Untitled

a guest Dec 12th, 2019
###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# These options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1" and those features will not work,
# but you will not be protected from the exploits that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "3"

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and, if any of the
# restricted items need to be changed, changing them from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
AUTO_UPDATES = "1"

###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Port ranges in the following comma separated lists can be specified using a
# colon (e.g. 30000:35000).

# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source port 53;
#
# This will force incoming DNS traffic only through port 53
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
TCP_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"

# Allow outgoing TCP ports
TCP_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,40000:42000"

# Allow incoming UDP ports
UDP_IN = "20,21,53,5001:5209,12000:12100,40000:42000"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,5001:5209,12000:12100,40000:42000"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# ratelimits PING requests which, if exceeded, results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate for PING requests. This
# ratelimits PING requests which, if exceeded, results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"

# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and it can impact network performance, so it should be left disabled by
# everyone else
ICMP_TIMESTAMPDROP = "0"

###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled:
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"

# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1", but this may break
# some connection types
IPV6_ICMP_STRICT = "0"

# Pre v2.6.20 kernels must set this option to "0" as no working state module is
# present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
#        query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

# Allow incoming IPv6 TCP ports
TCP6_IN = "20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,5001:5209,8080,8083,12000:12100,33434:33523,40000:42000"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53,5001:5209,12000:12100,40000:42000"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123,5001:5209,12000:12100,33434:33523,40000:42000"
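Added example (not part of csf and not from this csf.conf): a small Python parser and validator for the port-list syntax used by TCP_IN, TCP_OUT, UDP_IN, UDP_OUT and their IPv6 counterparts above. It rejects malformed entries, out-of-range ports and inverted ranges (so a typo cannot silently widen what the firewall accepts), answers whether a given port is covered by a list, and computes the ports opened by one list but not another, which is a quick way to catch IPv4/IPv6 drift such as the 33434:33523 range that appears in TCP6_OUT above but not in TCP_OUT. The *_SAMPLE constants copy values from this file; how csf turns these lists into iptables rules is csf's own business and is not modelled here.

```python
"""Parse and validate csf-style port lists (TCP_IN, UDP_OUT, TCP6_IN, ...).

Added example, not part of csf itself. The grammar follows the comments in
csf.conf: a comma-separated list in which each entry is a single port or an
inclusive colon range such as 30000:35000. The *_SAMPLE constants copy the
values from this csf.conf so the functions can be exercised offline.
"""
from __future__ import annotations

import re

# One entry: "80" or "30000:35000"; anything else is rejected outright.
_ENTRY_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")

# Values copied from the TCP_IN / TCP_OUT / TCP6_OUT lines of this file.
TCP_IN_SAMPLE = ("20:22,25,53,80,110,143,443,465,587,873,953,993,995,2077:2096,"
                 "2222,2525,2812,3306,5001:5209,5566,8080,8083,8443,10000,"
                 "12000:12100,30000:30100,35000:35999,37210,40000:42000,59999:60300")
TCP_OUT_SAMPLE = ("20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,"
                  "5001:5209,8080,8083,12000:12100,40000:42000")
TCP6_OUT_SAMPLE = ("20:22,25,43,53,80,110,113,443,465,587,873,953,995,2077:2096,"
                   "5001:5209,8080,8083,12000:12100,33434:33523,40000:42000")


def parse_port_list(value: str) -> list[tuple[int, int]]:
    """Turn '20:22,25,53' into [(20, 22), (25, 25), (53, 53)].

    Raises ValueError on a malformed entry, a port outside 1..65535, or a
    range whose low end is above its high end.
    """
    ranges: list[tuple[int, int]] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate an empty list or a trailing comma
        m = _ENTRY_RE.match(entry)
        if not m:
            raise ValueError(f"malformed port entry: {entry!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port out of range in entry {entry!r}")
        if low > high:
            raise ValueError(f"inverted range {entry!r}")
        ranges.append((low, high))
    return ranges


def is_valid_port_list(value: str) -> bool:
    """True if every entry in the list parses cleanly."""
    try:
        parse_port_list(value)
    except ValueError:
        return False
    return True


def port_allowed(port: int, value: str) -> bool:
    """True if `port` falls inside any entry of the list."""
    return any(low <= port <= high for low, high in parse_port_list(value))


def expand_ports(value: str) -> set[int]:
    """Materialise every individual port the list covers."""
    ports: set[int] = set()
    for low, high in parse_port_list(value):
        ports.update(range(low, high + 1))
    return ports


def list_difference(a: str, b: str) -> set[int]:
    """Ports opened by list a but not by list b, e.g. to spot IPv4/IPv6 drift."""
    return expand_ports(a) - expand_ports(b)


if __name__ == "__main__":
    print(f"{len(parse_port_list(TCP_IN_SAMPLE))} entries in TCP_IN")
    drift = list_difference(TCP6_OUT_SAMPLE, TCP_OUT_SAMPLE)
    print(f"in TCP6_OUT but not TCP_OUT: {min(drift)}-{max(drift)} ({len(drift)} ports)")
```

Running the module prints the entry count for TCP_IN and the outbound ports that only the IPv6 list opens; the same functions can be pointed at any other pair of lists from this file.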

###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+ )
ETH_DEVICE = "eth0"

# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
#ETH6_DEVICE = "eth0"

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"

# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"

# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
SYSLOG_CHECK = "0"

# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IP's allowed through the
# firewall from infected PC's could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "1"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"

# Limit the number of IP's kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed.
# If the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
DENY_IP_LIMIT = "200"

# Limit the number of IP's kept in the temporary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
#    and then restored where possible to provide a near instant firewall
#    startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
#    BOGON, TOR are loaded using this method in a fraction of the time they
#    take if this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"

# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages; some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "1"

# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"

# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"

# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"
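Added example (not csf's own code): a lint that reads csf.conf-style text and checks the constraints this file's own comments state for TESTING (must be "0" once the firewall is verified, or lfd will not start), RESTRICT_SYSLOG and RESTRICT_SYSLOG_GROUP (recommended "3", and the group must not already exist in /etc/group before that mode is enabled), RESTRICT_UI (at least "1"), USE_FTPHELPER (a port number, never "1") and LF_IPSET_HASHSIZE (a power of two). SAMPLE_CONF and SAMPLE_GROUP are constructed inputs; on a real server you would pass the contents of /etc/csf/csf.conf and /etc/group before restarting lfd, since lfd creates the syslog group itself once RESTRICT_SYSLOG=3 is active.

```python
"""Lint csf.conf settings against the constraints stated in its own comments.

Added example, not csf's own code. It checks only what csf.conf documents:
TESTING must be "0" once the firewall is verified (lfd will not start while
it is enabled), RESTRICT_SYSLOG is recommended at "3" and its group must
not already exist in /etc/group before that mode is enabled, RESTRICT_UI
should be at least "1", USE_FTPHELPER is a port number and never "1", and
LF_IPSET_HASHSIZE must be a power of two. SAMPLE_CONF and SAMPLE_GROUP are
constructed inputs, not a real server's files.
"""
from __future__ import annotations

import re

# KEY = "value" on its own line; commented-out keys such as #ETH6_DEVICE are skipped.
_SETTING_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')

SAMPLE_CONF = """\
# constructed sample with several settings the comments warn against
TESTING = "1"
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
RESTRICT_UI = "0"
USE_FTPHELPER = "1"
LF_IPSET_HASHSIZE = "1000"
#ETH6_DEVICE = "eth0"
"""

# constructed /etc/group content in which the chosen syslog group already exists
SAMPLE_GROUP = "root:x:0:\nmysyslog:x:1001:\n"


def parse_settings(text: str) -> dict[str, str]:
    """Return the active KEY -> value pairs from csf.conf-style text."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def group_exists(name: str, group_text: str) -> bool:
    """True if `name` is defined in /etc/group-format text (name:x:gid:members)."""
    return any(line.split(":")[0] == name for line in group_text.splitlines() if line)


def is_power_of_two(value: str) -> bool:
    """ipset hashsize rule: a positive integer with a single bit set."""
    return value.isdigit() and int(value) > 0 and int(value) & (int(value) - 1) == 0


def lint(settings: dict[str, str], group_text: str) -> list[str]:
    """Return one finding per violated constraint; an empty list means clean.

    Run this on a config that is about to be applied: once lfd has started
    with RESTRICT_SYSLOG=3 it creates the group itself, so the group check
    is only meaningful before that first restart.
    """
    findings: list[str] = []
    if settings.get("TESTING", "0") != "0":
        findings.append("TESTING is enabled: cron will flush iptables and lfd will not start")
    rs = settings.get("RESTRICT_SYSLOG", "0")
    if rs != "3":
        findings.append(f"RESTRICT_SYSLOG={rs}: log-driven blocks can be triggered by spoofed "
                        "syslog lines; 3 is the recommended setting")
    elif group_exists(settings.get("RESTRICT_SYSLOG_GROUP", ""), group_text):
        findings.append("RESTRICT_SYSLOG_GROUP already exists in /etc/group; use a unique name")
    if settings.get("RESTRICT_UI", "0") == "0":
        findings.append("RESTRICT_UI=0: a compromised control panel could rewrite firewall settings")
    if settings.get("USE_FTPHELPER", "0") == "1":
        findings.append("USE_FTPHELPER=1: set it to the FTP listening port (normally 21), not 1")
    hs = settings.get("LF_IPSET_HASHSIZE", "1024")
    if not is_power_of_two(hs):
        findings.append(f"LF_IPSET_HASHSIZE={hs} is not a power of two")
    return findings


def audit(conf_text: str, group_text: str) -> list[str]:
    """Convenience wrapper: parse then lint."""
    return lint(parse_settings(conf_text), group_text)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_GROUP):
        print("WARN:", finding)
```

Each finding quotes the setting it comes from, so the output maps directly back to the commented block above that explains the constraint; a clean config returns an empty list.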
  424. api_paste_code=
  425. api_paste_code=# If you enable this option then whenever a CLI request to restart csf is used
  426. api_paste_code=# lfd will restart csf instead within LF_PARSE seconds
  427. api_paste_code=#
  428. api_paste_code=# This feature can be helpful for restarting configurations that cannot use
  429. api_paste_code=# FASTSTART
  430. api_paste_code=LFDSTART = "0"
  431. api_paste_code=
  432. api_paste_code=# Enable verbose output of iptables commands
  433. api_paste_code=VERBOSE = "1"
  434. api_paste_code=
  435. api_paste_code=# Drop out of order packets and packets in an INVALID state in iptables
  436. api_paste_code=# connection tracking
  437. api_paste_code=PACKET_FILTER = "1"
  438. api_paste_code=
  439. api_paste_code=# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
  440. api_paste_code=LF_LOOKUPS = "1"
  441. api_paste_code=
  442. api_paste_code=# Custom styling is possible in the csf UI. See the readme.txt for more
  443. api_paste_code=# information under "UI skinning and Mobile View"
  444. api_paste_code=#
  445. api_paste_code=# This option enables the use of custom styling. If the styling fails to work
  446. api_paste_code=# correctly, e.g. custom styling does not take into account a change in the
  447. api_paste_code=# standard csf UI, then disabling this option will return the standard UI
  448. api_paste_code=STYLE_CUSTOM = "0"
  449. api_paste_code=
  450. api_paste_code=# This option disables the presence of the Mobile View in the csf UI
  451. api_paste_code=STYLE_MOBILE = "1"
  452. api_paste_code=
  453. api_paste_code=###############################################################################
  454. api_paste_code=# SECTION:SMTP Settings
  455. api_paste_code=###############################################################################
  456. api_paste_code=# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module, which must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
SMTP_BLOCK = "0"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = ""
SMTP_ALLOWGROUP = "admin,mail,mailman"

# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achieve since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in the "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"

###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum, otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"
SYNFLOOD_BURST = "150"

# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
CONNLIMIT = ""

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
PORTFLOOD = ""
# PORTFLOOD = "21;tcp;10;60,53;tcp;10;60,80;tcp;10;60,443;tcp;10;60"
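To show what the PORTFLOOD syntax above expresses, here is an added example (not csf's own code) that parses the commented-out PORTFLOOD value from this page into per-port limits and replays constructed connection attempts through them. The replay treats every new-connection attempt as counting toward the window, denied or not; that, and the sample IPs, are assumptions, and the actual iptables rules csf installs are described in readme.txt.

```python
"""Parse csf's PORTFLOOD syntax and replay new-connection attempts against it."""
from collections import defaultdict, deque

# The commented-out PORTFLOOD value shown on this page: port;proto;hits;interval
PORTFLOOD_EXAMPLE = "21;tcp;10;60,53;tcp;10;60,80;tcp;10;60,443;tcp;10;60"


def parse_portflood(value):
    """Turn 'port;proto;hits;interval,...' into {(port, proto): (hits, interval)}.

    hits is the number of new connections allowed per source within interval
    seconds; an empty value (the page's default) means no port flood rules.
    """
    rules = {}
    if not value.strip():
        return rules
    for entry in value.split(","):
        fields = entry.strip().split(";")
        if len(fields) != 4:
            raise ValueError(f"PORTFLOOD entry needs 4 fields: {entry!r}")
        port, proto, hits, interval = fields
        if proto not in ("tcp", "udp"):
            raise ValueError(f"PORTFLOOD protocol must be tcp or udp: {entry!r}")
        rules[(int(port), proto)] = (int(hits), int(interval))
    return rules


def replay(rules, attempts):
    """Replay (timestamp, src_ip, port, proto) new-connection attempts.

    Returns the attempts that exceed a rule: a source is denied once it has
    already made `hits` attempts to that port/proto in the last `interval`
    seconds. Assumption: denied attempts still count toward the window.
    """
    denied = []
    recent = defaultdict(deque)  # (src_ip, port, proto) -> timestamps in window
    for ts, src, port, proto in sorted(attempts):
        rule = rules.get((port, proto))
        if rule is None:  # no PORTFLOOD rule for this port: never rate limited
            continue
        hits, interval = rule
        window = recent[(src, port, proto)]
        while window and ts - window[0] >= interval:  # expire old entries
            window.popleft()
        if len(window) >= hits:
            denied.append((ts, src, port, proto))
        window.append(ts)
    return denied


# Constructed sample traffic (documentation IP ranges, not real hosts).
SAMPLE_ATTEMPTS = (
    # 12 connections to port 80 in 22 seconds from one source: the 11th and
    # 12th exceed "10 per 60 seconds"
    [(2 * i, "203.0.113.5", 80, "tcp") for i in range(12)]
    # 10 connections spaced 20 seconds apart: never more than 3 per minute
    + [(20 * i, "198.51.100.9", 80, "tcp") for i in range(10)]
    # port 22 has no PORTFLOOD rule, so any rate is allowed here
    + [(i, "203.0.113.5", 22, "tcp") for i in range(30)]
)

if __name__ == "__main__":
    for hit in replay(parse_portflood(PORTFLOOD_EXAMPLE), SAMPLE_ATTEMPTS):
        print("would be dropped:", hit)
```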


# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"
UDPFLOOD_BURST = "500"

# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"

###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"

# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
LOGFLOOD_ALERT = "0"

###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = "admin@edu.ryukyu"

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = "csf@localhost"

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

# Block Reporting. lfd can run an external script when it performs an IP
# address block following, for example, a login failure. The following setting
# is the full path of the external script, which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
BLOCK_REPORT = ""

# To also run an external script when a temporary block is unblocked. The
# following setting can be the full path of the external script, which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""

# If you want to automatically send reports to the abuse contact where found,
# you can enable the following option
#
# Note: You MUST set X_ARF_FROM to a valid email address for this option to
# work. This is so that the abuse contact can reply to the report
#
# However, you should be aware that without manual checking you could be
# reporting innocent IP addresses, including your own clients, yourself and
# your own servers
#
# Additionally, just because a contact address is found, does not mean that
# there is anyone on the end of it reading, processing or acting on such
# reports and you could conceivably be reported for sending spam
#
# We do not recommend enabling this option. Abuse reports should be checked and
# verified before being forwarded to the abuse contact
X_ARF_ABUSE = "0"

###############################################################################
# SECTION:Temp to Perm/Netblock Settings
###############################################################################
# Temporary to Permanent IP blocking. The following enables this feature to
# permanently block IP addresses that have been temporarily blocked more than
# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
# LF_PERMBLOCK to "1" to enable this feature
#
# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
# (TTL) for blocked IPs, to be effective
#
# Set LF_PERMBLOCK to "0" to disable this feature
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_PERMBLOCK_ALERT = "1"

# Permanently block IPs by network class. The following enables this feature
# to permanently block classes of IP address where individual IP addresses
# within the same class LF_NETBLOCK_CLASS have already been blocked more than
# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
# LF_NETBLOCK to "1" to enable this feature
#
# This can be an effective way of blocking DDOS attacks launched from within
# the same network class
#
# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C"; care and
# consideration is required when blocking network classes A or B
#
# Set LF_NETBLOCK to "0" to disable this feature
LF_NETBLOCK = "0"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
LF_NETBLOCK_ALERT = "1"

# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
# Great care should be taken with IPv6 netblock ranges due to the large number
# of addresses involved
#
# To disable IPv6 netblocks set to ""
LF_NETBLOCK_IPV6 = ""
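To make the two escalation rules above concrete, here is an added example (not lfd's own code) that parses a constructed csf.conf fragment using this page's LF_PERMBLOCK and LF_NETBLOCK keys, checks the LF_PERMBLOCK_INTERVAL sizing rule, and replays a constructed temporary-block history to see which IPs and class C networks would be escalated. It assumes "more than" means strictly greater than, switches LF_NETBLOCK on (the page leaves it at "0"), and does not model LF_NETBLOCK_IPV6.

```python
"""Simulate csf's temp-to-perm and netblock escalation from its config values."""
import ipaddress
import re
from collections import defaultdict

# Constructed csf.conf fragment using this page's keys; LF_NETBLOCK is switched
# on here (the page leaves it at "0") so that both escalations can be shown.
SAMPLE_CONF = '''
LF_PERMBLOCK = "1"
LF_PERMBLOCK_INTERVAL = "86400"
LF_PERMBLOCK_COUNT = "4"
LF_NETBLOCK = "1"
LF_NETBLOCK_INTERVAL = "86400"
LF_NETBLOCK_COUNT = "4"
LF_NETBLOCK_CLASS = "C"
'''

CONF_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')

# Classful network sizes named by LF_NETBLOCK_CLASS
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}


def parse_conf(text):
    """Read KEY = "value" lines; comment and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        match = CONF_LINE.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def permblock_interval_ok(conf, longest_ttl):
    """The page's sizing rule: INTERVAL must be at least COUNT * longest temp TTL."""
    return (int(conf["LF_PERMBLOCK_INTERVAL"])
            >= int(conf["LF_PERMBLOCK_COUNT"]) * longest_ttl)


def escalate(conf, events):
    """events: (timestamp, ip) temporary blocks, in any order.

    Returns (perm_ips, netblocks). An IP is escalated when it has been
    temporarily blocked more than LF_PERMBLOCK_COUNT times in the last
    LF_PERMBLOCK_INTERVAL seconds; a class network when IPs inside it have
    been blocked more than LF_NETBLOCK_COUNT times in LF_NETBLOCK_INTERVAL.
    Assumption: "more than" is strictly greater, judged at each new block.
    """
    perm_on = conf.get("LF_PERMBLOCK") == "1"
    net_on = conf.get("LF_NETBLOCK") == "1"
    perm_interval = int(conf["LF_PERMBLOCK_INTERVAL"])
    perm_count = int(conf["LF_PERMBLOCK_COUNT"])
    net_interval = int(conf["LF_NETBLOCK_INTERVAL"])
    net_count = int(conf["LF_NETBLOCK_COUNT"])
    prefix = CLASS_PREFIX[conf.get("LF_NETBLOCK_CLASS", "C")]

    per_ip, per_net = defaultdict(list), defaultdict(list)
    perm_ips, netblocks = set(), set()
    for ts, ip in sorted(events):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_ip[ip].append(ts)
        per_net[net].append(ts)
        if perm_on and sum(1 for t in per_ip[ip] if ts - t < perm_interval) > perm_count:
            perm_ips.add(ip)
        if net_on and sum(1 for t in per_net[net] if ts - t < net_interval) > net_count:
            netblocks.add(str(net))
    return perm_ips, netblocks


# Constructed temporary-block history (documentation IP ranges, not real hosts)
SAMPLE_EVENTS = (
    [(200 * i, "203.0.113.10") for i in range(5)]           # one IP, 5 blocks in 800 s
    + [(300 * i, f"198.51.100.{i + 1}") for i in range(5)]  # 5 different IPs in one /24
    + [(400 * i, "192.0.2.7") for i in range(4)]            # exactly 4: not "more than"
)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("interval sized for 1h temp blocks:", permblock_interval_ok(conf, 3600))
    print(escalate(conf, SAMPLE_EVENTS))
```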

###############################################################################
# SECTION:Global Lists/DYNDNS/Blocklists
###############################################################################
# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
# chain, then flush and delete the old dynamic chain and rename the new chain.
#
# This prevents a small window of opportunity opening when an update occurs and
# the dynamic chain is flushed for the new rules.
#
# This option should not be enabled on servers with long dynamic chains (e.g.
# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
# Virtuozzo VPS servers with a restricted numiptent value. This is because each
# chain will effectively be duplicated while the update occurs, doubling the
# number of iptables rules
SAFECHAINUPDATE = "0"

# If you wish to allow access from dynamic DNS records (for example if your IP
# address changes whenever you connect to the internet but you have a dedicated
# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
# records in csf.dyndns and then set the following to the number of seconds to
# poll for a change in the IP address. If the IP address has changed iptables
# will be updated.
#
# If the FQDN has multiple A records then all of the IP addresses will be
# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
# also be allowed.
#
# A setting of 600 would check for IP updates every 10 minutes. Set the value
# to 0 to disable the feature
DYNDNS = "0"

# To always ignore DYNDNS IP addresses in lfd blocking, set the following
# option to 1
DYNDNS_IGNORE = "0"

# The following Global options allow you to specify a URL where csf can grab a
# centralised copy of an IP allow or deny block list of your own. You need to
# specify the full URL in the following options, i.e.:
# http://www.somelocation.com/allow.txt
#
# The actual retrieval of these IPs is controlled by lfd, so you need to set
# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
# will perform the retrieval when it runs and then again at the specified
# interval. A sensible interval would probably be every 3600 seconds (1 hour).
# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# You do not have to specify both an allow and a deny file
#
# You can also configure a global ignore file for IPs that lfd should ignore
LF_GLOBAL = "0"

GLOBAL_ALLOW = ""
GLOBAL_DENY = ""
GLOBAL_IGNORE = ""

# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
# this to the URL of the file containing DYNDNS entries
GLOBAL_DYNDNS = ""

# Set the following to the number of seconds to poll for a change in the IP
# address resolved from GLOBAL_DYNDNS
GLOBAL_DYNDNS_INTERVAL = "600"

# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
# option to 1
GLOBAL_DYNDNS_IGNORE = "0"

# Blocklists are controlled by modifying /etc/csf/csf.blocklists
#
# If you don't want BOGON rules applied to specific NICs, then list them in
# a comma separated list (e.g. "eth1,eth2")
LF_BOGON_SKIP = ""

# The following option can be used to select either HTTP::Tiny or
# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
# have to be installed manually, but it can better support https:// URLs,
# which also requires the LWP::Protocol::https perl module
#
# For example:
#
# On rpm based systems:
#
#   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
#
# On APT based systems:
#
#   apt-get install libwww-perl liblwp-protocol-https-perl
#
# Via cpan:
#
#   perl -MCPAN -eshell
#   cpan> install LWP LWP::Protocol::https
#
# We recommend setting this to "2" as upgrades to csf will be performed
# over SSL to https://download.configserver.com and
# https://download2.configserver.com
#
# "1" = HTTP::Tiny
# "2" = LWP::UserAgent
URLGET = "2"

# If you need csf/lfd to use a proxy, then you can set this option to the URL
# of the proxy. The proxy provided will be used for both HTTP and HTTPS
# connections
URLPROXY = ""

###############################################################################
# SECTION:Country Code Lists and Settings
###############################################################################
# Country Code to CIDR allow/deny. In the following two options you can allow
# or deny whole country CIDR ranges. The CIDR blocks are generated from the
# MaxMind GeoLite2 Country database at:
# https://dev.MaxMind.com/geoip/geoip2/geolite2/
# This feature relies entirely on that service being available
#
# Specify the two-letter ISO Country Code(s). The iptables rules are for
# incoming connections only
#
# Additionally, ASN numbers can also be added to the comma separated lists
# below that also list Country Codes. The same WARNINGS for Country Codes apply
# to the use of ASNs. More about Autonomous System Numbers (ASN):
# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
# ASNs must be listed as ASnnnn (where nnnn is the ASN number)
#
# You should consider using LF_IPSET when using any of the following options
#
# WARNING: These lists are never 100% accurate and some ISPs (e.g. AOL) use
# non-geographic IP address designations for their clients
#
# WARNING: Some of the CIDR lists are huge and each one requires a rule within
# the incoming iptables chain. This can result in significant performance
# overheads and could render the server inaccessible in some circumstances. For
# this reason (amongst others) we do not recommend using these options
#
# WARNING: Due to the resource constraints on VPS servers this feature should
# not be used on such systems unless you choose very small CC zones
#
# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
# preferred
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_DENY = ""
CC_ALLOW = ""

# An alternative to CC_ALLOW is to only allow access from the following
# countries but still filter based on the port and packets rules. All other
# connections are dropped
CC_ALLOW_FILTER = ""

# This option allows access from the following countries to specific ports
# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules to still allow blocking of IP addresses
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_ALLOW_PORTS = ""

# All listed ports should be removed from TCP_IN/UDP_IN to block access from
# elsewhere. This option uses the same format as TCP_IN/UDP_IN
#
# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN;
# then only countries listed in CC_ALLOW_PORTS can access FTP
CC_ALLOW_PORTS_TCP = ""
CC_ALLOW_PORTS_UDP = ""

# This option denies access from the following countries to specific ports
# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
#
# Note: The rules for this feature are inserted after the allow and deny
# rules so that individual IP addresses can still be allowed
#
# Each option is a comma separated list of CCs, e.g. "US,GB,DE"
CC_DENY_PORTS = ""

# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
# NOT be removed from TCP_IN/UDP_IN
#
# An example would be to list port 21 here; then countries listed in
# CC_DENY_PORTS cannot access FTP
CC_DENY_PORTS_TCP = ""
CC_DENY_PORTS_UDP = ""

# This Country Code list will prevent lfd from blocking IP address hits for the
# listed CCs
#
# CC_LOOKUPS must be enabled to use this option
CC_IGNORE = ""

# This Country Code list will only allow SMTP AUTH to be advertised to the
# listed countries in EXIM. This is to help limit attempts at distributed
# attacks against SMTP AUTH which are difficult to achieve since port 25 needs
# to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# This option can generate a very large list of IP addresses that could easily
# severely impact SMTP (mail) performance, so care must be taken when
# selecting countries and if performance issues ensue
#
# The option SMTPAUTH_RESTRICT must be enabled to use this option
CC_ALLOW_SMTPAUTH = ""

# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
# help reduce the number of CC entries and may improve iptables throughput.
# Obviously, this will deny/allow fewer IP addresses depending on how small you
# configure the option
#
# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set
# this option to "16". Set to "" to block all CC IP addresses
CC_DROP_CIDR = ""

# Display Country Code and Country for reported IP addresses. This option can
# be configured to use the MaxMind Country Database or the more detailed (and
# much larger and therefore slower) MaxMind City Database. An additional option
# is also available if you cannot use the MaxMind databases
#
# "0" - disable
# "1" - Reports: Country Code and Country
# "2" - Reports: Country Code and Country and Region and City
# "3" - Reports: Country Code and Country and Region and City and ASN
# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
#
  1011. api_paste_code=# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
  1012. api_paste_code=# uses a URL-based lookup from a third-party provider at https://freegeoip.net
  1013. api_paste_code=# and so avoids having to download and process the large databases. Please
  1014. api_paste_code=# visit the https://freegeoip.net and read their limitations and respect that
  1015. api_paste_code=# this option will either cease to function or be removed by us if that site is
  1016. api_paste_code=# abused or overloaded. ONLY use this option if you have difficulties using the
  1017. api_paste_code=# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
  1018. api_paste_code=# CC_* options above, which will continue to use the MaxMind databases
  1019. api_paste_code=#
  1020. api_paste_code=CC_LOOKUPS = "1"
  1021. api_paste_code=
  1022. api_paste_code=# Display Country Code and Country for reported IPv6 addresses using the
  1023. api_paste_code=# MaxMind Country IPv6 Database
  1024. api_paste_code=#
  1025. api_paste_code=# "0" - disable
  1026. api_paste_code=# "1" - enable and report the detail level as specified in CC_LOOKUPS
  1027. api_paste_code=#
  1028. api_paste_code=# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
  1029. api_paste_code=# PORTFLOOD
  1030. api_paste_code=CC6_LOOKUPS = "0"
  1031. api_paste_code=
  1032. api_paste_code=# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
  1033. api_paste_code=# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
  1034. api_paste_code=# days)
  1035. api_paste_code=CC_INTERVAL = "14"
  1036. api_paste_code=
###############################################################################
# SECTION:Login Failure Blocking and Alerts
###############################################################################
# The following[*] triggers are application specific. If you set LF_TRIGGER to
# "0" the value of each trigger is the number of failures against that
# application that will trigger lfd to block the IP address
#
# If you set LF_TRIGGER to a value greater than "0" then the following[*]
# application triggers are simply on or off ("0" or "1") and the value of
# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
# to block the IP address
#
# Setting the application trigger to "0" disables it
LF_TRIGGER = "0"

# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
# "1" and the IP address will be blocked temporarily for that value in seconds.
# For example:
# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
#
# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
# in the same way as above and LF_TRIGGER_PERM serves no function
LF_TRIGGER_PERM = "1"

# To only block access to the failed application instead of a complete block
# for an IP address, you can set the following to "1", but LF_TRIGGER must be
# set to "0" with specific application[*] trigger levels also set appropriately
#
# The ports that are blocked can be configured by changing the PORTS_* options
LF_SELECT = "0"
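
The trigger semantics described above (per-application thresholds when LF_TRIGGER is "0", one cumulative threshold when it is greater than "0", LF_TRIGGER_PERM versus LF_[application]_PERM, and LF_SELECT narrowing a block to the failed application's ports) as an added Python model. This is illustration written for this page, not lfd's own code: the CONFIG dictionary, the PORTS stand-in for the PORTS_* options and the sample addresses are constructed, and the LF_INTERVAL window set later in this file is applied as a sliding window in seconds.

```python
"""Model of the login-failure trigger logic described in csf.conf.
Added example for this page, not code from csf/lfd. CONFIG and PORTS are
constructed stand-ins for csf.conf values and the PORTS_* options."""
from collections import defaultdict, deque

# Constructed configuration in csf.conf's quoted-string style.
CONFIG = {
    "LF_TRIGGER": "0",        # "0": per-application thresholds apply
    "LF_TRIGGER_PERM": "1",   # only consulted when LF_TRIGGER > 0
    "LF_INTERVAL": "3600",    # window (seconds) in which failures are counted
    "LF_SELECT": "0",         # "1": block only the failed application's ports
    "LF_SSHD": "5", "LF_SSHD_PERM": "1",      # 5 failures -> permanent block
    "LF_FTPD": "10", "LF_FTPD_PERM": "3600",  # 10 failures -> 1 hour block
    "LF_POP3D": "0", "LF_POP3D_PERM": "1",    # "0" disables this trigger
}
# Hypothetical stand-in for the PORTS_* options used by LF_SELECT.
PORTS = {"SSHD": "22", "FTPD": "20,21", "POP3D": "110,995"}


class FailureTracker:
    """Counts failures per source IP inside a sliding LF_INTERVAL window."""

    def __init__(self, config, ports=PORTS):
        self.cfg = config
        self.ports = ports
        self.interval = int(config["LF_INTERVAL"])
        self.trigger = int(config["LF_TRIGGER"])
        # LF_SELECT is only honoured when LF_TRIGGER is "0"
        self.select = config.get("LF_SELECT", "0") == "1" and self.trigger == 0
        # ip -> deque of (timestamp, application) still inside the window
        self.failures = defaultdict(deque)

    def _app_threshold(self, app):
        # With LF_TRIGGER > 0 this is simply on ("1") or off ("0")
        return int(self.cfg.get(f"LF_{app}", "0"))

    def _perm(self, app):
        # LF_TRIGGER > 0: LF_TRIGGER_PERM decides; LF_TRIGGER = 0: LF_[app]_PERM
        key = "LF_TRIGGER_PERM" if self.trigger > 0 else f"LF_{app}_PERM"
        return int(self.cfg.get(key, "1"))

    def record(self, ts, app, ip):
        """Register one failure at epoch time ts; return a block decision or None."""
        if self._app_threshold(app) == 0:
            return None                      # application trigger disabled
        window = self.failures[ip]
        window.append((ts, app))
        while window and ts - window[0][0] > self.interval:
            window.popleft()                 # older than LF_INTERVAL: forgotten
        if self.trigger > 0:
            # cumulative across every enabled application
            reached = len(window) >= self.trigger
        else:
            reached = sum(1 for _, a in window if a == app) >= self._app_threshold(app)
        if not reached:
            return None
        perm = self._perm(app)
        window.clear()                       # counting restarts after a block
        return {
            "ip": ip,
            "app": app,
            "permanent": perm == 1,
            "ttl": None if perm == 1 else perm,   # seconds for temporary blocks
            "ports": self.ports.get(app, "all") if self.select else "all",
        }
```

Feeding the tracker five sshd failures from one address inside an hour yields a permanent, all-ports block under CONFIG; ten ftp failures yield a 3600-second block; failures that have aged out of the window are not counted, which is the behaviour LF_INTERVAL is meant to give.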

# Send an email alert if an IP address is blocked by one of the [*] triggers
LF_EMAIL_ALERT = "1"

# [*]Enable login failure detection of sshd connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSHD = "5"
LF_SSHD_PERM = "1"

# [*]Enable login failure detection of ftp connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_FTPD = "10"
LF_FTPD_PERM = "1"

# [*]Enable login failure detection of SMTP AUTH connections
LF_SMTPAUTH = "5"
LF_SMTPAUTH_PERM = "1"

# [*]Enable syntax failure detection of Exim connections
LF_EXIMSYNTAX = "10"
LF_EXIMSYNTAX_PERM = "1"

# [*]Enable login failure detection of pop3 connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_POP3D = "0"
LF_POP3D_PERM = "1"

# [*]Enable login failure detection of imap connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_IMAPD = "0"
LF_IMAPD_PERM = "1"

# [*]Enable login failure detection of Apache .htpasswd connections
# Due to the often high logging rate in the Apache error log, you might want to
# enable this option only if you know you are suffering from attacks against
# password protected directories
LF_HTACCESS = "5"
LF_HTACCESS_PERM = "1"

# [*]Enable failure detection of repeated Apache mod_security rule triggers
LF_MODSEC = "5"
LF_MODSEC_PERM = "1"

# [*]Enable login failure detection of VestaCP connections
LF_VESTA = "5"
LF_VESTA_PERM = "1"

# [*]Enable detection of repeated BIND denied requests
# This option should be enabled with care as it will prevent blocked IPs from
# resolving any domains on the server. You might want to set the trigger value
# reasonably high to avoid this
# Example: LF_BIND = "100"
LF_BIND = "0"
LF_BIND_PERM = "1"

# [*]Enable detection of repeated suhosin ALERTs
# Example: LF_SUHOSIN = "5"
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SUHOSIN = "0"
LF_SUHOSIN_PERM = "1"

# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
# This option will block IP addresses if cxs detects a hit from the
# ModSecurity rule associated with it
#
# Note: This option takes precedence over LF_MODSEC and removes any hits
# counted towards LF_MODSEC for the cxs rule
#
# This setting should probably be set very low, perhaps to 1, if you want to
# effectively block IP addresses for this trigger option
LF_CXS = "0"
LF_CXS_PERM = "1"

# [*]Enable detection of repeated Apache mod_qos rule triggers
LF_QOS = "0"
LF_QOS_PERM = "1"

# [*]Enable detection of repeated Apache symlink race condition triggers from
# the Apache patch provided by:
# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
# This patch has also been included by cPanel via the easyapache option:
# "Symlink Race Condition Protection"
LF_SYMLINK = "0"
LF_SYMLINK_PERM = "1"

# [*]Enable login failure detection of webmin connections
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN = "0"
LF_WEBMIN_PERM = "1"

# Send an email alert if anyone logs in successfully using SSH
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SSH_EMAIL_ALERT = "1"

# Send an email alert if anyone uses su to access another account. This will
# send an email alert whether the attempt to use su was successful or not
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_SU_EMAIL_ALERT = "1"

# Send an email alert if anyone accesses webmin
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_WEBMIN_EMAIL_ALERT = "1"

# Send an email alert if anyone logs in successfully to root on the console
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# this file about RESTRICT_SYSLOG before enabling this option:
LF_CONSOLE_EMAIL_ALERT = "1"
# This option will keep track of the number of "File does not exist" errors in
# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
# seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_404 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_404_PERM = "3600"

# This option will keep track of the number of "client denied by server
# configuration" errors in HTACCESS_LOG. If the number of hits is more than
# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
#
# Care should be used with this option as it could generate many
# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
# so only use this option if you know you are under this type of attack
#
# A sensible setting for this would be quite high, perhaps 200
#
# To disable set to "0"
LF_APACHE_403 = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_403_PERM = "3600"

# This option will keep track of the number of 401 failures in HTACCESS_LOG.
# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
# the IP address will be blocked
#
# To disable set to "0"
LF_APACHE_401 = "0"

# This option is used to determine if the Apache error_log format contains the
# client port after the client IP. In Apache prior to v2.4, this was not the
# case. In Apache v2.4 the error_log format can be configured using
# ErrorLogFormat, making the port directive optional
#
# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
# to the client IP by default. This makes determining client IPv6 addresses
# difficult unless we know whether the port is being appended or not
#
# lfd will attempt to autodetect the correct value if this option is set to "0"
# from the httpd binary found in common locations. If it fails to find a binary
# it will be set to "2", unless specified here
#
# The value can be set here explicitly if the autodetection does not work:
# 0 - autodetect
# 1 - no port directive after client IP
# 2 - port directive after client IP
LF_APACHE_ERRPORT = "0"

# If this option is set to 1 the blocks will be permanent
# If this option is > 1, the blocks will be temporary for the specified number
# of seconds
LF_APACHE_401_PERM = "3600"
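
The two mechanisms described above, counting "File does not exist" hits per client within LF_INTERVAL (LF_APACHE_404) and recovering the client address from an error_log line whose format may or may not append ":port" (LF_APACHE_ERRPORT), as an added Python example. It is written for this page and is not lfd's code; the SAMPLE_LOG lines are constructed in Apache 2.4 default format, autodetection ("0") is not modelled, and the `needle` parameter generalises the same counter to the "client denied by server configuration" check of LF_APACHE_403.

```python
"""Apache error_log parsing for the LF_APACHE_404 style checks, with the
client address extracted according to LF_APACHE_ERRPORT. Added example for
this page, not lfd's code. SAMPLE_LOG is constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

CLIENT_RE = re.compile(r"\[client ([^\]]+)\]")
STAMP_RE = re.compile(r"^\[([^\]]+)\]")


def extract_client_ip(line, errport):
    """Return the client IP from an Apache error_log line, or None.

    errport mirrors LF_APACHE_ERRPORT: 1 = nothing after the IP (Apache < 2.4),
    2 = ":port" appended (Apache 2.4 default ErrorLogFormat). Autodetection
    ("0") is out of scope here; lfd derives it from the httpd binary."""
    if errport not in (1, 2):
        raise ValueError("errport must be 1 or 2 in this example")
    m = CLIENT_RE.search(line)
    if not m:
        return None
    field = m.group(1)
    if errport == 2:
        # Drop the port after the last colon. For IPv6 this is the only safe
        # split, and it is why the setting matters: "2001:db8::1:5123" is a
        # valid IPv6 address on its own, so a wrong mode can silently yield a
        # wrong address rather than an error.
        field = field.rsplit(":", 1)[0]
    try:
        return str(ipaddress.ip_address(field))
    except ValueError:
        return None


def parse_timestamp(line):
    """Epoch seconds from the leading [Thu Dec 12 10:00:01.000000 2019] stamp."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    for fmt in ("%a %b %d %H:%M:%S.%f %Y", "%a %b %d %H:%M:%S %Y"):
        try:
            return datetime.strptime(m.group(1), fmt).timestamp()
        except ValueError:
            continue
    return None


def apache_404_offenders(lines, threshold, interval, errport=2,
                         needle="File does not exist"):
    """IPs with more than `threshold` matching hits within `interval` seconds."""
    hits = defaultdict(deque)
    offenders = set()
    for line in lines:
        if needle not in line:
            continue                      # e.g. 403 "client denied" lines
        ts = parse_timestamp(line)
        ip = extract_client_ip(line, errport)
        if ts is None or ip is None:
            continue
        window = hits[ip]
        window.append(ts)
        while window and ts - window[0] > interval:
            window.popleft()              # outside LF_INTERVAL: not counted
        if len(window) > threshold:       # "more than LF_APACHE_404"
            offenders.add(ip)
    return offenders


# Constructed sample lines in Apache 2.4 format (client port appended).
_PFX = "[core:info] [pid 2101:tid 140] "
SAMPLE_LOG = [
    "[Thu Dec 12 08:00:00.000000 2019] " + _PFX + "[client 198.51.100.9:40000] AH00128: File does not exist: /var/www/html/old",
    "[Thu Dec 12 10:00:01.000000 2019] " + _PFX + "[client 203.0.113.5:51234] AH00128: File does not exist: /var/www/html/wp-login.php",
    "[Thu Dec 12 10:00:02.000000 2019] " + _PFX + "[client 203.0.113.5:51235] AH00128: File does not exist: /var/www/html/xmlrpc.php",
    "[Thu Dec 12 10:00:03.000000 2019] " + _PFX + "[client 203.0.113.5:51236] AH00128: File does not exist: /var/www/html/admin",
    "[Thu Dec 12 10:00:04.000000 2019] " + _PFX + "[client 203.0.113.5:51237] AH00128: File does not exist: /var/www/html/.env",
    "[Thu Dec 12 10:00:05.000000 2019] " + _PFX + "[client 2001:db8::1:51238] AH00128: File does not exist: /var/www/html/robots.txt",
    "[Thu Dec 12 10:00:06.000000 2019] " + _PFX + "[client 198.51.100.9:40001] AH01630: client denied by server configuration: /var/www/html/private",
    "[Thu Dec 12 12:30:00.000000 2019] " + _PFX + "[client 198.51.100.9:40002] AH00128: File does not exist: /var/www/html/a",
    "[Thu Dec 12 12:30:01.000000 2019] " + _PFX + "[client 198.51.100.9:40003] AH00128: File does not exist: /var/www/html/b",
    "[Thu Dec 12 12:30:02.000000 2019] " + _PFX + "[client 198.51.100.9:40004] AH00128: File does not exist: /var/www/html/c",
]
```

With a threshold of 3 and a one-hour window only 203.0.113.5 is reported: 198.51.100.9 also has four misses in total, but its first one lies outside the window, and its 403 line is not a "File does not exist" hit at all. Widening the window to six hours brings 198.51.100.9 in as well, which is the trade-off the comments on LF_INTERVAL and the "perhaps 200" advice are about.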

# This option will send an alert if the ModSecurity IP persistent storage grows
# excessively large: https://goo.gl/rGh5sF
#
# More information on cPanel servers here: https://goo.gl/vo6xTE
#
# LF_MODSECIPDB_FILE must be set to the correct location of the database file
#
# The check is performed at lfd startup and then once per hour; the template
# used is modsecipdbalert.txt
#
# Set to "0" to disable this option, otherwise it is the threshold size of the
# file to report in gigabytes, e.g. set to 5 for 5GB
LF_MODSECIPDB_ALERT = "0"

# This is the location of the persistent IP storage file on the server, e.g.:
# /var/run/modsecurity/data/ip.pag
# /var/cpanel/secdatadir/ip.pag
# /var/cache/modsecurity/ip.pag
# /usr/local/apache/conf/modsec/data/msa/ip.pag
# /var/tmp/ip.pag
# /tmp/ip.pag
LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"

# System Exploit Checking. This option is designed to perform a series of tests
# to send an alert in case a possible server compromise is detected
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 300 would seem sensible).
#
# To disable set to "0"
LF_EXPLOIT = "300"

# This comma separated list allows you to ignore tests LF_EXPLOIT performs
#
# For the SUPERUSER check, you can list usernames in csf.suignore to have them
# ignored for that test
#
# Valid tests are:
# SUPERUSER
#
# If you want to ignore a test add it to this as a comma separated list, e.g.
# "SUPERUSER"
LF_EXPLOIT_IGNORE = ""

# Set the time interval to track login and other LF_ failures within (seconds),
# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
LF_INTERVAL = "3600"

# This is how long the lfd process sleeps (in seconds) before processing the
# log file entries and checking whether other events need to be triggered
LF_PARSE = "5"

# This is the interval that is used to flush reports of usernames, files and
# pids so that persistent problems continue to be reported, in seconds.
# A value of 3600 seems sensible
LF_FLUSH = "3600"

# Under some circumstances iptables can fail to include a rule instruction,
# especially if more than one request is made concurrently. In this event, a
# permanent block entry may exist in csf.deny, but not in iptables.
#
# This option instructs csf to deny an already blocked IP address the number
# of times set. The downside is that there will be multiple entries for an IP
# address in csf.deny and possibly multiple rules for the same IP address in
# iptables. This needs to be taken into consideration when unblocking such IP
# addresses.
#
# Set to "0" to disable this feature. Do not set this too high for the reasons
# detailed above (e.g. "5" should be more than enough)
LF_REPEATBLOCK = "0"

# By default csf will create both inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IPs and so reduces the number of iptables rules,
# but at the expense of less effectiveness. For this reason we recommend
# leaving this option disabled
#
# Set to "0" to disable this feature - the default
LF_BLOCKINONLY = "0"

###############################################################################
# SECTION:CloudFlare
###############################################################################
# This feature provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IPs. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attacker's
# IP from a custom HTTP header record (similar functionality is available
# for other HTTP daemons)
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
#
# CloudFlare have provided a Firewall feature within the user account where
# rules can be added to block, challenge or whitelist IP addresses
#
# Using the CloudFlare API, this feature adds and removes attacking IPs from
# that firewall and provides additional commands via the CLI (and via the UI)
#
# See /etc/csf/readme.txt for more information about this feature and the
# restrictions for its use BEFORE enabling this feature
CF_ENABLE = "0"

# This can be set to either "block" or "challenge" (see CloudFlare docs)
CF_BLOCK = "block"

# This setting determines how long the temporary block will apply within csf
# and CloudFlare, keeping them in sync
#
# Block duration in seconds - overrides perm block or time of individual blocks
# in lfd for block triggers
CF_TEMP = "3600"

###############################################################################
# SECTION:Directory Watching