############################################################################### # Copyright 2006-2009, Way to the Web Limited # URL: http://www.configserver.com # Email: sales@waytotheweb.com ############################################################################### # Testing flag - enables a CRON job that clears iptables incase of # configuration problems when you start csf. This should be enabled until you # are sure that the firewall works - i.e. incase you get locked out of your # server! Then do remember to set it to 0 and restart csf when you're sure # everything is OK. Stopping csf will remove the line from /etc/crontab TESTING = "0" # The interval for the crontab in minutes. Since this uses the system clock the # CRON job will run at the interval past the hour and not from when you issue # the start command. Therefore an interval of 5 minutes means the firewall # will be cleared in 0-5 minutes from the firewall start TESTING_INTERVAL = "5" # Enabling auto updates creates a cron job called /etc/cron.d/csf_update which # runs once per day to see if there is an update to csf+lfd and upgrades if # available and restarts csf and lfd. Updates do not overwrite configuration # files or email templates. An email will be sent to the root account if an # update is performed AUTO_UPDATES = "1" # By default, csf will auto-configure iptables to filter all traffic except on # the local (lo:) device. If you only want iptables rules applied to a specific # NIC, then list it here (e.g. eth1, or eth+) ETH_DEVICE = "" # If you don't want iptables rules applied to specific NICs, then list them in # a comma separated list (e.g "eth1,eth2") ETH_DEVICE_SKIP = "" # Lists of ports in the following comma separated lists can be added using a # colon (e.g. 30000:35000). # Allow incoming TCP ports TCP_IN = "20,21,1702,25,53,80,110,143,443,465,953,993,995,2077,2078,2082,2083,2086,2087,2095,2096,465,26,1863,3306,30000" # Allow outgoing TCP ports TCP_OUT = "20,21,1702,25,37,43,53,80,110,113,443,587,873,953,2087,2089,2703,465,995,26,1863,2077,2078,3306,30000" # Allow incoming UDP ports UDP_IN = "20,21,53,953,26" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "20,21,53,113,123,873,953,6277,26" # Allow incoming PING ICMP_IN = "1" # Set the per IP address incoming ICMP packet rate # To disable rate limiting set to "0" ICMP_IN_RATE = "1/s" # Allow outgoing PING ICMP_OUT = "1" # Set the per IP address outgoing ICMP packet rate (hits per second allowed), # e.g. "1/s" # # Recommend disabling on cPanel servers as cPanel uses ping test to determine # fastest mirrors for various functions # # To disable rate limiting set to "0" ICMP_OUT_RATE = "1/s" # Block outgoing SMTP except for root, exim and mailman (forces scripts/users # to use the exim/sendmail binary instead of sockets access). This replaces the # protection as WHM > Tweak Settings > SMTP Tweaks # # This option uses the iptables ipt_owner module and must be loaded for it to # work. It may not be available on some VPS platforms # # Note: Run /etc/csf/csftest.pl to check whether this option will function on # this server SMTP_BLOCK = "1" # If SMTP_BLOCK is enabled but you want to allow local connections to port 25 # on the server (e.g. for webmail or web scripts) then enable this option to # allow outgoing SMTP connections to 127.0.0.1 SMTP_ALLOWLOCAL = "1" # This is a comma separated list of the ports to block. You should list all # ports that exim is configured to listen on SMTP_PORTS = "25" # Drop target for iptables rules. This can be set to either DROP ot REJECT. # REJECT will send back an error packet, DROP will not respond at all. REJECT # is more polite, however it does provide extra information to a hacker and # lets them know that a firewall is blocking their attempts. DROP hangs their # connection, thereby frustrating attempts to port scan the server. DROP = "DROP" # Enable logging of dropped connections to blocked ports to syslog, usually # /var/log/messages. This option needs to be enabled to use Port Scan Tracking DROP_LOGGING = "1" # Enable logging of dropped connections to blocked IP addresses in csf.deny or # by lfd with temporary connection tracking blocks. Do not enable this option # if you use Port Scan Tracking DROP_IP_LOGGING = "0" # Only log reserved port dropped connections (0:1023). Useful since you're not # usually bothered about ephemeral port drops DROP_ONLYRES = "0" # Commonly blocked ports that you do not want logging as they tend to just fill # up the log file. These ports are specifically blocked (applied to TCP and UDP # protocols) for incoming connections DROP_NOLOG = "67,68,111,113,135:139,445,513,520" # Enable packet filtering for unwanted or illegal packets PACKET_FILTER = "1" # Log packets dropped by the packet filtering option PACKET_FILTER. This will # show packet drops that iptables has deemed INVALID (i.e. there is no # established TCP connection in the state table), or if the TCP flags in the # packet are out of sequence or illegal in the protocol exchange. # # If you see packets being dropped that you would rather allow then disable the # PACKET_FILTER option above by setting it to "0" DROP_PF_LOGGING = "0" # Enable SYN Flood Protection. This option configures iptables to offer some # protection from tcp SYN packet DOS attempts. You should set the RATE so that # false-positives are kept to a minimum otherwise visitors may see connection # issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables # man page for the correct --limit rate syntax SYNFLOOD = "1" SYNFLOOD_RATE = "300/s" SYNFLOOD_BURST = "350" # Port Flood Protection. This option configures iptables to offer protection # from DOS attacks against specific ports. This option limits the number of # connections per time interval that new connections can be made to specific # ports # # This feature does not work on servers that do not have the iptables module # ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS # server admins should check with their VPS host provider that the iptables # module is included # # For further information and syntax refer to the Port Flood section of the csf # readme.txt # # Note: Run /etc/csf/csftest.pl to check whether this option will function on # this server PORTFLOOD = "" # Enable verbose output of iptables commands VERBOSE = "1" # Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the # perl module Sys::Syslog installed to use this feature SYSLOG = "0" # Enable this option if you wish to allow access from all IP's that have # authenticated using POP before SMTP (i.e. are valid clients). This option # checks for IP addresses in /etc/relayhosts, which last for 30 minutes in that # file after a successful POP authentication. # # Set the value to 0 to disable the feature RELAYHOSTS = "1" # Enable this option if you want lfd to ignore (i.e. don't block) IP addresses # listed in csf.allow in addition to csf.ignore (the default). This option # should be used with caution as it would mean that IP's allowed through the # firewall from infected PC's could launch attacks on the server that lfd # would ignore IGNORE_ALLOW = "0" # Enable the following option if you want to apply strict iptables rules to DNS # traffic (i.e. relying on iptables connection tracking). Enabling this option # could cause DNS resolution issues both to and from the server but could help # prevent abuse of the local DNS server DNS_STRICT = "0" # Limit the number of IP's kept in the /etc/csf/csf.deny file. This can be # important as a large number of IP addresses create a large number of iptables # rules (4 times the number of IP's) which can cause problems on some systems # where either the the number of iptables entries has been limited (esp VPS's) # or where resources are limited. This can result in slow network performance, # or, in the case of iptables entry limits, can prevent your server from # booting as not all the required iptables chain settings will be correctly # configured. The value set here is the maximum number of IPs/CIDRs allowed # if the limit is reached, the entries will be rotated so that the oldest # entries (i.e. the ones at the top) will be removed and the latest is added. # The limit is only checked when using csf -d (which is what lfd also uses) # Set to 0 to disable limiting DENY_IP_LIMIT = "100" # Limit the number of IP's kept in the temprary IP ban list. If the limit is # reached the oldest IP's in the ban list will be removed and allowed # regardless of the amount of time remaining for the block # Set to 0 to disable limiting DENY_TEMP_IP_LIMIT = "100" # Enable login failure detection daemon (lfd). If set to 0 none of the # following settings will have any effect as the daemon won't start. LF_DAEMON = "1" # By default, lfd will send alert emails using the relevant alert template to # the To: address configured within that template. Setting the following # option will override the configured To: field in all lfd alert emails # # Leave this option empty to use the To: field setting in each alert template LF_ALERT_TO = "" # By default, lfd will send alert emails using the relevant alert template from # the From: address configured within that template. Setting the following # option will override the configured From: field in all lfd alert emails # # Leave this option empty to use the From: field setting in each alert template LF_ALERT_FROM = "" # Block Reporting. lfd can run an external script when it performs and IP # address block following for example a login failure. The following setting # is to the full path of the external script which must be executable. See # readme.txt for format details # # Leave this setting blank to disable BLOCK_REPORT = "" # Send an alert if log file flooding is detected which causes lfd to skip log # lines to prevent lfd from looping. If this alert is sent you should check the # reported log file for the reason for the flooding LOGFLOOD_ALERT = "0" # Temporary to Permanent IP blocking. The following enables this feature to # permanently block IP addresses that have been temporarily blocked more than # LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set # LF_PERMBLOCK to "1" to enable this feature # # Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be # at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting # (TTL) for blocked IPs, to be effective # # Set LF_PERMBLOCK to "0" to disable this feature LF_PERMBLOCK = "1" LF_PERMBLOCK_INTERVAL = "86400" LF_PERMBLOCK_COUNT = "10" # Permanently block IPs by network class. The following enables this feature # to permanently block classes of IP address where individual IP addresses # within the same class LF_NETBLOCK_CLASS have already been blocked more than # LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set # LF_NETBLOCK to "1" to enable this feature # # This can be an affective way of blocking DDOS attacks launched from within # the same networ class # # Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and # consideration is required when blocking network classes A or B # # Set LF_NETBLOCK to "0" to disable this feature LF_NETBLOCK = "0" LF_NETBLOCK_INTERVAL = "86400" LF_NETBLOCK_COUNT = "4" LF_NETBLOCK_CLASS = "C" # Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*, # SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new # chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT # chain, then flush and delete the old dynamic chain and rename the new chain. # # This prevents a small window of opportunity opening when an update occurs and # the dynamic chain is flushed for the new rules. # # This option should not be enabled on servers with long dynamic chains (e.g. # CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on # Virtuozzo VPS servers with a restricted numiptent value. This is because each # chain will effectively be duplicated while the update occurs, doubling the # number of iptables rules SAFECHAINUPDATE = "0" # If you wish to allow access from dynamic DNS records (for example if your IP # address changes whenever you connect to the internet but you have a dedicated # dynamic DNS record from the likes of dyndns.org) then you can list the FQDN # records in csf.dyndns and then set the following to the number of seconds to # poll for a change in the IP address. If the IP address has changed iptables # will be updated. # # A setting of 600 would check for IP updates every 10 minutes. Set the value # to 0 to disable the feature DYNDNS = "0" # To always ignore DYNDNS IP addresses in lfd blocking, set the following # option to 1 DYNDNS_IGNORE = "0" # The follow Global options allow you to specify a URL where csf can grab a # centralised copy of an IP allow or deny block list of your own. You need to # specify the full URL in the following options, i.e.: # http://www.somelocation.com/allow.txt # # The actual retrieval of these IP's is controlled by lfd, so you need to set # LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd # will perform the retrieval when it runs and then again at the specified # interval. A sensible interval would probably be every 3600 seconds (1 hour) # # You do not have to specify both an allow and a deny file # # You can also configure a global ignore file for IP's that lfd should ignore GLOBAL_ALLOW = "" GLOBAL_DENY = "" GLOBAL_IGNORE = "" LF_GLOBAL = "" # Country Code to CIDR allow/deny. In the following two options you can allow # or deny whole country CIDR ranges. The CIDR blocks are downloaded from # http://iplocationtools.com and entirely rely on that service being available. # Specify the the two-letter ISO Country Code(s). The iptables rules are for # incoming connections only # # Warning: These lists are never 100% accurate and some ISP's (e.g. AOL) use # non-geographic IP address designations for their clients # # Warning: Some of the CIDR lists are huge and each one requires a rule within # the incoming iptables chain. This can result in significant performance # overheads and could render the server inaccessible in some circumstances. For # this reason (amongst others) we do not recommend using these options # # Warning: Due to the resource constraints on VPS servers this feature should # not be used on such systems unless you choose very small CC zones # # Warning: CC_ALLOW allows access through all ports in the firewall. For this # reason CC_ALLOW probably has very limited use # # If you use this feature you should consider a donation to: # http://iplocationtools.com/donate.php # # Each option is a comma separated list of CC's, e.g. "US,GB,DE" CC_DENY = "" CC_ALLOW = "" # This option tells lfd how often to retrieve the CC CIDR's required for # CC_ALLOW and CC_DENY (in days) CC_INTERVAL = "7" # Enable IP range blocking using the DShield Block List at # http://www.dshield.org/diary.html?storyid=4483 # To enable this feature, set the following to the interval in seconds that you # want the block list updated. The list is reasonably static during the length # of a day, so it would be appropriate to only update once every 24 hours, so # a value of "86400" is recommended LF_DSHIELD = "86400" # The DShield block list URL. If you change this to something else be sure it # is in the same format as the block list LF_DSHIELD_URL = "http://feeds.dshield.org/block.txt" # Enable IP range blocking using the Spamhaus DROP List at # http://www.spamhaus.org/drop/index.lasso # To enable this feature, set the following to the interval in seconds that you # want the block list updated. The list is reasonably static during the length # of a day, so it would be appropriate to only update once every 24 hours, so # a value of "86400" is recommended LF_SPAMHAUS = "86400" # The Spamhaus DROP List URL. If you change this to something else be sure it # is in the same format as the drop list LF_SPAMHAUS_URL = "http://www.spamhaus.org/drop/drop.lasso" # Enable IP range blocking using the BOGON List at # http://www.cymru.com/Bogons/ # To enable this feature, set the following to the interval in seconds that you # want the block list updated. The list is reasonably static during the length # of a day, so it would be appropriate to only update once every 24 hours, so # a value of "86400" is recommended # # Do NOT use this option if your server uses IP's on the bogon list (e.g. this # is often the case with servers behind a NAT firewall using ip routing) LF_BOGON = "86400" # The BOGON List URL. If you change this to something else be sure it # is in the same format as the drop list LF_BOGON_URL = "http://www.cymru.com/Documents/bogon-bn-agg.txt" # The following[*] triggers are application specific. If you set LF_TRIGGER to # "0" the value of each trigger is the number of failures against that # application that will trigger lfd to block the IP address # # If you set LF_TRIGGER to a value greater than "0" then the following[*] # application triggers are simply on or off ("0" or "1") and the value of # LF_TRIGGER is the total cumulative number of failures that will trigger lfd # to block the IP address # # Setting the application trigger to "0" disables it LF_TRIGGER = "20" # If LF_TRIGGER is > 1 then the following can be set to "1" to permanently # block the IP address, or if set to a value greater than "1" then the IP # address will be blocked temporarily for the value in seconds. For example: # LF_TRIGGER_PERM = "1" => the IP is blocked permanently # LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour # # If LF_TRIGGER is 0, then the application LF_[application]_PERM value works in # the same way as above LF_TRIGGER_PERM = "3600" # To only block access to the failed application instead of a complete block # for an ip address, you can set the following to "1", but LF_TRIGGER must be # set to "0" with specific application[*] trigger levels also set LF_SELECT = "0" # Send an email alert if an IP address is blocked by one of the [*] triggers LF_EMAIL_ALERT = "1" # [*]Enable login failure detection of sshd connections LF_SSHD = "5" LF_SSHD_PERM = "1" # [*]Enable login failure detection of pure-ftpd connections LF_FTPD = "10" LF_FTPD_PERM = "1" # [*]Enable login failure detection of SMTP AUTH connections LF_SMTPAUTH = "5" LF_SMTPAUTH_PERM = "1" # [*]Enable login failure detection of courier pop3 connections. This will not # trap the older cppop daemon LF_POP3D = "10" LF_POP3D_PERM = "1" # [*]Enable login failure detection of courier imap connections. This will not # trap the older cpimap (uwimap) daemon LF_IMAPD = "10" LF_IMAPD_PERM = "1" # [*]Enable login failure detection of Apache .htpasswd connections # Due to the often high logging rate in the Apache error log, you might want to # enable this option only if you know you are suffering from attacks against # password protected directories LF_HTACCESS = "5" LF_HTACCESS_PERM = "1" # [*]Enable failure detection of Apache mod_security triggers # Due to the often high logging rate in the Apache error log, you might want to # enable this option only if you know you are suffering from attacks against # web scripts LF_MODSEC = "5" LF_MODSEC_PERM = "1" # [*]Enable login failure detection of cpanel, webmail and whm connections LF_CPANEL = "5" LF_CPANEL_PERM = "1" # [*]Enable detection of suhosin triggers and blocking of attackers # Example: LF_SUHOSIN = "5" LF_SUHOSIN = "5" LF_SUHOSIN_PERM = "1" # Check that csf appears to have been stopped. This checks the status of the # iptables INPUT chain. If it's not set to DROP, LF will run csf. This will not # happen if TESTING is enabled above. The check is done every 300 seconds LF_CSF = "1" # Send an email alert if anyone logs in successfully using SSH LF_SSH_EMAIL_ALERT = "1" # Send an email alert if anyone uses su to access another account. This will # send an email alert whether the attempt to use su was successful or not LF_SU_EMAIL_ALERT = "1" # Enable scanning of the exim mainlog for repeated emails sent from scripts. # To use this feature you must add an extended email logging line to WHM > # Exim Configuration Editor > Switch to Advanced Mode > in the first textbox # add the following line (without the preceding #): # # log_selector = +arguments +subject # # If you already use extended exim logging, then you need to either include # +arguments or use +all # # This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines # appear with the same cwd= path in them within an hour. This can be useful in # identifying spamming scripts on a server, especially PHP scripts running # under the nobody account. The email that is sent includes the exim log lines # and also attempts to find scripts that send email in the path that may be the # culprit LF_SCRIPT_ALERT = "1" # The limit afterwhich the email alert for email scripts is sent. Care should # be taken with this value if you allow clients to use web scripts to maintain # pseudo-mailing lists which have large recipients LF_SCRIPT_LIMIT = "100" # If this option is enabled, the directory identified by LF_SCRIPT_ALERT will # be chmod 0 and chattr +i to prevent it being accessed. Set the option to 1 # to enable. # # WARNING: This option could cause serious system problems if the identified # directory is within the OS directory hierarchy. For this reason we do not # recommend enabling it unless absolutely necessary. LF_SCRIPT_PERM = "0" # Checks the length of the exim queue and sends an alert email if the value of # settings is exceeded. If the ConfigServer MailScanner configuration is used # then both the pending and delivery queues will be checked. # # Note: If there are problems sending out email, this alert may not be received # To disable set to "0" LF_QUEUE_ALERT = "0" # The interval between mail queue checks in seconds. This should not be set too # low on servers that often have long queues as the exim binary can use # significant resources when checing its queue length LF_QUEUE_INTERVAL = "300" # Enable Directory Watching. This enables lfd to check /tmp and /dev/shm # directories for suspicious files, i.e. script exploits. If a suspicious # file is found an email alert is sent. One alert per file per LF_FLUSH # interval is sent # # To enable this feature set the following to the checking interval in seconds. # To disable set to "0" LF_DIRWATCH = "300" # To remove any suspicious files found during directory watching, enable the # following. These files will be appended to a tarball in # /etc/csf/suspicious.tar LF_DIRWATCH_DISABLE = "0" # This option allows you to have lfd watch a particular file or directory for # changes and should they change and email alert using watchalert.txt is sent # # To enable this feature set the following to the checking interval in seconds # (a value of 60 would seem sensible) and add your entries to csf.dirwatch # # Set to disable set to "0" LF_DIRWATCH_FILE = "0" # This is the interval that is used to flush reports of usernames, files and # pids so that persistent problems continue to be reported, in seconds. # A value of 3600 seems sensible LF_FLUSH = "3600" # System Integrity Checking. This enables lfd to compare md5sums of the # servers OS binary application files from the time when lfd starts. If the # md5sum of a monitored file changes an alert is sent. This option is intended # as an IDS (Intrusion Detection System) and is the last line of detection for # a possible root compromise. # # There will be constant false-positives as the servers OS is updated or # monitored application binaries are updated. However, unexpected changes # should be carefully inspected. # # Modified files will only be reported via email once. # # To enable this feature set the following to the checking interval in seconds # (a value of 3600 would seem sensible). This option may increase server I/O # load onto the server as it checks system binaries. # # To disable set to "0" LF_INTEGRITY = "3600" # System Exploit Checking. This enables lfd to check for the Random JS Toolkit # and may check for others in the future: # http://www.cpanel.net/security/notes/random_js_toolkit.html # It compares md5sums of the binaries listed in the exploit above for changes # and also attempts to create and remove a number directory # # Modified files will only be reported via email once, though will be reset # after an hour # # To enable this feature set the following to the checking interval in seconds # (a value of 300 would seem sensible). # # To disable set to "0" LF_EXPLOIT = "300" # This comma separated list allows you to (de)select which tests LF_EXPLOIT # performs # # For the SUPERUSER check, you can list usernames in csf.suignore to have them # ignored for that test # # Valid tests are: # JS,SUPERUSER LF_EXPLOIT_CHECK = "JS,SUPERUSER" # Set the time interval to track login failures within (seconds), i.e. # LF_TRIGGER failures within the last LF_INTERVAL seconds LF_INTERVAL = "300" # This is how long the lfd process sleeps (in seconds) before processing the # log file entries and checking whether other events need to be triggered LF_PARSE = "5" # Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour # per IP LT_EMAIL_ALERT = "1" # Block POP3 logins if greater than LT_POP3D times per hour per account per IP # address (0=disabled) # # This is a temporary block for the rest of the hour, afterwhich the IP is # unblocked LT_POP3D = "60" # Block IMAP logins if greater than LT_IMAPD times per hour per account per IP # address (0=disabled) - not recommended for IMAP logins due to the ethos # within which IMAP works. If you want to use this, setting it quite high is # probably a good idea # # This is a temporary block for the rest of the hour, afterwhich the IP is # unblocked LT_IMAPD = "0" # Relay Tracking. This allows you to track email that is relayed through the # server. It tracks general email sent into the server (RELAY), email sent out # after POP before SMTP (POPRELAY) and SMTP_AUTH (AUTHRELAY) authentication, # local email sent from the server (LOCALRELAY). There are also options to send # alerts and block IP addresses if the number of emails relayed per hour # exceeds configured limits. The blocks can be either permanent or temporary. # # The following information applies to each of the following types of relay # check: # RT_[relay type]_ALERT: 0 = disable, 1 = enable # RT_[relay type]_LIMIT: the limit/hour afterwhich an email alert will be sent # RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs RT_RELAY_ALERT = "1" RT_RELAY_LIMIT = "100" RT_RELAY_BLOCK = "0" RT_AUTHRELAY_ALERT = "1" RT_AUTHRELAY_LIMIT = "100" RT_AUTHRELAY_BLOCK = "0" RT_POPRELAY_ALERT = "1" RT_POPRELAY_LIMIT = "100" RT_POPRELAY_BLOCK = "0" RT_LOCALRELAY_ALERT = "1" RT_LOCALRELAY_LIMIT = "100" # The following option currently has no effect RT_LOCALRELAY_BLOCK = "0" # Connection Tracking. This option enables tracking of all connections from IP # addresses to the server. If the total number of connections is greater than # this value then the offending IP address is blocked. This can be used to help # prevent some types of DOS attack. # # Care should be taken with this option. It's entirely possible that you will # see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD # and HTTP so it could be quite easy to trigger, especially with a lot of # closed connections in TIME_WAIT. However, for a server that is prone to DOS # attacks this may be very useful. A reasonable setting for this option might # be arround 300. # # To disable this feature, set this to 0 CT_LIMIT = "700" # Connection Tracking interval. Set this to the the number of seconds between # connection tracking scans CT_INTERVAL = "30" # Send an email alert if an IP address is blocked due to connection tracking CT_EMAIL_ALERT = "1" # If you want to make IP blocks permanent then set this to 1, otherwise blocks # will be temporary and will be cleared after CT_BLOCK_TIME seconds CT_PERMANENT = "0" # If you opt for temporary IP blocks for CT, then the following is the interval # in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins) CT_BLOCK_TIME = "1800" # If you don't want to count the TIME_WAIT state against the connection count # then set the following to "1" CT_SKIP_TIME_WAIT = "1" # If you only want to count specific states (e.g. SYN_RECV) then add the states # to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT" # # Leave this option empty to count all states against CT_LIMIT CT_STATES = "" # If you only want to count specific ports (e.g. 80,443) then add the ports # to the following as a comma separated list. E.g. "80,443" # # Leave this option empty to count all ports against CT_LIMIT CT_PORTS = "" # Process Tracking. This option enables tracking of user and nobody processes # and examines them for suspicious executables or open network ports. Its # purpose is to identify potential exploit processes that are running on the # server, even if they are obfuscated to appear as system services. If a # suspicious process is found an alert email is sent with relevant information. # It is then the responsibility of the recipient to investigate the process # further as the script takes no further action # # The following is the number of seconds a process has to be active before it # is inspected. If you set this time too low, then you will likely trigger # false-positives with CGI or PHP scripts. # Set the value to 0 to disable this feature PT_LIMIT = "60" # How frequently processes are checked in seconds PT_INTERVAL = "60" # If you want process tracking to highlight php or perl scripts that are run # through apache then disable the following, # i.e. set it to 0 # # While enabling this setting will reduce false-positives, having it set to 0 # does provide better checking for exploits running on the server PT_SKIP_HTTP = "0" # If you want to track all linux accounts on a cPanel server, not just users # that are part of cPanel, then enable this option. This is recommended to # improve security from compromised accounts # # Set to 0 to disable the feature, 1 to enable it PT_ALL_USERS = "1" # lfd will report processes, even if they're listed in csf.pignore, if they're # tagged as (deleted) by Linux. This information is provided in Linux under # /proc/PID/exe. A (deleted) process is one that is running a binary that has # the inode for the file removed from the file system directory. This usually # happens when the binary has been replaced due to an upgrade for it by the OS # vendor or another third party (e.g. cPanel). You need to investigate whether # this is indeed the case to be sure that the original binary has not been # replaced by a rootkit or is running an exploit. # # To stop lfd reporting such process you need to restart the daemon to which it # belongs and therefore run the process using the replacement binary (presuming # one exists). This will normally mean running the associated startup script in # /etc/init.d/ # # If you don't want lfd to report deleted binary processes, set to 0 PT_DELETED = "1" # User Process Tracking. This option enables the tracking of the number of # process any given cPanel account is running at one time. If the number of # processes exceeds the value of the following setting an email alert is sent # with details of those processes. If you specify a user in csf.pignore it will # be ignored # # Set to 0 to disable this feature PT_USERPROC = "10" # This User Process Tracking option sends an alert if any cPanel user process # exceeds the memory usage set (MB). To ignore specific processes or users use # csf.pignore # # Set to 0 to disable this feature PT_USERMEM = "100" # This User Process Tracking option sends an alert if any cPanel user process # exceeds the time usage set (seconds). To ignore specific processes or users # use csf.pignore # # Set to 0 to disable this feature PT_USERTIME = "1800" # If this option is set then processes detected by PT_USERMEM, PT_USERTIME or # PT_USERPROC are killed # # Warning: We don't recommend enabling this option unless absolutely necessary # as it can cause unexpected problems when processes are suddenly terminated. # It can also lead to system processes being terminated which could cause # stability issues. It is much better to leave this option disabled and to # investigate each case as it is reported when the triggers above are breached # # Note: Processes that are running deleted excecutables (see PT_DELETED) will # not be killed by lfd PT_USERKILL = "1" # Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and # defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the # load average is greater than or equal to PT_LOAD_LEVEL then an email alert is # sent. lfd then does not report subsequent high load until PT_LOAD_SKIP # seconds has passed to prevent email floods. # # Set PT_LOAD to "0" to disable this feature PT_LOAD = "30" PT_LOAD_AVG = "5" PT_LOAD_LEVEL = "6" PT_LOAD_SKIP = "3600" # If a PT_LOAD event is triggered, then if the following contains the path to # a script, it will be run in a child process. For example, the script could # contain commands to terminate and restart httpd, php, exim, etc incase of # looping processes. The action script must have the execute bit an # interpreter (shebang) set PT_LOAD_ACTION = "" # Port Scan Tracking. This feature tracks port blocks logged by iptables to # syslog. If an IP address generates a port block that is logged more than # PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked. # # This feature could, for example, be useful for blocking hackers attempting # to access the standard SSH port if you have moved it to a port other than 22 # and have removed 22 from the TCP_IN list so that connection attempts to the # old port are being logged # # This feature blocks all iptables blocks from the iptables logs, including # repeated attempts to one port or SYN flood blocks, etc # # Note: This feature will only track iptables blocks from the log file set in # IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will # cause redundant blocking with DROP_IP_LOGGING enabled # # Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's) # could very quickly fill the iptables rule chains and cause a DOS in itself. # The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks # and the DENY_TEMP_IP_LIMIT with temporary blocks # # Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300 # would be sensible to enable this feature PS_INTERVAL = "300" PS_LIMIT = "0" # You can specify the ports and/or port ranges that should be tracked by the # Port Scan Tracking feature. The following setting is a comma separated list # of those ports and uses the same format as TCP_IN. The default setting of # 0:65535 covers all ports PS_PORTS = "0:65535" # You can select whether IP blocks for Port Scan Tracking should be temporary # or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent # blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to # temporarily block the IP address for PS_PERMANENT = "0" PS_BLOCK_TIME = "3600" # Set the following to "1" to enable Port Scan Tracking email alerts, set to # "0" to disable them PS_EMAIL_ALERT = "1" # Account Tracking. The following options enable the tracking of modifications # to the accounts on a server. If any of the enabled options are triggered by # a modifications to an account, an alert email is sent. Only the modification # is reported. The cause of the modification will have to be investigated # manually # # You can set AT_ALERT to the following: # 0 = disable this feature # 1 = enable this feature for all accounts # 2 = enable this feature only for accounts with uid 0 (e.g. root) AT_ALERT = "2" # This options is the interval between checks in seconds AT_INTERVAL = "60" # Send alert if a new account is created AT_NEW = "1" # Send alert if an existing account is deleted AT_OLD = "1" # Send alert if an account password has changed AT_PASSWD = "1" # Send alert if an account uid has changed AT_UID = "1" # Send alert if an account gid has changed AT_GID = "1" # Send alert if an account login directory has changed AT_DIR = "1" # Send alert if an account login shell has changed AT_SHELL = "1" # Display Country Code and Country for reported IP addresses CC_LOOKUPS = "1" # Messenger service. This feature allows the display of a message to a blocked # connecting IP address to inform the user that they are blocked in the # firewall. This can help when users get themselves blocked, e.g. due to # multiple login failures. The service is provided by two daemons running on # ports providing either an HTML or TEXT message. # # This feature does not work on servers that do not have the iptables module # ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS # server admins should check with their VPS host provider that the iptables # module is included. # # For further information on features and limitations refer to the csf # readme.txt # # Note: Run /etc/csf/csftest.pl to check whether this option will function on # this server # # 1 to enable, 0 to disable MESSENGER = "0" # Provide this service to temporary IP address blocks MESSENGER_TEMP = "1" # Provide this service to permanent IP address blocks MESSENGER_PERM = "1" # User account to run the service servers under. We recommend creating a # specific non-priv, non-shell account for this purpose MESSENGER_USER = "csf" # This is the maximum concurrent connections allowed to each service server MESSENGER_CHILDREN = "10" # Set this to the port that will receive the HTML message. You should configure # this port to be >1023 and different from the TEXT port. Do NOT enable access # to this port in TCP_IN MESSENGER_HTML = "8888" # This comma separated list are the HTML ports that will be redirected for the # blocked IP address. If you are using per application blocking (LF_TRIGGER) # then only the relevant block port will be redirected to the messenger port MESSENGER_HTML_IN = "80,2082,2095" # Set this to the port that will receive the TEXT message. You should configure # this port to be >1023 and different from the HTML port. Do NOT enable access # to this port in TCP_IN MESSENGER_TEXT = "8889" # This comma separated list are the TEXT ports that will be redirected for the # blocked IP address. If you are using per application blocking (LF_TRIGGER) # then only the relevant block port will be redirected to the messenger port MESSENGER_TEXT_IN = "21" # These settings limit the rate at which connections can be made to the # messenger service servers. Its intention is to provide protection from # attacks or excessive connections to the servers. If the rate is exceeded then # iptables will revert for the duration to the normal blocking actiity # # See the iptables man page for the correct --limit rate syntax MESSENGER_RATE = "30/m" MESSENGER_BURST = "5" # Statistics # # These options will be expanded in the future. # # This option enabled statistical data gathering ST_ENABLE = "1" # This option determines how many iptables log lines to store for reports ST_IPTABLES = "100" # This option indicates whether rDNS and CC lookups are performed at the time # the log line is recorded (this is not performed when viewing the reports) # # Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits, # then enabling this setting could cause serious performance problems ST_LOOKUP = "1" # If you find ever increasing numbers of zombie lfd processes you may need to # revert to the old child reaper code by enabling this option OLD_REAPER = "0" # OS settings IPTABLES = "/sbin/iptables" MODPROBE = "/sbin/modprobe" IFCONFIG = "/sbin/ifconfig" SENDMAIL = "/usr/sbin/sendmail" PS = "/bin/ps" FUSER = "/sbin/fuser" VMSTAT = "/usr/bin/vmstat" LS = "/bin/ls" MD5SUM = "/usr/bin/md5sum" TAR = "/bin/tar" CHATTR = "/usr/bin/chattr" # Log files HTACCESS_LOG = "/usr/local/apache/logs/error_log" MODSEC_LOG = "/usr/local/apache/logs/error_log" SSHD_LOG = "/var/log/secure" SU_LOG = "/var/log/secure" FTPD_LOG = "/var/log/messages" SMTPAUTH_LOG = "/var/log/exim_mainlog" SMTPRELAY_LOG = "/var/log/exim_mainlog" POP3D_LOG = "/var/log/maillog" IMAPD_LOG = "/var/log/maillog" CPANEL_LOG = "/usr/local/cpanel/logs/login_log" SCRIPT_LOG = "/var/log/exim_mainlog" IPTABLES_LOG = "/var/log/messages" SUHOSIN_LOG = "/var/log/messages" CUSTOM1_LOG = "/var/log/messages" CUSTOM2_LOG = "/var/log/messages" CUSTOM3_LOG = "/var/log/messages" CUSTOM4_LOG = "/var/log/messages" CUSTOM5_LOG = "/var/log/messages" CUSTOM6_LOG = "/var/log/messages" CUSTOM7_LOG = "/var/log/messages" CUSTOM8_LOG = "/var/log/messages" CUSTOM9_LOG = "/var/log/messages" # For internal use only. You should not enable this option as it could cause # instability in csf and lfd DEBUG = "0"