_code=# This setting determines how long the temporary block will apply within csf
- api_paste_code=# and CloudFlare, keeping them in sync
- api_paste_code=#
- api_paste_code=# Block duration in seconds - overrides perm block or time of individual blocks
- api_paste_code=# in lfd for block triggers
- api_paste_code=CF_TEMP = "3600"
- api_paste_code=
- api_paste_code=###############################################################################
- api_paste_code=# SECTION:Directory Watching