SHARE
TWEET

Untitled

a guest Jan 28th, 2016 86 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ###############################################################################
  2. # SECTION:Initial Settings
  3. ###############################################################################
  4. # Testing flag - enables a CRON job that clears iptables incase of
  5. # configuration problems when you start csf. This should be enabled until you
  6. # are sure that the firewall works - i.e. incase you get locked out of your
  7. # server! Then do remember to set it to 0 and restart csf when you're sure
  8. # everything is OK. Stopping csf will remove the line from /etc/crontab
  9. #
  10. # lfd will not start while this is enabled
  11. TESTING = "0"
  12.  
  13. # The interval for the crontab in minutes. Since this uses the system clock the
  14. # CRON job will run at the interval past the hour and not from when you issue
  15. # the start command. Therefore an interval of 5 minutes means the firewall
  16. # will be cleared in 0-5 minutes from the firewall start
  17. TESTING_INTERVAL = "5"
  18.  
  19. # SECURITY WARNING
  20. # ================
  21. #
  22. # Unfortunately, syslog and rsyslog allow end-users to log messages to some
  23. # system logs via the same unix socket that other local services use. This
  24. # means that any log line shown in these system logs that syslog or rsyslog
  25. # maintain can be spoofed (they are exactly the same as real log lines).
  26. #
  27. # Since some of the features of lfd rely on such log lines, spoofed messages
  28. # can cause false-positive matches which can lead to confusion at best, or
  29. # blocking of any innocent IP address or making the server inaccessible at
  30. # worst.
  31. #
  32. # Any option that relies on the log entries in the files listed in
  33. # /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
  34. # vulnerable to exploitation by end-users and scripts run by end-users.
  35. #
  36. # NOTE: Not all log files are affected as they may not use syslog/rsyslog
  37. #
  38. # The option RESTRICT_SYSLOG disables all these features that rely on affected
  39. # logs. These options are:
  40. # LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
  41. # LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
  42. # LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
  43. # PORTKNOCKING_ALERT
  44. #
  45. # This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
  46. # ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
  47. #
  48. # The following options are still enabled by default on new installations so
  49. # that, on balance, csf/lfd still provides expected levels of security:
  50. # LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
  51. #
  52. # If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
  53. # above, it should be done with the knowledge that any of the those options
  54. # that are enabled could be triggered by spoofed log lines and lead to the
  55. # server being inaccessible in the worst case. If you do not want to take that
  56. # risk you should set RESTRICT_SYSLOG to "1" and those features will not work
  57. # but you will not be protected from the exploits that they normally help block
  58. #
  59. # The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
  60. # the syslog/rsyslog unix socket.
  61. #
  62. # For further advice on how to help mitigate these issues, see
  63. # /etc/csf/readme.txt
  64. #
  65. # 0 = Allow those options listed above to be used and configured
  66. # 1 = Disable all the options listed above and prevent them from being used
  67. # 2 = Disable only alerts about this feature and do nothing else
  68. # 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
  69. RESTRICT_SYSLOG = "0"
  70.  
  71. # The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
  72. # write access to the syslog/rsyslog unix socket(s). The group must not already
  73. # exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
  74. # to a unique name for the server
  75. #
  76. # You can add users to this group by changing /etc/csf/csf.syslogusers and then
  77. # restarting lfd afterwards. This will create the system group and add the
  78. # users from csf.syslogusers if they exist to that group and will change the
  79. # permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
  80. # monitored and the permissions re-applied should syslog/rsyslog be restarted
  81. #
  82. # Using this option will prevent some legitimate logging, e.g. end-user cron
  83. # job logs
  84. #
  85. # If you want to revert RESTRICT_SYSLOG to another option and disable this
  86. # feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
  87. # syslog/rsyslog and the unix sockets will be reset
  88. RESTRICT_SYSLOG_GROUP = "mysyslog"
  89.  
  90. # This options restricts the ability to modify settings within this file from
  91. # the csf UI. Should the parent control panel be compromised, these restricted
  92. # options could be used to further compromise the server. For this reason we
  93. # recommend leaving this option set to at least "1" and if any of the
  94. # restricted items need to be changed, they are done so from the root shell
  95. #
  96. # 0 = Unrestricted UI
  97. # 1 = Restricted UI
  98. # 2 = Disabled UI
  99. RESTRICT_UI = "1"
  100.  
  101. # Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
  102. # runs once per day to see if there is an update to csf+lfd and upgrades if
  103. # available and restarts csf and lfd
  104. #
  105. # You should check for new version announcements at http://blog.configserver.com
  106. AUTO_UPDATES = "1"
  107.  
  108. ###############################################################################
  109. # SECTION:IPv4 Port Settings
  110. ###############################################################################
  111. # Lists of ports in the following comma separated lists can be added using a
  112. # colon (e.g. 30000:35000).
  113.  
  114. # Some kernel/iptables setups do not perform stateful connection tracking
  115. # correctly (typically some virtual servers or custom compiled kernels), so a
  116. # SPI firewall will not function correctly. If this happens, LF_SPI can be set
  117. # to 0 to reconfigure csf as a static firewall.
  118. #
  119. # As connection tracking will not be configured, applications that rely on it
  120. # will not function unless all outgoing ports are opened. Therefore, all
  121. # outgoing connections will be allowed once all other tests have completed. So
  122. # TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
  123. #
  124. # If you allow incoming DNS lookups you may need to use the following
  125. # directive in the options{} section of your named.conf:
  126. #
  127. #        query-source port 53;
  128. #
  129. # This will force incoming DNS traffic only through port 53
  130. #
  131. # Disabling this option will break firewall functionality that relies on
  132. # stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
  133. # less secure
  134. #
  135. # This option should be set to "1" in all other circumstances
  136. LF_SPI = "1"
  137.  
  138. # Allow incoming TCP ports
  139. TCP_IN = "20,3306"
  140.  
  141. # Allow outgoing TCP ports
  142. TCP_OUT = "22,3306"
  143.  
  144. # Allow incoming UDP ports
  145. UDP_IN = "7777"
  146.  
  147. # Allow outgoing UDP ports
  148. # To allow outgoing traceroute add 33434:33523 to this list
  149. UDP_OUT = "7777"
  150.  
  151. # Allow incoming PING
  152. ICMP_IN = "0"
  153.  
  154. # Set the per IP address incoming ICMP packet rate
  155. # To disable rate limiting set to "0"
  156. ICMP_IN_RATE = "1/s"
  157.  
  158. # Allow outgoing PING
  159. ICMP_OUT = "1"
  160.  
  161. # Set the per IP address outgoing ICMP packet rate (hits per second allowed),
  162. # e.g. "1/s"
  163. # To disable rate limiting set to "0"
  164. ICMP_OUT_RATE = "0"
  165.  
  166. ###############################################################################
  167. # SECTION:IPv6 Port Settings
  168. ###############################################################################
  169. # IPv6: (Requires ip6tables)
  170. #
  171. # Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
  172. # firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
  173. #
  174. # Supported:
  175. # Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
  176. # PACKET_FILTER, WATCH_MODE, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*,
  177. # CC6_LOOKUPS, SYNFLOOD, LF_NETBLOCK
  178. #
  179. # Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
  180. # CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
  181. # CC_ALLOW_SMTPAUTH
  182. #
  183. # Supported if ip6tables >= 1.4.3:
  184. # PORTFLOOD, CONNLIMIT
  185. #
  186. # Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
  187. # installed:
  188. # MESSENGER
  189. #
  190. # Not supported:
  191. # ICMP_IN, ICMP_OUT
  192. #
  193. IPV6 = "1"
  194.  
  195. # IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
  196. # traffic in the INPUT and OUTPUT chains. However, this could increase the risk
  197. # of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
  198. # connection types
  199. IPV6_ICMP_STRICT = "0"
  200.  
  201. # Pre v2.6.20 kernel must set this option to "0" as no working state module is
  202. # present, so a static firewall is configured as a fallback
  203. #
  204. # A workaround has been added for CentOS/RedHat v5 and custom kernels that do
  205. # not support IPv6 connection tracking by opening ephemeral port range
  206. # 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
  207. # same workaround implemented by RedHat in the sample default IPv6 rules
  208. #
  209. # As connection tracking will not be configured, applications that rely on it
  210. # will not function unless all outgoing ports are opened. Therefore, all
  211. # outgoing connections will be allowed once all other tests have completed. So
  212. # TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
  213. #
  214. # If you allow incoming ipv6 DNS lookups you may need to use the following
  215. # directive in the options{} section of your named.conf:
  216. #
  217. #        query-source-v6 port 53;
  218. #
  219. # This will force ipv6 incoming DNS traffic only through port 53
  220. #
  221. # These changes are not necessary if the SPI firewall is used
  222. IPV6_SPI = "1"
  223.  
  224. # Allow incoming IPv6 TCP ports
  225. TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
  226.  
  227. # Allow outgoing TCP ports
  228. TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
  229.  
  230. # Allow incoming UDP ports
  231. UDP6_IN = "20,21,53"
  232.  
  233. # Allow outgoing UDP ports
  234. # To allow outgoing traceroute add 33434:33523 to this list
  235. UDP6_OUT = "20,21,53,113,123"
  236.  
  237. ###############################################################################
  238. # SECTION:General Settings
  239. ###############################################################################
  240. # By default, csf will auto-configure iptables to filter all traffic except on
  241. # the loopback device. If you only want iptables rules applied to a specific
  242. # NIC, then list it here (e.g. eth1, or eth+)
  243. ETH_DEVICE = ""
  244.  
  245. # By adding a device to this option, ip6tables can be configured only on the
  246. # specified device. Otherwise, ETH_DEVICE and then the default setting will be
  247. # used
  248. ETH6_DEVICE = ""
  249.  
  250. # If you don't want iptables rules applied to specific NICs, then list them in
  251. # a comma separated list (e.g "eth1,eth2")
  252. ETH_DEVICE_SKIP = ""
  253.  
  254. # To switch from the deprecated iptables "state" module to the "conntrack"
  255. # module, change this to 1
  256. USE_CONNTRACK = "0"
  257.  
  258. # Check whether syslog is running. Many of the lfd checks require syslog to be
  259. # running correctly. This test will send a coded message to syslog every
  260. # SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
  261. # message. If it fails to do so within SYSLOG_CHECK seconds an alert using
  262. # syslogalert.txt is sent
  263. #
  264. # A value of betwen 300 and 3600 seconds is suggested. Set to 0 to disable
  265. SYSLOG_CHECK = "0"
  266.  
  267. # Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
  268. # listed in csf.allow in addition to csf.ignore (the default). This option
  269. # should be used with caution as it would mean that IP's allowed through the
  270. # firewall from infected PC's could launch attacks on the server that lfd
  271. # would ignore
  272. IGNORE_ALLOW = "0"
  273.  
  274. # Enable the following option if you want to apply strict iptables rules to DNS
  275. # traffic (i.e. relying on iptables connection tracking). Enabling this option
  276. # could cause DNS resolution issues both to and from the server but could help
  277. # prevent abuse of the local DNS server
  278. DNS_STRICT = "0"
  279.  
  280. # Enable the following option if you want to apply strict iptables rules to DNS
  281. # traffic between the server and the nameservers listed in /etc/resolv.conf
  282. # Enabling this option could cause DNS resolution issues both to and from the
  283. # server but could help prevent abuse of the local DNS server
  284. DNS_STRICT_NS = "0"
  285.  
  286. # Limit the number of IP's kept in the /etc/csf/csf.deny file
  287. #
  288. # Care should be taken when increasing this value on servers with low memory
  289. # resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
  290. # thousands) can sometimes cause network slowdown
  291. #
  292. # The value set here is the maximum number of IPs/CIDRs allowed
  293. # if the limit is reached, the entries will be rotated so that the oldest
  294. # entries (i.e. the ones at the top) will be removed and the latest is added.
  295. # The limit is only checked when using csf -d (which is what lfd also uses)
  296. # Set to 0 to disable limiting
  297. #
  298. # For implementations wishing to set this value significantly higher, we
  299. # recommend using the IPSET option
  300. DENY_IP_LIMIT = "200"
  301.  
  302. # Limit the number of IP's kept in the temprary IP ban list. If the limit is
  303. # reached the oldest IP's in the ban list will be removed and allowed
  304. # regardless of the amount of time remaining for the block
  305. # Set to 0 to disable limiting
  306. DENY_TEMP_IP_LIMIT = "100"
  307.  
  308. # Enable login failure detection daemon (lfd). If set to 0 none of the
  309. # following settings will have any effect as the daemon won't start.
  310. LF_DAEMON = "1"
  311.  
  312. # Check whether csf appears to have been stopped and restart if necessary,
  313. # unless TESTING is enabled above. The check is done every 300 seconds
  314. LF_CSF = "1"
  315.  
  316. # This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
  317. # IP6TABLES_RESTORE in two ways:
  318. #
  319. # 1. On a clean server reboot the entire csf iptables configuration is saved
  320. #    and then restored where possible to provide a near instant firewall
  321. #    startup[*]
  322. #
  323. # 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
  324. #    BOGON, TOR are loaded using this method in a fraction of the time than if
  325. #    this setting is disabled
  326. #
  327. # [*]Not supported on all OS platforms
  328. #
  329. # Set to "0" to disable this functionality
  330. FASTSTART = "1"
  331.  
  332. # This option allows you to use ipset v6+ for the following csf options:
  333. # CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
  334. # GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
  335. #
  336. # ipset will only be used with the above options when listing IPs and CIDRs.
  337. # Advanced Allow Filters and temporary blocks use traditional iptables
  338. #
  339. # Using ipset moves the onus of ip matching against large lists away from
  340. # iptables rules and to a purpose built and optimised database matching
  341. # utility. It also simplifies the switching in of updated lists
  342. #
  343. # To use this option you must have a fully functioning installation of ipset
  344. # installed either via rpm or source from http://ipset.netfilter.org/
  345. #
  346. # Note: Using ipset has many advantages, some disadvantages are that you will
  347. # no longer see packet and byte counts against IPs and it makes identifying
  348. # blocked/allowed IPs that little bit harder
  349. #
  350. # Note: If you mainly use IP address only entries in csf.deny, you can increase
  351. # the value of DENY_IP_LIMIT significantly if you wish
  352. #
  353. # Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
  354. # containers even if it has been installed
  355. #
  356. # If you find any problems, please post on forums.configserver.com with full
  357. # details of the issue
  358. LF_IPSET = "0"
  359.  
  360. # The following sets the hashsize for ipset sets, which must be a power of 2.
  361. #
  362. # Note: Increasing this value will consume more memory for all sets
  363. # Default: "1024"
  364. LF_IPSET_HASHSIZE = "1024"
  365.  
  366. # The following sets the maxelem for ipset sets.
  367. #
  368. # Note: Increasing this value will consume more memory for all sets
  369. # Default: "65536"
  370. LF_IPSET_MAXELEM = "65536"
  371.  
  372. # If you enable this option then whenever a CLI request to restart csf is used
  373. # lfd will restart csf instead within LF_PARSE seconds
  374. #
  375. # This feature can be helpful for restarting configurations that cannot use
  376. # FASTSTART
  377. LFDSTART = "0"
  378.  
  379. # Enable verbose output of iptables commands
  380. VERBOSE = "1"
  381.  
  382. # Drop out of order packets and packets in an INVALID state in iptables
  383. # connection tracking
  384. PACKET_FILTER = "1"
  385.  
  386. # Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
  387. LF_LOOKUPS = "1"
  388.  
  389. ###############################################################################
  390. # SECTION:SMTP Settings
  391. ###############################################################################
  392. # Block outgoing SMTP except for root, exim and mailman (forces scripts/users
  393. # to use the exim/sendmail binary instead of sockets access). This replaces the
  394. # protection as WHM > Tweak Settings > SMTP Tweaks
  395. #
  396. # This option uses the iptables ipt_owner/xt_owner module and must be loaded
  397. # for it to work. It may not be available on some VPS platforms
  398. #
  399. # Note: Run /etc/csf/csftest.pl to check whether this option will function on
  400. # this server
  401. SMTP_BLOCK = "0"
  402.  
  403. # If SMTP_BLOCK is enabled but you want to allow local connections to port 25
  404. # on the server (e.g. for webmail or web scripts) then enable this option to
  405. # allow outgoing SMTP connections to the loopback device
  406. SMTP_ALLOWLOCAL = "1"
  407.  
  408. # This is a comma separated list of the ports to block. You should list all
  409. # ports that exim is configured to listen on
  410. SMTP_PORTS = "25,465,587"
  411.  
  412. # Always allow the following comma separated users and groups to bypass
  413. # SMTP_BLOCK
  414. #
  415. # Note: root (UID:0) is always allowed
  416. SMTP_ALLOWUSER = ""
  417. SMTP_ALLOWGROUP = "mail,mailman"
  418.  
  419. # This option will only allow SMTP AUTH to be advertised to the IP addresses
  420. # listed in /etc/csf/csf.smtpauth on EXIM mail servers
  421. #
  422. # The additional option CC_ALLOW_SMTPAUTH can be used with this option to
  423. # additionally restrict access to specific countries
  424. #
  425. # This is to help limit attempts at distributed attacks against SMTP AUTH which
  426. # are difficult to achive since port 25 needs to be open to relay email
  427. #
  428. # The reason why this works is that if EXIM does not advertise SMTP AUTH on a
  429. # connection, then SMTP AUTH will not accept logins, defeating the attacks
  430. # without restricting mail relaying
  431. #
  432. # Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
  433. # that the lookup file in /etc/exim.smtpauth is regenerated from the
  434. # information from /etc/csf/csf.smtpauth plus any countries listed in
  435. # CC_ALLOW_SMTPAUTH
  436. #
  437. # NOTE: To make this option work you MUST make the modifications to exim.conf
  438. # as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
  439. # after enabling the option here, otherwise this option will not work
  440. #
  441. # To enable this option, set to 1 and make the exim configuration changes
  442. # To disable this option, set to 0 and undo the exim configuration changes
  443. SMTPAUTH_RESTRICT = "0"
  444.  
  445. ###############################################################################
  446. # SECTION:Port Flood Settings
  447. ###############################################################################
  448. # Enable SYN Flood Protection. This option configures iptables to offer some
  449. # protection from tcp SYN packet DOS attempts. You should set the RATE so that
  450. # false-positives are kept to a minimum otherwise visitors may see connection
  451. # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
  452. # man page for the correct --limit rate syntax
  453. #
  454. # Note: This option should ONLY be enabled if you know you are under a SYN
  455. # flood attack as it will slow down all new connections from any IP address to
  456. # the server if triggered
  457. SYNFLOOD = "1"
  458. SYNFLOOD_RATE = "30/s"
  459. SYNFLOOD_BURST = "20"
  460.  
  461. # Connection Limit Protection. This option configures iptables to offer more
  462. # protection from DOS attacks against specific ports. It can also be used as a
  463. # way to simply limit resource usage by IP address to specific server services.
  464. # This option limits the number of concurrent new connections per IP address
  465. # that can be made to specific ports
  466. #
  467. # This feature does not work on servers that do not have the iptables module
  468. # xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
  469. # server admins should check with their VPS host provider that the iptables
  470. # module is included
  471. #
  472. # For further information and syntax refer to the Connection Limit Protection
  473. # section of the csf readme.txt
  474. #
  475. # Note: Run /etc/csf/csftest.pl to check whether this option will function on
  476. # this server
  477. CONNLIMIT = "7777;20"
  478.  
  479. # Port Flood Protection. This option configures iptables to offer protection
  480. # from DOS attacks against specific ports. This option limits the number of
  481. # new connections per time interval that can be made to specific ports
  482. #
  483. # This feature does not work on servers that do not have the iptables module
  484. # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
  485. # server admins should check with their VPS host provider that the iptables
  486. # module is included
  487. #
  488. # For further information and syntax refer to the Port Flood Protection
  489. # section of the csf readme.txt
  490. #
  491. # Note: Run /etc/csf/csftest.pl to check whether this option will function on
  492. # this server
  493. PORTFLOOD = "7777;udp;20;250"
  494.  
  495. # Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
  496. # These typically originate from exploit scripts uploaded through vulnerable
  497. # web scripts. Care should be taken on servers that use services that utilise
  498. # high levels of UDP outbound traffic, such as SNMP, so you may need to alter
  499. # the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
  500. #
  501. # We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
  502. UDPFLOOD = "1"
  503. UDPFLOOD_LIMIT = "30/s"
  504. UDPFLOOD_BURST = "20"
  505.  
  506. # This is a list of usernames that should not be rate limited, such as "named"
  507. # to prevent bind traffic from being limited.
  508. #
  509. # Note: root (UID:0) is always allowed
  510. UDPFLOOD_ALLOWUSER = "named"
  511.  
  512. ###############################################################################
  513. # SECTION:Logging Settings
  514. ###############################################################################
  515. # Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
  516. # perl module Sys::Syslog installed to use this feature
  517. SYSLOG = "0"
  518.  
  519. # Drop target for iptables rules. This can be set to either DROP ot REJECT.
  520. # REJECT will send back an error packet, DROP will not respond at all. REJECT
  521. # is more polite, however it does provide extra information to a hacker and
  522. # lets them know that a firewall is blocking their attempts. DROP hangs their
  523. # connection, thereby frustrating attempts to port scan the server.
  524. DROP = "DROP"
  525.  
  526. # Enable logging of dropped connections to blocked ports to syslog, usually
  527. # /var/log/messages. This option needs to be enabled to use Port Scan Tracking
  528. DROP_LOGGING = "1"
  529.  
  530. # Enable logging of dropped incoming connections from blocked IP addresses
  531. #
  532. # This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
  533. DROP_IP_LOGGING = "0"
  534.  
  535. # Enable logging of dropped outgoing connections
  536. #
  537. # Note: Only outgoing SYN packets for TCP connections are logged, other
  538. # protocols log all packets
  539. #
  540. # We recommend that you enable this option
  541. DROP_OUT_LOGGING = "1"
  542.  
  543. # Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
  544. # out (where available) which can help track abuse
  545. DROP_UID_LOGGING = "1"
  546.  
  547. # Only log incoming reserved port dropped connections (0:1023). This can reduce
  548. # the amount of log noise from dropped connections, but will affect options
  549. # such as Port Scan Tracking (PS_INTERVAL)
  550. DROP_ONLYRES = "0"
  551.  
  552. # Commonly blocked ports that you do not want logging as they tend to just fill
  553. # up the log file. These ports are specifically blocked (applied to TCP and UDP
  554. # protocols) for incoming connections
  555. DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
  556.  
  557. # Log packets dropped by the packet filtering option PACKET_FILTER
  558. DROP_PF_LOGGING = "0"
  559.  
  560. # Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
  561. # this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
  562. # addresses breaking the Connection Limit Protection will be blocked
  563. CONNLIMIT_LOGGING = "0"
  564.  
  565. # Enable logging of UDP floods. This should be enabled, especially with User ID
  566. # Tracking enabled
  567. UDPFLOOD_LOGGING = "1"
  568.  
  569. # Send an alert if log file flooding is detected which causes lfd to skip log
  570. # lines to prevent lfd from looping. If this alert is sent you should check the
  571. # reported log file for the reason for the flooding
  572. LOGFLOOD_ALERT = "0"
  573.  
  574. # Configure csf to watch IP addresses (with csf -w [ip]). This option will add
  575. # overhead to packet traversal through iptables and syslog logging, so should
  576. # only be enabled while actively watching IP addresses. See readme.txt for more
  577. # information on the use of this option
  578. WATCH_MODE = "0"
  579.  
  580. ###############################################################################
  581. # SECTION:Reporting Settings
  582. ###############################################################################
  583. # By default, lfd will send alert emails using the relevant alert template to
  584. # the To: address configured within that template. Setting the following
  585. # option will override the configured To: field in all lfd alert emails
  586. #
  587. # Leave this option empty to use the To: field setting in each alert template
  588. LF_ALERT_TO = ""
  589.  
  590. # By default, lfd will send alert emails using the relevant alert template from
  591. # the From: address configured within that template. Setting the following
  592. # option will override the configured From: field in all lfd alert emails
  593. #
  594. # Leave this option empty to use the From: field setting in each alert template
  595. LF_ALERT_FROM = ""
  596.  
  597. # By default, lfd will send all alerts using the SENDMAIL binary. To send using
  598. # SMTP directly, you can set the following to a relaying SMTP server, e.g.
  599. # "127.0.0.1". Leave this setting blank to use SENDMAIL
  600. LF_ALERT_SMTP = ""
  601.  
  602. # Block Reporting. lfd can run an external script when it performs and IP
  603. # address block following for example a login failure. The following setting
  604. # is to the full path of the external script which must be executable. See
  605. # readme.txt for format details
  606. #
  607. # Leave this setting blank to disable
  608. BLOCK_REPORT = ""
  609.  
  610. # To also run an external script when a temporary block is unblocked. The
  611. # following setting can be the full path of the external script which must be
  612. # executable. See readme.txt for format details
  613. #
  614. # Leave this setting blank to disable
  615. UNBLOCK_REPORT = ""
  616.  
  617. # In addition to the standard lfd email alerts, you can additionally enable the
  618. # sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
  619. # block alert messages will be sent. The reports use our schema at:
  620. # https://download.configserver.com/abuse_login-attack_0.2.json
  621. #
  622. # These reports are in a format accepted by many Netblock owners and should
  623. # help them investigate abuse. This option is not designed to automatically
  624. # forward these reports to the Netblock owners and should be checked for
  625. # false-positive blocks before reporting
  626. #
  627. # If available, the report will also include the abuse contact for the IP from
  628. # the Abusix Contact DB: https://abusix.com/contactdb.html
  629. #
  630. # Note: The following block types are not reported through this feature:
  631. # LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
  632. X_ARF = "0"
  633.  
  634. # By default, lfd will send emails from the root forwarder. Setting the
  635. # following option will override this
  636. X_ARF_FROM = ""
  637.  
  638. # By default, lfd will send emails to the root forwarder. Setting the following
  639. # option will override this
  640. X_ARF_TO = ""
  641.  
  642. # If you want to automatically send reports to the abuse contact where found,
  643. # you can enable the following option
  644. #
  645. # Note: You MUST set X_ARF_FROM to a valid email address for this option to
  646. # work. This is so that the abuse contact can reply to the report
  647. #
  648. # However, you should be aware that without manual checking you could be
  649. # reporting innocent IP addresses, including your own clients, yourself and
  650. # your own servers
  651. #
  652. # Additionally, just because a contact address is found, does not mean that
  653. # there is anyone on the end of it reading, processing or acting on such
  654. # reports and you could conceivably reported for sending spam
  655. #
  656. # We do not recommend enabling this option. Abuse reports should be checked and
  657. # verified before being forwarded to the abuse contact
  658. X_ARF_ABUSE = "0"
  659.  
  660. ###############################################################################
  661. # SECTION:Temp to Perm/Netblock Settings
  662. ###############################################################################
  663. # Temporary to Permanent IP blocking. The following enables this feature to
  664. # permanently block IP addresses that have been temporarily blocked more than
  665. # LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
  666. # LF_PERMBLOCK  to "1" to enable this feature
  667. #
  668. # Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
  669. # at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
  670. # (TTL) for blocked IPs, to be effective
  671. #
  672. # Set LF_PERMBLOCK to "0" to disable this feature
  673. LF_PERMBLOCK = "1"
  674. LF_PERMBLOCK_INTERVAL = "86400"
  675. LF_PERMBLOCK_COUNT = "4"
  676. LF_PERMBLOCK_ALERT = "1"
  677.  
  678. # Permanently block IPs by network class. The following enables this feature
  679. # to permanently block classes of IP address where individual IP addresses
  680. # within the same class LF_NETBLOCK_CLASS have already been blocked more than
  681. # LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
  682. # LF_NETBLOCK  to "1" to enable this feature
  683. #
  684. # This can be an affective way of blocking DDOS attacks launched from within
  685. # the same network class
  686. #
  687. # Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
  688. # consideration is required when blocking network classes A or B
  689. #
  690. # Set LF_NETBLOCK to "0" to disable this feature
  691. LF_NETBLOCK = "0"
  692. LF_NETBLOCK_INTERVAL = "86400"
  693. LF_NETBLOCK_COUNT = "4"
  694. LF_NETBLOCK_CLASS = "C"
  695. LF_NETBLOCK_ALERT = "1"
  696.  
  697. # Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
  698. # Great care should be taken with IPV6 netblock ranges due to the large number
  699. # of addresses involved
  700. #
  701. # To disable IPv6 netblocks set to ""
  702. LF_NETBLOCK_IPV6 = ""
  703.  
  704. ###############################################################################
  705. # SECTION:Global Lists/DYNDNS/Blocklists
  706. ###############################################################################
  707. # Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
  708. # SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
  709. # chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
  710. # chain, then flush and delete the old dynamic chain and rename the new chain.
  711. #
  712. # This prevents a small window of opportunity opening when an update occurs and
  713. # the dynamic chain is flushed for the new rules.
  714. #
  715. # This option should not be enabled on servers with long dynamic chains (e.g.
  716. # CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
  717. # Virtuozzo VPS servers with a restricted numiptent value. This is because each
  718. # chain will effectively be duplicated while the update occurs, doubling the
  719. # number of iptables rules
  720. SAFECHAINUPDATE = "0"
  721.  
  722. # If you wish to allow access from dynamic DNS records (for example if your IP
  723. # address changes whenever you connect to the internet but you have a dedicated
  724. # dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
  725. # records in csf.dyndns and then set the following to the number of seconds to
  726. # poll for a change in the IP address. If the IP address has changed iptables
  727. # will be updated.
  728. #
  729. # If the FQDN has multiple A records then all of the IP addresses will be
  730. # processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
  731. # also be allowed.
  732. #
  733. # A setting of 600 would check for IP updates every 10 minutes. Set the value
  734. # to 0 to disable the feature
  735. DYNDNS = "0"
  736.  
  737. # To always ignore DYNDNS IP addresses in lfd blocking, set the following
  738. # option to 1
  739. DYNDNS_IGNORE = "0"
  740.  
  741. # The follow Global options allow you to specify a URL where csf can grab a
  742. # centralised copy of an IP allow or deny block list of your own. You need to
  743. # specify the full URL in the following options, i.e.:
  744. # http://www.somelocation.com/allow.txt
  745. #
  746. # The actual retrieval of these IP's is controlled by lfd, so you need to set
  747. # LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
  748. # will perform the retrieval when it runs and then again at the specified
  749. # interval. A sensible interval would probably be every 3600 seconds (1 hour).
  750. # A minimum value of 300 is enforced for LF_GLOBAL if enabled
  751. #
  752. # You do not have to specify both an allow and a deny file
  753. #
  754. # You can also configure a global ignore file for IP's that lfd should ignore
  755. LF_GLOBAL = "0"
  756.  
  757. GLOBAL_ALLOW = ""
  758. GLOBAL_DENY = ""
  759. GLOBAL_IGNORE = ""
  760.  
  761. # Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
  762. # this to the URL of the file containing DYNDNS entries
  763. GLOBAL_DYNDNS = ""
  764.  
  765. # Set the following to the number of seconds to poll for a change in the IP
  766. # address resoved from GLOBAL_DYNDNS
  767. GLOBAL_DYNDNS_INTERVAL = "600"
  768.  
  769. # To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
  770. # option to 1
  771. GLOBAL_DYNDNS_IGNORE = "0"
  772.  
  773. # Blocklists are controlled by modifying /etc/csf/csf.blocklists
  774. #
  775. # If you don't want BOGON rules applied to specific NICs, then list them in
  776. # a comma separated list (e.g "eth1,eth2")
  777. LF_BOGON_SKIP = ""
  778.  
  779. # The following option can be used to select either HTTP::Tiny or
  780. # LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
  781. # LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
  782. # have to be installed manually, but it can better support https:// URL's
  783. # which also needs the LWP::Protocol::https perl module
  784. #
  785. # For example:
  786. #
  787. # On rpm based systems:
  788. #
  789. #   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
  790. #
  791. # On APT based systems:
  792. #
  793. #   apt-get install libwww-perl liblwp-protocol-https-perl
  794. #
  795. # Via cpan:
  796. #
  797. #   perl -MCPAN -eshell
  798. #   cpan> install LWP LWP::Protocol::https
  799. #
  800. # We recommend setting this set to "2" as upgrades to csf will be performed
  801. # over SSL to https://download.configserver.com
  802. #
  803. # "1" = HTTP::Tiny
  804. # "2" = LWP::UserAgent
  805. URLGET = "2"
  806.  
  807. ###############################################################################
  808. # SECTION:Country Code Lists and Settings
  809. ###############################################################################
  810. # Country Code to CIDR allow/deny. In the following two options you can allow
  811. # or deny whole country CIDR ranges. The CIDR blocks are generated from the
  812. # Maxmind GeoLite Country database http://www.maxmind.com/app/geolitecountry
  813. # and entirely relies on that service being available
  814. #
  815. # Specify the the two-letter ISO Country Code(s). The iptables rules are for
  816. # incoming connections only
  817. #
  818. # Additionally, ASN numbers can also be added to the comma separated lists
  819. # below that also list Country Codes. The same WARNINGS for Country Codes apply
  820. # to the use of ASNs. More about Autonomous System Numbers (ASN):
  821. # http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
  822. #
  823. # You should consider using LF_IPSET when using any of the following options
  824. #
  825. # WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
  826. # non-geographic IP address designations for their clients
  827. #
  828. # WARNING: Some of the CIDR lists are huge and each one requires a rule within
  829. # the incoming iptables chain. This can result in significant performance
  830. # overheads and could render the server inaccessible in some circumstances. For
  831. # this reason (amongst others) we do not recommend using these options
  832. #
  833. # WARNING: Due to the resource constraints on VPS servers this feature should
  834. # not be used on such systems unless you choose very small CC zones
  835. #
  836. # WARNING: CC_ALLOW allows access through all ports in the firewall. For this
  837. # reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
  838. # preferred
  839. #
  840. # Each option is a comma separated list of CC's, e.g. "US,GB,DE"
  841. CC_DENY = ""
  842. CC_ALLOW = ""
  843.  
  844. # An alternative to CC_ALLOW is to only allow access from the following
  845. # countries but still filter based on the port and packets rules. All other
  846. # connections are dropped
  847. CC_ALLOW_FILTER = ""
  848.  
  849. # This option allows access from the following countries to specific ports
  850. # listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
  851. #
  852. # Note: The rules for this feature are inserted after the allow and deny
  853. # rules to still allow blocking of IP addresses
  854. #
  855. # Each option is a comma separated list of CC's, e.g. "US,GB,DE"
  856. CC_ALLOW_PORTS = ""
  857.  
  858. # All listed ports should be removed from TCP_IN/UDP_IN to block access from
  859. # elsewhere. This option uses the same format as TCP_IN/UDP_IN
  860. #
  861. # An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
  862. # then only counties listed in CC_ALLOW_PORTS can access FTP
  863. CC_ALLOW_PORTS_TCP = ""
  864. CC_ALLOW_PORTS_UDP = ""
  865.  
  866. # This option denies access from the following countries to specific ports
  867. # listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
  868. #
  869. # Note: The rules for this feature are inserted after the allow and deny
  870. # rules to still allow allowing of IP addresses
  871. #
  872. # Each option is a comma separated list of CC's, e.g. "US,GB,DE"
  873. CC_DENY_PORTS = ""
  874.  
  875. # This option uses the same format as TCP_IN/UDP_IN. The ports listed should
  876. # NOT be removed from TCP_IN/UDP_IN
  877. #
  878. # An example would be to list port 21 here then counties listed in
  879. # CC_DENY_PORTS cannot access FTP
  880. CC_DENY_PORTS_TCP = ""
  881. CC_DENY_PORTS_UDP = ""
  882.  
  883. # This Country Code list will prevent lfd from blocking IP address hits for the
  884. # listed CC's
  885. #
  886. # CC_LOOKUPS must be enabled to use this option
  887. CC_IGNORE = ""
  888.  
  889. # This Country Code list will only allow SMTP AUTH to be advertised to the
  890. # listed countries in EXIM. This is to help limit attempts at distributed
  891. # attacks against SMTP AUTH which are difficult to achive since port 25 needs
  892. # to be open to relay email
  893. #
  894. # The reason why this works is that if EXIM does not advertise SMTP AUTH on a
  895. # connection, then SMTP AUTH will not accept logins, defeating the attacks
  896. # without restricting mail relaying
  897. #
  898. # This option can generate a very large list of IP addresses that could easily
  899. # severely impact on SMTP (mail) performance, so care must be taken when
  900. # selecting countries and if performance issues ensue
  901. #
  902. # The option SMTPAUTH_RESTRICT must be enabled to use this option
  903. CC_ALLOW_SMTPAUTH = ""
  904.  
  905. # Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
  906. # than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
  907. # help reduce the number of CC entries and may improve iptables throughput.
  908. # Obviously, this will deny/allow fewer IP addresses depending on how small you
  909. # configure the option
  910. #
  911. # For example, to ignore all CIDR (and single IP) entries small than a /16, set
  912. # this option to "16". Set to "" to block all CC IP addresses
  913. CC_DROP_CIDR = ""
  914.  
  915. # Display Country Code and Country for reported IP addresses. This option can
  916. # be configured to use the MaxMind Country Database or the more detailed (and
  917. # much larger and therefore slower) MaxMind City Database
  918. #
  919. # "0" - disable
  920. # "1" - Reports: Country Code and Country
  921. # "2" - Reports: Country Code and Country and Region and City
  922. # "3" - Reports: Country Code and Country and Region and City and ASN
  923. CC_LOOKUPS = "1"
  924.  
  925. # Display Country Code and Country for reported IPv6 addresses using the
  926. # MaxMind Country IPv6 Database
  927. #
  928. # "0" - disable
  929. # "1" - Reports: Country Code and Country
  930. #
  931. # This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
  932. # PORTFLOOD
  933. CC6_LOOKUPS = "0"
  934.  
  935. # This option tells lfd how often to retrieve the Maxmind GeoLite Country
  936. # database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
  937. # days)
  938. CC_INTERVAL = "7"
  939.  
  940. ###############################################################################
  941. # SECTION:Login Failure Blocking and Alerts
  942. ###############################################################################
  943. # The following[*] triggers are application specific. If you set LF_TRIGGER to
  944. # "0" the value of each trigger is the number of failures against that
  945. # application that will trigger lfd to block the IP address
  946. #
  947. # If you set LF_TRIGGER to a value greater than "0" then the following[*]
  948. # application triggers are simply on or off ("0" or "1") and the value of
  949. # LF_TRIGGER is the total cumulative number of failures that will trigger lfd
  950. # to block the IP address
  951. #
  952. # Setting the application trigger to "0" disables it
  953. LF_TRIGGER = "0"
  954.  
  955. # If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
  956. # block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
  957. # "1" and the IP address will be blocked temporarily for that value in seconds.
  958. # For example:
  959. # LF_TRIGGER_PERM = "1" => the IP is blocked permanently
  960. # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
  961. #
  962. # If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
  963. # in the same way as above and LF_TRIGGER_PERM serves no function
  964. LF_TRIGGER_PERM = "1"
  965.  
  966. # To only block access to the failed application instead of a complete block
  967. # for an ip address, you can set the following to "1", but LF_TRIGGER must be
  968. # set to "0" with specific application[*] trigger levels also set appropriately
  969. #
  970. # The ports that are blocked can be configured by changing the PORTS_* options
  971. LF_SELECT = "0"
  972.  
  973. # Send an email alert if an IP address is blocked by one of the [*] triggers
  974. LF_EMAIL_ALERT = "1"
  975.  
  976. # [*]Enable login failure detection of sshd connections
  977. #
  978. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  979. # this file about RESTRICT_SYSLOG before enabling this option:
  980. LF_SSHD = "5"
  981. LF_SSHD_PERM = "1"
  982.  
  983. # [*]Enable login failure detection of ftp connections
  984. #
  985. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  986. # this file about RESTRICT_SYSLOG before enabling this option:
  987. LF_FTPD = "10"
  988. LF_FTPD_PERM = "1"
  989.  
  990. # [*]Enable login failure detection of SMTP AUTH connections
  991. LF_SMTPAUTH = "5"
  992. LF_SMTPAUTH_PERM = "1"
  993.  
  994. # [*]Enable syntax failure detection of Exim connections
  995. LF_EXIMSYNTAX = "10"
  996. LF_EXIMSYNTAX_PERM = "1"
  997.  
  998. # [*]Enable login failure detection of pop3 connections
  999. #
  1000. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1001. # this file about RESTRICT_SYSLOG before enabling this option:
  1002. LF_POP3D = "0"
  1003. LF_POP3D_PERM = "1"
  1004.  
  1005. # [*]Enable login failure detection of imap connections
  1006. #
  1007. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1008. # this file about RESTRICT_SYSLOG before enabling this option:
  1009. LF_IMAPD = "0"
  1010. LF_IMAPD_PERM = "1"
  1011.  
  1012. # [*]Enable login failure detection of Apache .htpasswd connections
  1013. # Due to the often high logging rate in the Apache error log, you might want to
  1014. # enable this option only if you know you are suffering from attacks against
  1015. # password protected directories
  1016. LF_HTACCESS = "5"
  1017. LF_HTACCESS_PERM = "1"
  1018.  
  1019. # [*]Enable failure detection of repeated Apache mod_security rule triggers
  1020. LF_MODSEC = "5"
  1021. LF_MODSEC_PERM = "1"
  1022.  
  1023. # [*]Enable detection of repeated BIND denied requests
  1024. # This option should be enabled with care as it will prevent blocked IPs from
  1025. # resolving any domains on the server. You might want to set the trigger value
  1026. # reasonably high to avoid this
  1027. # Example: LF_BIND = "100"
  1028. LF_BIND = "0"
  1029. LF_BIND_PERM = "1"
  1030.  
  1031. # [*]Enable detection of repeated suhosin ALERTs
  1032. # Example: LF_SUHOSIN = "5"
  1033. #
  1034. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1035. # this file about RESTRICT_SYSLOG before enabling this option:
  1036. LF_SUHOSIN = "0"
  1037. LF_SUHOSIN_PERM = "1"
  1038.  
  1039. # [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
  1040. # This option will block IP addresses if cxs detects a hits from the
  1041. # ModSecurity rule associated with it
  1042. #
  1043. # Note: This option takes precedence over LF_MODSEC and removes any hits
  1044. # counted towards LF_MODSEC for the cxs rule
  1045. #
  1046. # This setting should probably set very low, perhaps to 1, if you want to
  1047. # effectively block IP addresses for this trigger option
  1048. LF_CXS = "0"
  1049. LF_CXS_PERM = "1"
  1050.  
  1051. # [*]Enable detection of repeated Apache mod_qos rule triggers
  1052. LF_QOS = "0"
  1053. LF_QOS_PERM = "1"
  1054.  
  1055. # [*]Enable detection of repeated Apache symlink race condition triggers from
  1056. # the Apache patch provided by:
  1057. # http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
  1058. # This patch has also been included by cPanel via the easyapache option:
  1059. # "Symlink Race Condition Protection"
  1060. LF_SYMLINK = "0"
  1061. LF_SYMLINK_PERM = "1"
  1062.  
  1063. # [*]Enable login failure detection of webmin connections
  1064. #
  1065. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1066. # this file about RESTRICT_SYSLOG before enabling this option:
  1067. LF_WEBMIN = "0"
  1068. LF_WEBMIN_PERM = "1"
  1069.  
  1070. # Send an email alert if anyone logs in successfully using SSH
  1071. #
  1072. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1073. # this file about RESTRICT_SYSLOG before enabling this option:
  1074. LF_SSH_EMAIL_ALERT = "1"
  1075.  
  1076. # Send an email alert if anyone uses su to access another account. This will
  1077. # send an email alert whether the attempt to use su was successful or not
  1078. #
  1079. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1080. # this file about RESTRICT_SYSLOG before enabling this option:
  1081. LF_SU_EMAIL_ALERT = "1"
  1082.  
  1083. # Send an email alert if anyone accesses webmin
  1084. #
  1085. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1086. # this file about RESTRICT_SYSLOG before enabling this option:
  1087. LF_WEBMIN_EMAIL_ALERT = "1"
  1088.  
  1089. # Send an email alert if anyone logs in successfully to root on the console
  1090. #
  1091. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1092. # this file about RESTRICT_SYSLOG before enabling this option:
  1093. LF_CONSOLE_EMAIL_ALERT = "1"
  1094.  
  1095. # This option will keep track of the number of "File does not exist" errors in
  1096. # HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
  1097. # seconds then the IP address will be blocked
  1098. #
  1099. # Care should be used with this option as it could generate many
  1100. # false-positives, especially Search Bots (use csf.rignore to ignore such bots)
  1101. # so only use this option if you know you are under this type of attack
  1102. #
  1103. # A sensible setting for this would be quite high, perhaps 200
  1104. #
  1105. # To disable set to "0"
  1106. LF_APACHE_404 = "0"
  1107.  
  1108. # If this option is set to 1 the blocks will be permanent
  1109. # If this option is > 1, the blocks will be temporary for the specified number
  1110. # of seconds
  1111. LF_APACHE_404_PERM = "3600"
  1112.  
  1113. # This option will keep track of the number of "client denied by server
  1114. # configuration" errors in HTACCESS_LOG. If the number of hits is more than
  1115. # LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
  1116. #
  1117. # Care should be used with this option as it could generate many
  1118. # false-positives, especially Search Bots (use csf.rignore to ignore such bots)
  1119. # so only use this option if you know you are under this type of attack
  1120. #
  1121. # A sensible setting for this would be quite high, perhaps 200
  1122. #
  1123. # To disable set to "0"
  1124. LF_APACHE_403 = "0"
  1125.  
  1126. # If this option is set to 1 the blocks will be permanent
  1127. # If this option is > 1, the blocks will be temporary for the specified number
  1128. # of seconds
  1129. LF_APACHE_403_PERM = "3600"
  1130.  
  1131. # System Exploit Checking. This option is designed to perform a series of tests
  1132. # to send an alert in case a possible server compromise is detected
  1133. #
  1134. # To enable this feature set the following to the checking interval in seconds
  1135. # (a value of 300 would seem sensible).
  1136. #
  1137. # To disable set to "0"
  1138. LF_EXPLOIT = "300"
  1139.  
  1140. # This comma separated list allows you to ignore tests LF_EXPLOIT performs
  1141. #
  1142. # For the SUPERUSER check, you can list usernames in csf.suignore to have them
  1143. # ignored for that test
  1144. #
  1145. # Valid tests are:
  1146. # SUPERUSER,SSHDSPAM
  1147. #
  1148. # If you want to ignore a test add it to this as a comma separated list, e.g.
  1149. # "SUPERUSER,SSHDSPAM"
  1150. LF_EXPLOIT_IGNORE = ""
  1151.  
  1152. # Set the time interval to track login and other LF_ failures within (seconds),
  1153. # i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
  1154. LF_INTERVAL = "3600"
  1155.  
  1156. # This is how long the lfd process sleeps (in seconds) before processing the
  1157. # log file entries and checking whether other events need to be triggered
  1158. LF_PARSE = "5"
  1159.  
  1160. # This is the interval that is used to flush reports of usernames, files and
  1161. # pids so that persistent problems continue to be reported, in seconds.
  1162. # A value of 3600 seems sensible
  1163. LF_FLUSH = "3600"
  1164.  
  1165. # Under some circumstances iptables can fail to include a rule instruction,
  1166. # especially if more than one request is made concurrently. In this event, a
  1167. # permanent block entry may exist in csf.deny, but not in iptables.
  1168. #
  1169. # This option instructs csf to deny an already blocked IP address the number
  1170. # of times set. The downside, is that there will be multiple entries for an IP
  1171. # address in csf.deny and possibly multiple rules for the same IP address in
  1172. # iptables. This needs to be taken into consideration when unblocking such IP
  1173. # addresses.
  1174. #
  1175. # Set to "0" to disable this feature. Do not set this too high for the reasons
  1176. # detailed above (e.g. "5" should be more than enough)
  1177. LF_REPEATBLOCK = "0"
  1178.  
  1179. # By default csf will create both an inbound and outbound blocks from/to an IP
  1180. # unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
  1181. # effective way to block IP traffic. This option instructs csf to only block
  1182. # inbound traffic from those IP's and so reduces the number of iptables rules,
  1183. # but at the expense of less effectiveness. For this reason we recommend
  1184. # leaving this option disabled
  1185. #
  1186. # Set to "0" to disable this feature - the default
  1187. LF_BLOCKINONLY = "0"
  1188.  
  1189. ###############################################################################
  1190. # SECTION:Directory Watching & Integrity
  1191. ###############################################################################
  1192. # Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
  1193. # directories for suspicious files, i.e. script exploits. If a suspicious
  1194. # file is found an email alert is sent. One alert per file per LF_FLUSH
  1195. # interval is sent
  1196. #
  1197. # To enable this feature set the following to the checking interval in seconds.
  1198. # To disable set to "0"
  1199. LF_DIRWATCH = "300"
  1200.  
  1201. # To remove any suspicious files found during directory watching, enable the
  1202. # following. These files will be appended to a tarball in
  1203. # /var/lib/csf/suspicious.tar
  1204. LF_DIRWATCH_DISABLE = "0"
  1205.  
  1206. # This option allows you to have lfd watch a particular file or directory for
  1207. # changes and should they change and email alert using watchalert.txt is sent
  1208. #
  1209. # To enable this feature set the following to the checking interval in seconds
  1210. # (a value of 60 would seem sensible) and add your entries to csf.dirwatch
  1211. #
  1212. # Set to disable set to "0"
  1213. LF_DIRWATCH_FILE = "0"
  1214.  
  1215. # System Integrity Checking. This enables lfd to compare md5sums of the
  1216. # servers OS binary application files from the time when lfd starts. If the
  1217. # md5sum of a monitored file changes an alert is sent. This option is intended
  1218. # as an IDS (Intrusion Detection System) and is the last line of detection for
  1219. # a possible root compromise.
  1220. #
  1221. # There will be constant false-positives as the servers OS is updated or
  1222. # monitored application binaries are updated. However, unexpected changes
  1223. # should be carefully inspected.
  1224. #
  1225. # Modified files will only be reported via email once.
  1226. #
  1227. # To enable this feature set the following to the checking interval in seconds
  1228. # (a value of 3600 would seem sensible). This option may increase server I/O
  1229. # load onto the server as it checks system binaries.
  1230. #
  1231. # To disable set to "0"
  1232. LF_INTEGRITY = "3600"
  1233.  
  1234. ###############################################################################
  1235. # SECTION:Distributed Attacks
  1236. ###############################################################################
  1237. # Distributed Account Attack. This option will keep track of login failures
  1238. # from distributed IP addresses to a specific application account. If the
  1239. # number of failures matches the trigger value above, ALL of the IP addresses
  1240. # involved in the attack will be blocked according to the temp/perm rules above
  1241. #
  1242. # Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
  1243. # LF_HTACCESS
  1244. #
  1245. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1246. # this file about RESTRICT_SYSLOG before enabling this option:
  1247. LF_DISTATTACK = "0"
  1248.  
  1249. # Set the following to the minimum number of unique IP addresses that trigger
  1250. # LF_DISTATTACK
  1251. LF_DISTATTACK_UNIQ = "2"
  1252.  
  1253. # Distributed FTP Logins. This option will keep track of successful FTP logins.
  1254. # If the number of successful logins to an individual account is at least
  1255. # LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
  1256. # then all of the IP addresses will be blocked
  1257. #
  1258. # This option can help mitigate the common FTP account compromise attacks that
  1259. # use a distributed network of zombies to deface websites
  1260. #
  1261. # A sensible setting for this might be 5, depending on how many different
  1262. # IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
  1263. #
  1264. # To disable set to "0"
  1265. #
  1266. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1267. # this file about RESTRICT_SYSLOG before enabling this option:
  1268. LF_DISTFTP = "0"
  1269.  
  1270. # Set the following to the minimum number of unique IP addresses that trigger
  1271. # LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
  1272. LF_DISTFTP_UNIQ = "3"
  1273.  
  1274. # If this option is set to 1 the blocks will be permanent
  1275. # If this option is > 1, the blocks will be temporary for the specified number
  1276. # of seconds
  1277. LF_DISTFTP_PERM = "1"
  1278.  
  1279. # Send an email alert if LF_DISTFTP is triggered
  1280. LF_DISTFTP_ALERT = "1"
  1281.  
  1282. # Distributed SMTP Logins. This option will keep track of successful SMTP
  1283. # logins. If the number of successful logins to an individual account is at
  1284. # least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
  1285. # addresses, then all of the IP addresses will be blocked. These options only
  1286. # apply to the exim MTA
  1287. #
  1288. # This option can help mitigate the common SMTP account compromise attacks that
  1289. # use a distributed network of zombies to send spam
  1290. #
  1291. # A sensible setting for this might be 5, depending on how many different
  1292. # IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
  1293. #
  1294. # To disable set to "0"
  1295. LF_DISTSMTP = "0"
  1296.  
  1297. # Set the following to the minimum number of unique IP addresses that trigger
  1298. # LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
  1299. LF_DISTSMTP_UNIQ = "3"
  1300.  
  1301. # If this option is set to 1 the blocks will be permanent
  1302. # If this option is > 1, the blocks will be temporary for the specified number
  1303. # of seconds
  1304. LF_DISTSMTP_PERM = "1"
  1305.  
  1306. # Send an email alert if LF_DISTSMTP is triggered
  1307. LF_DISTSMTP_ALERT = "1"
  1308.  
  1309. # This is the interval during which a distributed FTP or SMTP attack is
  1310. # measured
  1311. LF_DIST_INTERVAL = "300"
  1312.  
  1313. # If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
  1314. # path to a script, it will run the script and pass the following as arguments:
  1315. #
  1316. # LF_DISTFTP/LF_DISTSMTP
  1317. # account name
  1318. # log file text
  1319. #
  1320. # The action script must have the execute bit and interpreter (shebang) set
  1321. LF_DIST_ACTION = ""
  1322.  
  1323. ###############################################################################
  1324. # SECTION:Login Tracking
  1325. ###############################################################################
  1326. # Block POP3 logins if greater than LT_POP3D times per hour per account per IP
  1327. # address (0=disabled)
  1328. #
  1329. # This is a temporary block for the rest of the hour, afterwhich the IP is
  1330. # unblocked
  1331. #
  1332. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1333. # this file about RESTRICT_SYSLOG before enabling this option:
  1334. LT_POP3D = "0"
  1335.  
  1336. # Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
  1337. # address (0=disabled) - not recommended for IMAP logins due to the ethos
  1338. # within which IMAP works. If you want to use this, setting it quite high is
  1339. # probably a good idea
  1340. #
  1341. # This is a temporary block for the rest of the hour, afterwhich the IP is
  1342. # unblocked
  1343. #
  1344. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1345. # this file about RESTRICT_SYSLOG before enabling this option:
  1346. LT_IMAPD = "0"
  1347.  
  1348. # Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
  1349. # per IP
  1350. LT_EMAIL_ALERT = "1"
  1351.  
  1352. # If LF_PERMBLOCK is enabled but you do not want this to apply to
  1353. # LT_POP3D/LT_IMAPD, then enable this option
  1354. LT_SKIPPERMBLOCK = "0"
  1355.  
  1356. ###############################################################################
  1357. # SECTION:Connection Tracking
  1358. ###############################################################################
  1359. # Connection Tracking. This option enables tracking of all connections from IP
  1360. # addresses to the server. If the total number of connections is greater than
  1361. # this value then the offending IP address is blocked. This can be used to help
  1362. # prevent some types of DOS attack.
  1363. #
  1364. # Care should be taken with this option. It's entirely possible that you will
  1365. # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
  1366. # and HTTP so it could be quite easy to trigger, especially with a lot of
  1367. # closed connections in TIME_WAIT. However, for a server that is prone to DOS
  1368. # attacks this may be very useful. A reasonable setting for this option might
  1369. # be around 300.
  1370. #
  1371. # To disable this feature, set this to 0
  1372. CT_LIMIT = "0"
  1373.  
  1374. # Connection Tracking interval. Set this to the the number of seconds between
  1375. # connection tracking scans
  1376. CT_INTERVAL = "30"
  1377.  
  1378. # Send an email alert if an IP address is blocked due to connection tracking
  1379. CT_EMAIL_ALERT = "1"
  1380.  
  1381. # If you want to make IP blocks permanent then set this to 1, otherwise blocks
  1382. # will be temporary and will be cleared after CT_BLOCK_TIME seconds
  1383. CT_PERMANENT = "0"
  1384.  
  1385. # If you opt for temporary IP blocks for CT, then the following is the interval
  1386. # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
  1387. CT_BLOCK_TIME = "1800"
  1388.  
  1389. # If you don't want to count the TIME_WAIT state against the connection count
  1390. # then set the following to "1"
  1391. CT_SKIP_TIME_WAIT = "0"
  1392.  
  1393. # If you only want to count specific states (e.g. SYN_RECV) then add the states
  1394. # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
  1395. #
  1396. # Leave this option empty to count all states against CT_LIMIT
  1397. CT_STATES = ""
  1398.  
  1399. # If you only want to count specific ports (e.g. 80,443) then add the ports
  1400. # to the following as a comma separated list. E.g. "80,443"
  1401. #
  1402. # Leave this option empty to count all ports against CT_LIMIT
  1403. CT_PORTS = ""
  1404.  
  1405. ###############################################################################
  1406. # SECTION:Process Tracking
  1407. ###############################################################################
  1408. # Process Tracking. This option enables tracking of user and nobody processes
  1409. # and examines them for suspicious executables or open network ports. Its
  1410. # purpose is to identify potential exploit processes that are running on the
  1411. # server, even if they are obfuscated to appear as system services. If a
  1412. # suspicious process is found an alert email is sent with relevant information.
  1413. # It is then the responsibility of the recipient to investigate the process
  1414. # further as the script takes no further action
  1415. #
  1416. # The following is the number of seconds a process has to be active before it
  1417. # is inspected. If you set this time too low, then you will likely trigger
  1418. # false-positives with CGI or PHP scripts.
  1419. # Set the value to 0 to disable this feature
  1420. PT_LIMIT = "60"
  1421.  
  1422. # How frequently processes are checked in seconds
  1423. PT_INTERVAL = "60"
  1424.  
  1425. # If you want process tracking to highlight php or perl scripts that are run
  1426. # through apache then disable the following,
  1427. # i.e. set it to 0
  1428. #
  1429. # While enabling this setting will reduce false-positives, having it set to 0
  1430. # does provide better checking for exploits running on the server
  1431. PT_SKIP_HTTP = "0"
  1432.  
  1433. # lfd will report processes, even if they're listed in csf.pignore, if they're
  1434. # tagged as (deleted) by Linux. This information is provided in Linux under
  1435. # /proc/PID/exe. A (deleted) process is one that is running a binary that has
  1436. # the inode for the file removed from the file system directory. This usually
  1437. # happens when the binary has been replaced due to an upgrade for it by the OS
  1438. # vendor or another third party (e.g. cPanel). You need to investigate whether
  1439. # this is indeed the case to be sure that the original binary has not been
  1440. # replaced by a rootkit or is running an exploit.
  1441. #
  1442. # Note: If a deleted executable process is detected and reported then lfd will
  1443. # not report children of the parent (or the parent itself if a child triggered
  1444. # the report) if the parent is also a deleted executable process
  1445. #
  1446. # To stop lfd reporting such process you need to restart the daemon to which it
  1447. # belongs and therefore run the process using the replacement binary (presuming
  1448. # one exists). This will normally mean running the associated startup script in
  1449. # /etc/init.d/
  1450. #
  1451. # If you do want lfd to report deleted binary processes, set to 1
  1452. PT_DELETED = "0"
  1453.  
  1454. # If a PT_DELETED event is triggered, then if the following contains the path to
  1455. # a script, it will be run in a child process and passed the executable, pid,
  1456. # account for the process, and parent pid
  1457. #
  1458. # The action script must have the execute bit and interpreter (shebang) set. An
  1459. # example is provided in /usr/local/csf/bin/pt_deleted_action.pl
  1460. #
  1461. # WARNING: Make sure you read and understand the potential security
  1462. # implications of such processes in PT_DELETED above before simply restarting
  1463. # such processes with a script
  1464. PT_DELETED_ACTION = ""
  1465.  
  1466. # User Process Tracking. This option enables the tracking of the number of
  1467. # process any given account is running at one time. If the number of processes
  1468. # exceeds the value of the following setting an email alert is sent with
  1469. # details of those processes. If you specify a user in csf.pignore it will be
  1470. # ignored
  1471. #
  1472. # Set to 0 to disable this feature
  1473. PT_USERPROC = "10"
  1474.  
  1475. # This User Process Tracking option sends an alert if any linux user process
  1476. # exceeds the memory usage set (MB). To ignore specific processes or users use
  1477. # csf.pignore
  1478. #
  1479. # Set to 0 to disable this feature
  1480. PT_USERMEM = "200"
  1481.  
  1482. # This User Process Tracking option sends an alert if any linux user process
  1483. # exceeds the time usage set (seconds). To ignore specific processes or users
  1484. # use csf.pignore
  1485. #
  1486. # Set to 0 to disable this feature
  1487. PT_USERTIME = "1800"
  1488.  
  1489. # If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
  1490. # PT_USERPROC are killed
  1491. #
  1492. # Warning: We don't recommend enabling this option unless absolutely necessary
  1493. # as it can cause unexpected problems when processes are suddenly terminated.
  1494. # It can also lead to system processes being terminated which could cause
  1495. # stability issues. It is much better to leave this option disabled and to
  1496. # investigate each case as it is reported when the triggers above are breached
  1497. #
  1498. # Note: Processes that are running deleted excecutables (see PT_DELETED) will
  1499. # not be killed by lfd
  1500. PT_USERKILL = "0"
  1501.  
  1502. # If you want to disable email alerts if PT_USERKILL is triggered, then set
  1503. # this option to 0
  1504. PT_USERKILL_ALERT = "1"
  1505.  
  1506. # If a PT_* event is triggered, then if the following contains the path to
  1507. # a script, it will be run in a child process and passed the PID(s) of the
  1508. # process(es) in a comma separated list.
  1509. #
  1510. # The action script must have the execute bit and interpreter (shebang) set
  1511. PT_USER_ACTION = ""
  1512.  
  1513. # Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
  1514. # defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
  1515. # load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
  1516. # sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
  1517. # seconds has passed to prevent email floods.
  1518. #
  1519. # Set PT_LOAD to "0" to disable this feature
  1520. PT_LOAD = "30"
  1521. PT_LOAD_AVG = "5"
  1522. PT_LOAD_LEVEL = "6"
  1523. PT_LOAD_SKIP = "3600"
  1524.  
  1525. # This is the Apache Server Status URL used in the email alert. Requires the
  1526. # Apache mod_status module to be installed and configured correctly
  1527. PT_APACHESTATUS = "http://127.0.0.1/server-status"
  1528.  
  1529. # If a PT_LOAD event is triggered, then if the following contains the path to
  1530. # a script, it will be run in a child process. For example, the script could
  1531. # contain commands to terminate and restart httpd, php, exim, etc incase of
  1532. # looping processes. The action script must have the execute bit an
  1533. # interpreter (shebang) set
  1534. PT_LOAD_ACTION = ""
  1535.  
  1536. # Fork Bomb Protection. This option checks the number of processes with the
  1537. # same session id and if greater than the value set, the whole session tree is
  1538. # terminated and an alert sent
  1539. #
  1540. # You can see an example of common session id processes on most Linux systems
  1541. # using: "ps axf -O sid"
  1542. #
  1543. # On cPanel servers, PT_ALL_USERS should be enabled to use this option
  1544. # effectively
  1545. #
  1546. # This option will check root owned processes. Session id 0 and 1 will always
  1547. # be ignored as they represent kernel and init processes. csf.pignore will be
  1548. # honoured, but bear in mind that a session tree can contain a variety of users
  1549. # and executables
  1550. #
  1551. # Care needs to be taken to ensure that this option only detects runaway fork
  1552. # bombs, so should be set higher than any session tree is likely to get (e.g.
  1553. # httpd could have 100s of legitimate children on very busy systems). A
  1554. # sensible starting point on most servers might be 250
  1555. PT_FORKBOMB = "0"
  1556.  
  1557. # Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
  1558. # are often left hung after their connecting IP addresses have been blocked
  1559. #
  1560. # This option will terminate all processes with the cmdline of "sshd: unknown
  1561. # [net]" or "sshd: unknown [priv]" if they have been running for more than 60
  1562. # seconds
  1563. #
  1564. # Note: It is possible that enabling this option may have adverse effects on
  1565. # valid SSHD processes. If this is the case, this option should be disabled
  1566. #
  1567. # Note: Due to the nature of this type of attack, no email reports are sent
  1568. # when the processes are terminated, however the event is logged in lfd.log
  1569. # with a line prefix of "*PT_SSHDHUNG*"
  1570. PT_SSHDHUNG = "0"
  1571.  
  1572. ###############################################################################
  1573. # SECTION:Port Scan Tracking
  1574. ###############################################################################
  1575. # Port Scan Tracking. This feature tracks port blocks logged by iptables to
  1576. # syslog. If an IP address generates a port block that is logged more than
  1577. # PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
  1578. #
  1579. # This feature could, for example, be useful for blocking hackers attempting
  1580. # to access the standard SSH port if you have moved it to a port other than 22
  1581. # and have removed 22 from the TCP_IN list so that connection attempts to the
  1582. # old port are being logged
  1583. #
  1584. # This feature blocks all iptables blocks from the iptables logs, including
  1585. # repeated attempts to one port or SYN flood blocks, etc
  1586. #
  1587. # Note: This feature will only track iptables blocks from the log file set in
  1588. # IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
  1589. # cause redundant blocking with DROP_IP_LOGGING enabled
  1590. #
  1591. # Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
  1592. # could very quickly fill the iptables rule chains and cause a DOS in itself.
  1593. # The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
  1594. # and the DENY_TEMP_IP_LIMIT with temporary blocks
  1595. #
  1596. # Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
  1597. # would be sensible to enable this feature
  1598. #
  1599. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1600. # this file about RESTRICT_SYSLOG before enabling this option:
  1601. PS_INTERVAL = "0"
  1602. PS_LIMIT = "10"
  1603.  
  1604. # You can specify the ports and/or port ranges that should be tracked by the
  1605. # Port Scan Tracking feature. The following setting is a comma separated list
  1606. # of those ports and uses the same format as TCP_IN. The default setting of
  1607. # 0:65535,ICMP,INVALID,OPEN covers all ports
  1608. #
  1609. # Special values are:
  1610. #   ICMP    - include ICMP blocks (see ICMP_*)
  1611. #   INVALID - include INVALID blocks (see PACKET_FILTER)
  1612. #   OPEN    - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
  1613. PS_PORTS = "0:65535,ICMP"
  1614.  
  1615. # To specify how many different ports qualifies as a Port Scan you can increase
  1616. # the following from the default value of 1. The risk in doing so will mean
  1617. # that persistent attempts to attack a specific closed port will not be
  1618. # detected and blocked
  1619. PS_DIVERSITY = "1"
  1620.  
  1621. # You can select whether IP blocks for Port Scan Tracking should be temporary
  1622. # or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
  1623. # blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
  1624. # temporarily block the IP address for
  1625. PS_PERMANENT = "0"
  1626. PS_BLOCK_TIME = "3600"
  1627.  
  1628. # Set the following to "1" to enable Port Scan Tracking email alerts, set to
  1629. # "0" to disable them
  1630. PS_EMAIL_ALERT = "1"
  1631.  
  1632. ###############################################################################
  1633. # SECTION:User ID Tracking
  1634. ###############################################################################
  1635. # User ID Tracking. This feature tracks UID blocks logged by iptables to
  1636. # syslog. If a UID generates a port block that is logged more than UID_LIMIT
  1637. # times within UID_INTERVAL seconds, an alert will be sent
  1638. #
  1639. # Note: This feature will only track iptables blocks from the log file set in
  1640. # IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
  1641. #
  1642. # To ignore specific UIDs list them in csf.uidignore and then restart lfd
  1643. #
  1644. # Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
  1645. # would be sensible to enable this feature
  1646. #
  1647. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1648. # this file about RESTRICT_SYSLOG before enabling this option:
  1649. UID_INTERVAL = "0"
  1650. UID_LIMIT = "10"
  1651.  
  1652. # You can specify the ports and/or port ranges that should be tracked by the
  1653. # User ID Tracking feature. The following setting is a comma separated list
  1654. # of those ports and uses the same format as TCP_OUT. The default setting of
  1655. # 0:65535,ICMP covers all ports
  1656. UID_PORTS = "0:65535,ICMP"
  1657.  
  1658. ###############################################################################
  1659. # SECTION:Account Tracking
  1660. ###############################################################################
  1661. # Account Tracking. The following options enable the tracking of modifications
  1662. # to the accounts on a server. If any of the enabled options are triggered by
  1663. # a modifications to an account, an alert email is sent. Only the modification
  1664. # is reported. The cause of the modification will have to be investigated
  1665. # manually
  1666. #
  1667. # You can set AT_ALERT to the following:
  1668. # 0 = disable this feature
  1669. # 1 = enable this feature for all accounts
  1670. # 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
  1671. # 3 = enable this feature only for the root account
  1672. AT_ALERT = "2"
  1673.  
  1674. # This options is the interval between checks in seconds
  1675. AT_INTERVAL = "60"
  1676.  
  1677. # Send alert if a new account is created
  1678. AT_NEW = "1"
  1679.  
  1680. # Send alert if an existing account is deleted
  1681. AT_OLD = "1"
  1682.  
  1683. # Send alert if an account password has changed
  1684. AT_PASSWD = "1"
  1685.  
  1686. # Send alert if an account uid has changed
  1687. AT_UID = "1"
  1688.  
  1689. # Send alert if an account gid has changed
  1690. AT_GID = "1"
  1691.  
  1692. # Send alert if an account login directory has changed
  1693. AT_DIR = "1"
  1694.  
  1695. # Send alert if an account login shell has changed
  1696. AT_SHELL = "1"
  1697.  
  1698. ###############################################################################
  1699. # SECTION:Integrated User Interface
  1700. ###############################################################################
  1701. # Integrated User Interface. This feature provides a HTML UI to csf and lfd,
  1702. # without requiring a control panel or web server. The UI runs as a sub process
  1703. # to the lfd daemon
  1704. #
  1705. # As it runs under the root account and successful login provides root access
  1706. # to the server, great care should be taken when configuring and using this
  1707. # feature. There are additional restrictions to enhance secure access to the UI
  1708. #
  1709. # See readme.txt for more information about using this feature BEFORE enabling
  1710. # it for security and access reasons
  1711. #
  1712. # 1 to enable, 0 to disable
  1713. UI = "0"
  1714.  
  1715. # Set this to the port that want to bind this service to. You should configure
  1716. # this port to be >1023 and different from any other port already being used
  1717. #
  1718. # Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
  1719. # to the port using Advanced Allow Filters (see readme.txt)
  1720. UI_PORT = "6666"
  1721.  
  1722. # Optionally set the IP address to bind to. Normally this should be left blank
  1723. # to bind to all IP addresses on the server.
  1724. #
  1725. # If the server is configured for IPv6 but the IP to bind to is IPv4, then the
  1726. # IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
  1727. # ::ffff:1.2.3.4
  1728. #
  1729. # Leave blank to bind to all IP addresses on the server
  1730. UI_IP = ""
  1731.  
  1732. # This should be a secure, hard to guess username
  1733. #
  1734. # This must be changed from the default
  1735. UI_USER = "username"
  1736.  
  1737. # This should be a secure, hard to guess password. That is, at least 8
  1738. # characters long with a mixture of upper and lowercase characters plus
  1739. # numbers and non-alphanumeric characters
  1740. #
  1741. # This must be changed from the default
  1742. UI_PASS = "password"
  1743.  
  1744. # This is the login session timeout. If there is no activity for a logged in
  1745. # session within this number of seconds, the session will timeout and a new
  1746. # login will be required
  1747. #
  1748. # For security reasons, you should always keep this option low (i.e 60-300)
  1749. UI_TIMEOUT = "300"
  1750.  
  1751. # This is the maximum concurrent connections allowed to the server. The default
  1752. # value should be sufficient
  1753. UI_CHILDREN = "5"
  1754.  
  1755. # The number of login retries allowed within a 24 hour period. A successful
  1756. # login from the IP address will clear the failures
  1757. #
  1758. # For security reasons, you should always keep this option low (i.e 0-10)
  1759. UI_RETRY = "5"
  1760.  
  1761. # If enabled, this option will add the connecting IP address to the file
  1762. # /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
  1763. # able to login to the UI while it is listed in this file. The UI_BAN setting
  1764. # does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
  1765. # csf.ignore, etc.
  1766. #
  1767. # For security reasons, you should always enable this option
  1768. UI_BAN = "1"
  1769.  
  1770. # If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
  1771. # be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
  1772. # the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
  1773. #
  1774. # For security reasons, you should always enable this option and use ui.allow
  1775. UI_ALLOW = "1"
  1776.  
  1777. # If enabled, this option will trigger an iptables block through csf after
  1778. # UI_RETRY login failures
  1779. #
  1780. # 0 = no block;1 = perm block;nn=temp block for nn secs
  1781. UI_BLOCK = "1"
  1782.  
  1783. # This controls what email alerts are sent with regards to logins to the UI. It
  1784. # uses the uialert.txt template
  1785. #
  1786. # 4 = login success + login failure/ban/block + login attempts
  1787. # 3 = login success + login failure/ban/block
  1788. # 2 = login failure/ban/block
  1789. # 1 = login ban/block
  1790. # 0 = disabled
  1791. UI_ALERT = "4"
  1792.  
  1793. # This is the SSL cipher list that the Integrated UI will negotiate from
  1794. UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
  1795.  
  1796. # This is the SSL protocol version used. See IO::Socket::SSL if you wish to
  1797. # change this and to understand the implications of changing it
  1798. UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"
  1799.  
  1800. # If cxs is installed then enabling this option will provide a dropdown box to
  1801. # switch between applications
  1802. UI_CXS = "0"
  1803.  
  1804. # There is a modified installation of ConfigServer Explorer (cse) provided with
  1805. # the csf distribution. If this option is enabled it will provide a dropdown
  1806. # box to switch between applications
  1807. UI_CSE = "0"
  1808.  
  1809. ###############################################################################
  1810. # SECTION:Messenger service
  1811. ###############################################################################
  1812. # Messenger service. This feature allows the display of a message to a blocked
  1813. # connecting IP address to inform the user that they are blocked in the
  1814. # firewall. This can help when users get themselves blocked, e.g. due to
  1815. # multiple login failures. The service is provided by two daemons running on
  1816. # ports providing either an HTML or TEXT message.
  1817. #
  1818. # This feature does not work on servers that do not have the iptables module
  1819. # ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
  1820. # server admins should check with their VPS host provider that the iptables
  1821. # module is included.
  1822. #
  1823. # For further information on features and limitations refer to the csf
  1824. # readme.txt
  1825. #
  1826. # Note: Run /etc/csf/csftest.pl to check whether this option will function on
  1827. # this server
  1828. #
  1829. # 1 to enable, 0 to disable
  1830. MESSENGER = "0"
  1831.  
  1832. # Provide this service to temporary IP address blocks
  1833. MESSENGER_TEMP = "1"
  1834.  
  1835. # Provide this service to permanent IP address blocks
  1836. MESSENGER_PERM = "1"
  1837.  
  1838. # User account to run the service servers under. We recommend creating a
  1839. # specific non-priv, non-shell account for this purpose
  1840. MESSENGER_USER = "csf"
  1841.  
  1842. # This is the maximum concurrent connections allowed to each service server
  1843. MESSENGER_CHILDREN = "10"
  1844.  
  1845. # Set this to the port that will receive the HTML message. You should configure
  1846. # this port to be >1023 and different from the TEXT port. Do NOT enable access
  1847. # to this port in TCP_IN
  1848. MESSENGER_HTML = "8888"
  1849.  
  1850. # This comma separated list are the HTML ports that will be redirected for the
  1851. # blocked IP address. If you are using per application blocking (LF_TRIGGER)
  1852. # then only the relevant block port will be redirected to the messenger port
  1853. MESSENGER_HTML_IN = "80,2082,2095"
  1854.  
  1855. # Set this to the port that will receive the TEXT message. You should configure
  1856. # this port to be >1023 and different from the HTML port. Do NOT enable access
  1857. # to this port in TCP_IN
  1858. MESSENGER_TEXT = "8889"
  1859.  
  1860. # This comma separated list are the TEXT ports that will be redirected for the
  1861. # blocked IP address. If you are using per application blocking (LF_TRIGGER)
  1862. # then only the relevant block port will be redirected to the messenger port
  1863. MESSENGER_TEXT_IN = "21"
  1864.  
  1865. # These settings limit the rate at which connections can be made to the
  1866. # messenger service servers. Its intention is to provide protection from
  1867. # attacks or excessive connections to the servers. If the rate is exceeded then
  1868. # iptables will revert for the duration to the normal blocking actiity
  1869. #
  1870. # See the iptables man page for the correct --limit rate syntax
  1871. MESSENGER_RATE = "30/m"
  1872. MESSENGER_BURST = "5"
  1873.  
  1874. ###############################################################################
  1875. # SECTION:lfd Clustering
  1876. ###############################################################################
  1877. # lfd Clustering. This allows the configuration of an lfd cluster environment
  1878. # where a group of servers can share blocks and configuration option changes.
  1879. # Included are CLI and UI options to send requests to the cluster.
  1880. #
  1881. # See the readme.txt file for more information and details on setup and
  1882. # security risks.
  1883. #
  1884. # Comma separated list of cluster member IP addresses to send requests to
  1885. CLUSTER_SENDTO = ""
  1886.  
  1887. # Comma separated list of cluster member IP addresses to receive requests from
  1888. CLUSTER_RECVFROM = ""
  1889.  
  1890. # IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
  1891. # changes
  1892. CLUSTER_MASTER = ""
  1893.  
  1894. # If this is a NAT server, set this to the public IP address of this server
  1895. CLUSTER_NAT = ""
  1896.  
  1897. # If a cluster member should send requests on an IP other than the default IP,
  1898. # set it here
  1899. CLUSTER_LOCALADDR = ""
  1900.  
  1901. # Cluster communication port (must be the same on all member servers). There
  1902. # is no need to open this port in the firewall as csf will automatically add
  1903. # in and out bound rules to allow communication between cluster members
  1904. CLUSTER_PORT = "7777"
  1905.  
  1906. # This is a secret key used to encrypt cluster communications using the
  1907. # Blowfish algorithm. It should be between 8 and 56 characters long,
  1908. # preferably > 20 random characters
  1909. # 56 chars:    01234567890123456789012345678901234567890123456789012345
  1910. CLUSTER_KEY = ""
  1911.  
  1912. # Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
  1913. # servers must have this servers IP address listed in their CLUSTER_RECVFROM
  1914. #
  1915. # Set to 0 to disable this feature
  1916. CLUSTER_BLOCK = "1"
  1917.  
  1918. # This option allows the enabling and disabling of the Cluster configuration
  1919. # changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
  1920. # CLUSTER_MASTER server
  1921. #
  1922. # Set this option to 1 to allow Cluster configurations to be received
  1923. CLUSTER_CONFIG = "0"
  1924.  
  1925. # Maximum number of child processes to listen on. High blocking rates or large
  1926. # clusters may need to increase this
  1927. CLUSTER_CHILDREN = "10"
  1928.  
  1929. ###############################################################################
  1930. # SECTION:Port Knocking
  1931. ###############################################################################
  1932. # Port Knocking. This feature allows port knocking to be enabled on multiple
  1933. # ports with a variable number of knocked ports and a timeout. There must be a
  1934. # minimum of 3 ports to knock for an entry to be valid
  1935. #
  1936. # See the following for information regarding Port Knocking:
  1937. # http://www.portknocking.org/
  1938. #
  1939. # This feature does not work on servers that do not have the iptables module
  1940. # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
  1941. # server admins should check with their VPS host provider that the iptables
  1942. # module is included
  1943. #
  1944. # For further information and syntax refer to the Port Knocking section of the
  1945. # csf readme.txt
  1946. #
  1947. # Note: Run /etc/csf/csftest.pl to check whether this option will function on
  1948. # this server
  1949. #
  1950. # openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
  1951. # e.g.: 22;TCP;20;100;200;300;400
  1952. PORTKNOCKING = ""
  1953.  
  1954. # Enable PORTKNOCKING logging by iptables
  1955. PORTKNOCKING_LOG = "1"
  1956.  
  1957. # Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
  1958. # also be enabled to use this option
  1959. #
  1960. # SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
  1961. # this file about RESTRICT_SYSLOG before enabling this option:
  1962. PORTKNOCKING_ALERT = "0"
  1963.  
  1964. ###############################################################################
  1965. # SECTION:Log Scanner
  1966. ###############################################################################
  1967. # Log Scanner. This feature will send out an email summary of the log lines of
  1968. # each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
  1969. # they match a regular expression in /etc/csf/csf.logignore
  1970. #
  1971. # File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
  1972. # be aware that the more files lfd has to track, the greater the performance
  1973. # hit. Note: File globs are only evaluated when lfd is started
  1974. #
  1975. # Note: lfd builds the report continuously from lines logged after lfd has
  1976. # started, so any lines logged when lfd is not running will not be reported
  1977. # (e.g. during reboot). If lfd is restarted, then the report will include any
  1978. # lines logged during the previous lfd logging period that weren't reported
  1979. #
  1980. # 1 to enable, 0 to disable
  1981. LOGSCANNER = "0"
  1982.  
  1983. # This is the interval each report will be sent based on the logalert.txt
  1984. # template
  1985. #
  1986. # The interval can be set to:
  1987. # "hourly" - sent on the hour
  1988. # "daily"  - sent at midnight (00:00)
  1989. # "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
  1990. #            via cron job
  1991. LOGSCANNER_INTERVAL = "hourly"
  1992.  
  1993. # Report Style
  1994. # 1 = Separate chronological log lines per log file
  1995. # 2 = Simply chronological log of all lines
  1996. LOGSCANNER_STYLE = "1"
  1997.  
  1998. # Send the report email even if no log lines reported
  1999. # 1 to enable, 0 to disable
  2000. LOGSCANNER_EMPTY = "1"
  2001.  
  2002. # Maximum number of lines in the report before it is truncated. This is to
  2003. # prevent log lines flooding resulting in an excessively large report. This
  2004. # might need to be increased if you choose a daily report
  2005. LOGSCANNER_LINES = "5000"
  2006.  
  2007. ###############################################################################
  2008. # SECTION:Statistics Settings
  2009. ###############################################################################
  2010. # Statistics
  2011. #
  2012. # Some of the Statistics output requires the gd graphics library and the
  2013. # GD::Graph perl module with all dependent modules to be installed for the UI
  2014. # for them to be displayed
  2015. #
  2016. # This option enabled statistical data gathering
  2017. ST_ENABLE = "1"
  2018.  
  2019. # This option determines how many iptables log lines to store for reports
  2020. ST_IPTABLES = "100"
  2021.  
  2022. # This option indicates whether rDNS and CC lookups are performed at the time
  2023. # the log line is recorded (this is not performed when viewing the reports)
  2024. #
  2025. # Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
  2026. # then enabling this setting could cause serious performance problems
  2027. ST_LOOKUP = "0"
  2028.  
  2029. # This option will gather basic system statstics. Through the UI it displays
  2030. # various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
  2031. #  . Hourly (per minute)
  2032. #  . 24 hours (per minute)
  2033. #  . 7 days (per minute averaged over an hour)
  2034. #  . 30 days (per minute averaged over an hour) - user definable
  2035. # The data is stored in /var/lib/csf/stats/system and the option requires the
  2036. # perl GD::Graph module
  2037. #
  2038. # Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
  2039. # those systems do not store the required information in /proc/diskstats
  2040. # On new installations or when enabling this option it will take time for these
  2041. # graphs to be populated
  2042. ST_SYSTEM = "0"
  2043.  
  2044. # Set the maximum days to collect statistics for. The default is 30 days, the
  2045. # more data that is collected the longer it will take for each of the graphs to
  2046. # be generated
  2047. ST_SYSTEM_MAXDAYS = "30"
  2048.  
  2049. # If ST_SYSTEM is enabled, then these options can collect MySQL statistical
  2050. # data. To use this option the server must have the perl modules DBI and
  2051. # DBD::mysql installed.
  2052. #
  2053. # Set this option to "0" to disable MySQL data collection
  2054. ST_MYSQL = "0"
  2055.  
  2056. # The following options are for authentication for MySQL data collection. If
  2057. # the password is left blank and the user set to "root" then the procedure will
  2058. # look for authentication data in /root/.my.cnf. Otherwise, you will need to
  2059. # provide a MySQL username and password to collect the data. Any MySQL user
  2060. # account can be used
  2061. ST_MYSQL_USER = "root"
  2062. ST_MYSQL_PASS = ""
  2063. ST_MYSQL_HOST = "localhost"
  2064.  
  2065. # If ST_SYSTEM is enabled, then this option can collect Apache statistical data
  2066. # The value for PT_APACHESTATUS must be correctly set
  2067. ST_APACHE = "0"
  2068.  
  2069. # The following options measure disk write performance using dd (location set
  2070. # via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and
  2071. # the statistics will plot the MB/s response time of the disk. As this is an IO
  2072. # intensive operation, it may not be prudent to run this test too often, so by
  2073. # default it is only run every 5 minutes and the result duplicated for each
  2074. # intervening minute for the statistics
  2075. #
  2076. # This is not necessrily a good measure of disk performance, primarily because
  2077. # the measurements are for relatively small amounts of data over a small amount
  2078. # of time. To properly test disk performance there are a variety of tools
  2079. # available that should be run for extended periods of time to obtain an
  2080. # accurate measurement. This metric is provided to give an idea of how the disk
  2081. # is performing over time
  2082. #
  2083. # Note: There is a 15 second timeout performing the check
  2084. #
  2085. # Set to 0 to disable, 1 to enable
  2086. ST_DISKW = "0"
  2087.  
  2088. # The number of minutes that elapse between tests. Default is 5, minimum is 1.
  2089. ST_DISKW_FREQ = "5"
  2090.  
  2091. # This is the command line passed to dd. If you are familiar with dd, or wish
  2092. # to move the output file (of) to a different disk, then you can alter this
  2093. # command. Take great care when making any changes to this command as it is
  2094. # very easy to overwrite a disk using dd if you make a mistake
  2095. ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"
  2096.  
  2097. ###############################################################################
  2098. # SECTION:OS Specific Settings
  2099. ###############################################################################
  2100. # Binary locations
  2101. IPTABLES = "/sbin/iptables"
  2102. IPTABLES_SAVE = "/sbin/iptables-save"
  2103. IPTABLES_RESTORE = "/sbin/iptables-restore"
  2104. IP6TABLES = "/sbin/ip6tables"
  2105. IP6TABLES_SAVE = "/sbin/ip6tables-save"
  2106. IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
  2107. MODPROBE = "/sbin/modprobe"
  2108. IFCONFIG = "/sbin/ifconfig"
  2109. SENDMAIL = "/usr/sbin/sendmail"
  2110. PS = "/bin/ps"
  2111. VMSTAT = "/usr/bin/vmstat"
  2112. NETSTAT = "/bin/netstat"
  2113. LS = "/bin/ls"
  2114. MD5SUM = "/usr/bin/md5sum"
  2115. TAR = "/bin/tar"
  2116. CHATTR = "/usr/bin/chattr"
  2117. UNZIP = "/usr/bin/unzip"
  2118. GUNZIP = "/bin/gunzip"
  2119. DD = "/bin/dd"
  2120. TAIL = "/usr/bin/tail"
  2121. GREP = "/bin/grep"
  2122. IPSET = "/usr/sbin/ipset"
  2123. SYSTEMCTL = "/usr/bin/systemctl"
  2124. HOST = "/usr/bin/host"
  2125.  
  2126. # Log file locations
  2127. #
  2128. # File globbing is allowed for the following logs. However, be aware that the
  2129. # more files lfd has to track, the greater the performance hit
  2130. #
  2131. # Note: File globs are only evaluated when lfd is started
  2132. #
  2133. HTACCESS_LOG = "/var/log/httpd/error_log"
  2134. MODSEC_LOG = "/var/log/httpd/error_log"
  2135. SSHD_LOG = "/var/log/secure"
  2136. SU_LOG = "/var/log/secure"
  2137. FTPD_LOG = "/var/log/messages"
  2138. SMTPAUTH_LOG = "/var/log/secure"
  2139. POP3D_LOG = "/var/log/maillog"
  2140. IMAPD_LOG = "/var/log/maillog"
  2141. IPTABLES_LOG = "/var/log/messages"
  2142. SUHOSIN_LOG = "/var/log/messages"
  2143. BIND_LOG = "/var/log/messages"
  2144. SYSLOG_LOG = "/var/log/messages"
  2145. WEBMIN_LOG = "/var/log/secure"
  2146.  
  2147. CUSTOM1_LOG = "/var/log/customlog"
  2148. CUSTOM2_LOG = "/var/log/customlog"
  2149. CUSTOM3_LOG = "/var/log/customlog"
  2150. CUSTOM4_LOG = "/var/log/customlog"
  2151. CUSTOM5_LOG = "/var/log/customlog"
  2152. CUSTOM6_LOG = "/var/log/customlog"
  2153. CUSTOM7_LOG = "/var/log/customlog"
  2154. CUSTOM8_LOG = "/var/log/customlog"
  2155. CUSTOM9_LOG = "/var/log/customlog"
  2156.  
  2157. # The following are comma separated lists used if LF_SELECT is enabled,
  2158. # otherwise they are not used. They are derived from the application returned
  2159. # from a regex match in /usr/local/csf/bin/regex.pm
  2160. #
  2161. # All ports default to tcp blocks. To specify udp or tcp use the format:
  2162. # port;protocol,port;protocol,... For example, "53;udp,53;tcp"
  2163. PORTS_pop3d = "110,995"
  2164. PORTS_imapd = "143,993"
  2165. PORTS_htpasswd = "80,443"
  2166. PORTS_mod_security = "80,443"
  2167. PORTS_mod_qos = "80,443"
  2168. PORTS_symlink = "80,443"
  2169. PORTS_suhosin = "80,443"
  2170. PORTS_cxs = "80,443"
  2171. PORTS_bind = "53;udp,53;tcp"
  2172. PORTS_ftpd = "20,21"
  2173. PORTS_webmin = "10000"
  2174. PORTS_smtpauth = "25,465,587"
  2175. PORTS_eximsyntax = "25,465,587"
  2176. # This list is replaced, if present, by "Port" definitions in
  2177. # /etc/ssh/sshd_config
  2178. PORTS_sshd = "22"
  2179.  
  2180. # This configuration is for use with generic Linux servers, do not change the
  2181. # following setting:
  2182. GENERIC = "1"
  2183.  
  2184. # If you find ever increasing numbers of zombie lfd processes you may need to
  2185. # revert to the old child reaper code by enabling this option
  2186. OLD_REAPER = "0"
  2187.  
  2188. # For internal use only. You should not enable this option as it could cause
  2189. # instability in csf and lfd
  2190. DEBUG = "0"
  2191. ###############################################################################
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top