###############################################################################
# SECTION:Initial Settings
###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
TESTING = "0"

# The interval for the crontab in minutes. Since this uses the system clock the
# CRON job will run at the interval past the hour and not from when you issue
# the start command. Therefore an interval of 5 minutes means the firewall
# will be cleared in 0-5 minutes from the firewall start
TESTING_INTERVAL = "5"

# SECURITY WARNING
# ================
#
# Unfortunately, syslog and rsyslog allow end-users to log messages to some
# system logs via the same unix socket that other local services use. This
# means that any log line shown in these system logs that syslog or rsyslog
# maintain can be spoofed (they are exactly the same as real log lines).
#
# Since some of the features of lfd rely on such log lines, spoofed messages
# can cause false-positive matches which can lead to confusion at best, or
# blocking of any innocent IP address or making the server inaccessible at
# worst.
#
# Any option that relies on the log entries in the files listed in
# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
# vulnerable to exploitation by end-users and scripts run by end-users.
#
# NOTE: Not all log files are affected as they may not use syslog/rsyslog
#
# The option RESTRICT_SYSLOG disables all these features that rely on affected
# logs. These options are:
# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
# PORTKNOCKING_ALERT
#
# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
#
# The following options are still enabled by default on new installations so
# that, on balance, csf/lfd still provides expected levels of security:
# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options
# that are enabled could be triggered by spoofed log lines and lead to the
# server being inaccessible in the worst case. If you do not want to take that
# risk you should set RESTRICT_SYSLOG to "1" and those features will not work
# but you will not be protected from the exploits that they normally help block
#
# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
# the syslog/rsyslog unix socket.
#
# For further advice on how to help mitigate these issues, see
# /etc/csf/readme.txt
#
# 0 = Allow those options listed above to be used and configured
# 1 = Disable all the options listed above and prevent them from being used
# 2 = Disable only alerts about this feature and do nothing else
# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
#
# NOTE(review): this is left at "0", so whichever of the log-based options
# listed above are enabled (the LF_* settings live further down this file and
# are not visible here) can be triggered by a spoofed log line exactly as the
# warning describes. Confirm this is intentional; "3" is the value recommended
# above and only needs RESTRICT_SYSLOG_GROUP below to be set.
RESTRICT_SYSLOG = "0"

# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
#
# You can add users to this group by changing /etc/csf/csf.syslogusers and then
# restarting lfd afterwards. This will create the system group and add the
# users from csf.syslogusers if they exist to that group and will change the
# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
# monitored and the permissions re-applied should syslog/rsyslog be restarted
#
# Using this option will prevent some legitimate logging, e.g. end-user cron
# job logs
#
# If you want to revert RESTRICT_SYSLOG to another option and disable this
# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
# syslog/rsyslog and the unix sockets will be reset
RESTRICT_SYSLOG_GROUP = "mysyslog"

# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1" and if any of the
# restricted items need to be changed, they are done so from the root shell
#
# 0 = Unrestricted UI
# 1 = Restricted UI
# 2 = Disabled UI
RESTRICT_UI = "1"

# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
# runs once per day to see if there is an update to csf+lfd and upgrades if
# available and restarts csf and lfd
#
# You should check for new version announcements at http://blog.configserver.com
#
# NOTE(review): with this enabled the firewall code is replaced and restarted
# unattended once a day; make sure that fits the change-control expectations
# for this host, and keep the update log in scope for monitoring.
AUTO_UPDATES = "1"
107
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Some kernel/iptables setups do not perform stateful connection tracking
# correctly (typically some virtual servers or custom compiled kernels), so a
# SPI firewall will not function correctly. If this happens, LF_SPI can be set
# to 0 to reconfigure csf as a static firewall.
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
#
# If you allow incoming DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source port 53;
#
# This will force incoming DNS traffic only through port 53
#
# Disabling this option will break firewall functionality that relies on
# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
# less secure
#
# This option should be set to "1" in all other circumstances
LF_SPI = "1"

# Allow incoming TCP ports
#
# NOTE(review): this list carries 2079, 2080, 22666 and 3000, which are not
# present in TCP6_IN below. Confirm which service listens on each, that each is
# meant to be reachable from any source, and whether the IPv6 list should
# mirror it — an IPv4/IPv6 mismatch usually means one of the two is stale.
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,22666,3000"

# Allow outgoing TCP ports
#
# NOTE(review): 22666 and 3000 are also allowed outbound here but not in
# TCP6_OUT; see the note on TCP_IN.
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,22666,3000"

# Allow incoming UDP ports
UDP_IN = "20,21,53"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "20,21,53,113,123,873,6277,24441"

# Allow incoming PING. Disabling PING will likely break external uptime
# monitoring
ICMP_IN = "1"

# Set the per IP address incoming ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_IN_RATE = "1/s"

# Allow outgoing PING
#
# Unless there is a specific reason, this option should NOT be disabled as it
# could break OS functionality
ICMP_OUT = "1"

# Set the per IP address outgoing ICMP packet rate for PING requests. This
# ratelimits PING requests which if exceeded results in silently rejected
# packets. Disable or increase this value if you are seeing PING drops that you
# do not want
#
# Unless there is a specific reason, this option should NOT be enabled as it
# could break OS functionality
#
# To disable rate limiting set to "0", otherwise set according to the iptables
# documentation for the limit module. For example, "1/s" will limit to one
# packet per second
ICMP_OUT_RATE = "0"

# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
# should be dropped, you can enable the following option. Otherwise, there
# appears to be little evidence that it has anything to do with a security risk
# and can impact network performance, so should be left disabled by everyone
# else
ICMP_TIMESTAMPDROP = "0"
190
###############################################################################
# SECTION:IPv6 Port Settings
###############################################################################
# IPv6: (Requires ip6tables)
#
# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
#
# Supported:
# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
# SYNFLOOD, LF_NETBLOCK
#
# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
# CC_ALLOW_SMTPAUTH
#
# Supported if ip6tables >= 1.4.3:
# PORTFLOOD, CONNLIMIT
#
# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
# installed:
# MESSENGER DOCKER SMTP_REDIRECT
#
# Not supported:
# ICMP_IN, ICMP_OUT
#
IPV6 = "1"

# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
# connection types
IPV6_ICMP_STRICT = "0"

# Pre v2.6.20 kernel must set this option to "0" as no working state module is
# present, so a static firewall is configured as a fallback
#
# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
# not support IPv6 connection tracking by opening ephemeral port range
# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
# same workaround implemented by RedHat in the sample default IPv6 rules
#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
#
# If you allow incoming ipv6 DNS lookups you may need to use the following
# directive in the options{} section of your named.conf:
#
# query-source-v6 port 53;
#
# This will force ipv6 incoming DNS traffic only through port 53
#
# These changes are not necessary if the SPI firewall is used
IPV6_SPI = "1"

# Allow incoming IPv6 TCP ports
#
# NOTE(review): differs from TCP_IN (no 2079, 2080, 22666, 3000). If those
# services also bind on IPv6 they are not reachable here; if they are
# IPv4-only this is fine — confirm which.
TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"

# Allow outgoing IPv6 TCP ports
TCP6_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"

# Allow incoming IPv6 UDP ports
UDP6_IN = "20,21,53"

# Allow outgoing IPv6 UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP6_OUT = "20,21,53,113,123,873,6277,24441"
261
###############################################################################
# SECTION:General Settings
###############################################################################
# By default, csf will auto-configure iptables to filter all traffic except on
# the loopback device. If you only want iptables rules applied to a specific
# NIC, then list it here (e.g. eth1, or eth+)
ETH_DEVICE = ""

# By adding a device to this option, ip6tables can be configured only on the
# specified device. Otherwise, ETH_DEVICE and then the default setting will be
# used
ETH6_DEVICE = ""

# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g "eth1,eth2")
ETH_DEVICE_SKIP = ""

# This option should be enabled unless the kernel does not support the
# "conntrack" module
#
# To use the deprecated iptables "state" module, change this to 0
USE_CONNTRACK = "1"

# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
# This will also remove the RELATED target from the global state iptables rule
#
# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
# the raw tables do not exist. The USE_CONNTRACK option should be enabled
#
# To enable this option, set it to your FTP server listening port number
# (normally 21), do NOT set it to "1"
USE_FTPHELPER = "0"

# Check whether syslog is running. Many of the lfd checks require syslog to be
# running correctly. This test will send a coded message to syslog every
# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
# syslogalert.txt is sent
#
# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
#
# NOTE(review): disabled here, so a stalled or stopped syslog is not detected
# and the log-based lfd checks stop working silently. A value in the suggested
# 300-3600 range gives an alert for that condition.
SYSLOG_CHECK = "0"

# Enable this option if you do not wish to block all IP's that have
# authenticated using POP before SMTP (i.e. are valid clients). This option
# checks for IP addresses in /etc/relayhosts, which last for 30 minutes in that
# file after a successful POP authentication.
#
# Set the value to 0 to disable the feature
RELAYHOSTS = "0"

# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
# listed in csf.allow in addition to csf.ignore (the default). This option
# should be used with caution as it would mean that IP's allowed through the
# firewall from infected PC's could launch attacks on the server that lfd
# would ignore
IGNORE_ALLOW = "0"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic (i.e. relying on iptables connection tracking). Enabling this option
# could cause DNS resolution issues both to and from the server but could help
# prevent abuse of the local DNS server
DNS_STRICT = "0"

# Enable the following option if you want to apply strict iptables rules to DNS
# traffic between the server and the nameservers listed in /etc/resolv.conf
# Enabling this option could cause DNS resolution issues both to and from the
# server but could help prevent abuse of the local DNS server
DNS_STRICT_NS = "0"

# Limit the number of IP's kept in the /etc/csf/csf.deny file
#
# Care should be taken when increasing this value on servers with low memory
# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
# thousands) can sometimes cause network slowdown
#
# The value set here is the maximum number of IPs/CIDRs allowed
# if the limit is reached, the entries will be rotated so that the oldest
# entries (i.e. the ones at the top) will be removed and the latest is added.
# The limit is only checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
#
# For implementations wishing to set this value significantly higher, we
# recommend using the IPSET option
#
# NOTE(review): once 200 entries are reached the oldest permanent blocks are
# silently dropped; keep an eye on csf.deny churn if this host sees sustained
# brute-force traffic, or raise the limit together with LF_IPSET below.
DENY_IP_LIMIT = "200"

# Limit the number of IP's kept in the temporary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
DENY_TEMP_IP_LIMIT = "100"

# Enable login failure detection daemon (lfd). If set to 0 none of the
# following settings will have any effect as the daemon won't start.
LF_DAEMON = "1"

# Check whether csf appears to have been stopped and restart if necessary,
# unless TESTING is enabled above. The check is done every 300 seconds
LF_CSF = "1"

# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
# IP6TABLES_RESTORE in two ways:
#
# 1. On a clean server reboot the entire csf iptables configuration is saved
# and then restored where possible to provide a near instant firewall
# startup[*]
#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
# BOGON, TOR are loaded using this method in a fraction of the time than if
# this setting is disabled
#
# [*]Not supported on all OS platforms
#
# Set to "0" to disable this functionality
FASTSTART = "1"

# This option allows you to use ipset v6+ for the following csf options:
# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
#
# ipset will only be used with the above options when listing IPs and CIDRs.
# Advanced Allow Filters and temporary blocks use traditional iptables
#
# Using ipset moves the onus of ip matching against large lists away from
# iptables rules and to a purpose built and optimised database matching
# utility. It also simplifies the switching in of updated lists
#
# To use this option you must have a fully functioning installation of ipset
# installed either via rpm or source from http://ipset.netfilter.org/
#
# Note: Using ipset has many advantages, some disadvantages are that you will
# no longer see packet and byte counts against IPs and it makes identifying
# blocked/allowed IPs that little bit harder
#
# Note: If you mainly use IP address only entries in csf.deny, you can increase
# the value of DENY_IP_LIMIT significantly if you wish
#
# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
# containers even if it has been installed
#
# If you find any problems, please post on forums.configserver.com with full
# details of the issue
LF_IPSET = "0"

# Versions of iptables greater or equal to v1.4.20 should support the --wait
# option. This forces iptables commands that use the option to wait until a
# lock by any other process using iptables completes, rather than simply
# failing
#
# Enabling this feature will add the --wait option to iptables commands
#
# NOTE: The disadvantage of using this option is that any iptables command that
# uses it will hang until the lock is released. This could cause a cascade of
# hung processes trying to issue iptables commands. To try and avoid this issue
# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
# a failure if reached
WAITLOCK = "1"
WAITLOCK_TIMEOUT = "300"  # seconds

# The following sets the hashsize for ipset sets, which must be a power of 2.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "1024"
LF_IPSET_HASHSIZE = "1024"

# The following sets the maxelem for ipset sets.
#
# Note: Increasing this value will consume more memory for all sets
# Default: "65536"
LF_IPSET_MAXELEM = "65536"

# If you enable this option then whenever a CLI request to restart csf is used
# lfd will restart csf instead within LF_PARSE seconds
#
# This feature can be helpful for restarting configurations that cannot use
# FASTSTART
LFDSTART = "0"

# Enable verbose output of iptables commands
VERBOSE = "1"

# Drop out of order packets and packets in an INVALID state in iptables
# connection tracking
PACKET_FILTER = "1"

# Perform reverse DNS lookups on IP addresses. See also CC_LOOKUPS
LF_LOOKUPS = "1"

# Custom styling is possible in the csf UI. See the readme.txt for more
# information under "UI skinning and Mobile View"
#
# This option enables the use of custom styling. If the styling fails to work
# correctly, e.g. custom styling does not take into account a change in the
# standard csf UI, then disabling this option will return the standard UI
STYLE_CUSTOM = "0"

# This option disables the presence of the Mobile View in the csf UI
STYLE_MOBILE = "1"
460
###############################################################################
# SECTION:SMTP Settings
###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection as WHM > Tweak Settings > SMTP Tweaks
#
# This option uses the iptables ipt_owner/xt_owner module and must be loaded
# for it to work. It may not be available on some VPS platforms
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# NOTE(review): left disabled. The port lists above (2077-2096) suggest a
# cPanel host; if so, confirm that the WHM "SMTP Tweaks" control named above
# is providing the equivalent restriction, otherwise any local script can
# open direct outbound SMTP connections on SMTP_PORTS.
SMTP_BLOCK = "0"

# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
# on the server (e.g. for webmail or web scripts) then enable this option to
# allow outgoing SMTP connections to the loopback device
SMTP_ALLOWLOCAL = "1"

# This option redirects outgoing SMTP connections destined for remote servers
# for non-bypass users to the local SMTP server to force local relaying of
# email. Such email may require authentication (SMTP AUTH)
SMTP_REDIRECT = "0"

# This is a comma separated list of the ports to block. You should list all
# ports that exim is configured to listen on
SMTP_PORTS = "25,465,587"

# Always allow the following comma separated users and groups to bypass
# SMTP_BLOCK
#
# Note: root (UID:0) is always allowed
SMTP_ALLOWUSER = "cpanel"
SMTP_ALLOWGROUP = "mail,mailman"

# This option will only allow SMTP AUTH to be advertised to the IP addresses
# listed in /etc/csf/csf.smtpauth on EXIM mail servers
#
# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
# additionally restrict access to specific countries
#
# This is to help limit attempts at distributed attacks against SMTP AUTH which
# are difficult to achieve since port 25 needs to be open to relay email
#
# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
# connection, then SMTP AUTH will not accept logins, defeating the attacks
# without restricting mail relaying
#
# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
# that the lookup file in /etc/exim.smtpauth is regenerated from the
# information from /etc/csf/csf.smtpauth plus any countries listed in
# CC_ALLOW_SMTPAUTH
#
# NOTE: To make this option work you MUST make the modifications to exim.conf
# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
# after enabling the option here, otherwise this option will not work
#
# To enable this option, set to 1 and make the exim configuration changes
# To disable this option, set to 0 and undo the exim configuration changes
SMTPAUTH_RESTRICT = "0"
521
###############################################################################
# SECTION:Port Flood Settings
###############################################################################
# Enable SYN Flood Protection. This option configures iptables to offer some
# protection from tcp SYN packet DOS attempts. You should set the RATE so that
# false-positives are kept to a minimum otherwise visitors may see connection
# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
# man page for the correct --limit rate syntax
#
# Note: This option should ONLY be enabled if you know you are under a SYN
# flood attack as it will slow down all new connections from any IP address to
# the server if triggered
SYNFLOOD = "0"
SYNFLOOD_RATE = "100/s"   # iptables --limit syntax, see above
SYNFLOOD_BURST = "150"    # packets allowed before the rate applies

# Connection Limit Protection. This option configures iptables to offer more
# protection from DOS attacks against specific ports. It can also be used as a
# way to simply limit resource usage by IP address to specific server services.
# This option limits the number of concurrent new connections per IP address
# that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Connection Limit Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# Empty: no per-port concurrent-connection limits are applied
CONNLIMIT = ""

# Port Flood Protection. This option configures iptables to offer protection
# from DOS attacks against specific ports. This option limits the number of
# new connections per time interval that can be made to specific ports
#
# This feature does not work on servers that do not have the iptables module
# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
# server admins should check with their VPS host provider that the iptables
# module is included
#
# For further information and syntax refer to the Port Flood Protection
# section of the csf readme.txt
#
# Note: Run /etc/csf/csftest.pl to check whether this option will function on
# this server
#
# Empty: no per-port new-connection rate limits are applied
PORTFLOOD = ""

# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
# These typically originate from exploit scripts uploaded through vulnerable
# web scripts. Care should be taken on servers that use services that utilise
# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
#
# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
UDPFLOOD = "0"
UDPFLOOD_LIMIT = "100/s"  # iptables --limit syntax
UDPFLOOD_BURST = "500"    # packets allowed before the limit applies

# This is a list of usernames that should not be rate limited, such as "named"
# to prevent bind traffic from being limited.
#
# Note: root (UID:0) is always allowed
UDPFLOOD_ALLOWUSER = "named"
588
###############################################################################
# SECTION:Logging Settings
###############################################################################
# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
# perl module Sys::Syslog installed to use this feature
SYSLOG = "0"

# Drop target for incoming iptables rules. This can be set to either DROP or
# REJECT. REJECT will send back an error packet, DROP will not respond at all.
# REJECT is more polite, however it does provide extra information to a hacker
# and lets them know that a firewall is blocking their attempts. DROP hangs
# their connection, thereby frustrating attempts to port scan the server
DROP = "DROP"

# Drop target for outgoing iptables rules. This can be set to either DROP or
# REJECT as with DROP, however as such connections are from this server it is
# better to REJECT connections to closed ports rather than to DROP them. This
# helps to immediately free up server resources rather than tying them up until
# a connection times out. It also tells the process making the connection that
# it has immediately failed
#
# It is possible that some monolithic kernels may not support the REJECT
# target. If this is the case, csf checks before using REJECT and falls back to
# using DROP, issuing a warning to set this to DROP instead
DROP_OUT = "REJECT"

# Enable logging of dropped connections to blocked ports to syslog, usually
# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
DROP_LOGGING = "1"

# Enable logging of dropped incoming connections from blocked IP addresses
#
# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
DROP_IP_LOGGING = "0"

# Enable logging of dropped outgoing connections
#
# Note: Only outgoing SYN packets for TCP connections are logged, other
# protocols log all packets
#
# We recommend that you enable this option
DROP_OUT_LOGGING = "1"

# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
# out (where available) which can help track abuse
DROP_UID_LOGGING = "1"

# Only log incoming reserved port dropped connections (0:1023). This can reduce
# the amount of log noise from dropped connections, but will affect options
# such as Port Scan Tracking (PS_INTERVAL)
DROP_ONLYRES = "0"

# Commonly blocked ports that you do not want logging as they tend to just fill
# up the log file. These ports are specifically blocked (applied to TCP and UDP
# protocols) for incoming connections
DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"

# Log packets dropped by the packet filtering option PACKET_FILTER
DROP_PF_LOGGING = "0"

# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
# addresses breaking the Connection Limit Protection will be blocked
CONNLIMIT_LOGGING = "0"

# Enable logging of UDP floods. This should be enabled, especially with User ID
# Tracking enabled
UDPFLOOD_LOGGING = "1"

# Send an alert if log file flooding is detected which causes lfd to skip log
# lines to prevent lfd from looping. If this alert is sent you should check the
# reported log file for the reason for the flooding
#
# NOTE(review): with this disabled, lfd still skips log lines under flooding
# but nobody is told, so a burst of noise could mask the very entries the
# log-based checks rely on. Enabling it costs nothing but an occasional email.
LOGFLOOD_ALERT = "0"
662
###############################################################################
# SECTION:Reporting Settings
###############################################################################
# By default, lfd will send alert emails using the relevant alert template to
# the To: address configured within that template. Setting the following
# option will override the configured To: field in all lfd alert emails
#
# Leave this option empty to use the To: field setting in each alert template
LF_ALERT_TO = ""

# By default, lfd will send alert emails using the relevant alert template from
# the From: address configured within that template. Setting the following
# option will override the configured From: field in all lfd alert emails
#
# Leave this option empty to use the From: field setting in each alert template
LF_ALERT_FROM = ""

# By default, lfd will send all alerts using the SENDMAIL binary. To send using
# SMTP directly, you can set the following to a relaying SMTP server, e.g.
# "127.0.0.1". Leave this setting blank to use SENDMAIL
LF_ALERT_SMTP = ""

# Block Reporting. lfd can run an external script when it performs an IP
# address block following for example a login failure. The following setting
# is to the full path of the external script which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
#
# NOTE(review): anything set here runs with lfd's privileges on every block
# event; keep the script root-owned and not writable by other users.
BLOCK_REPORT = ""

# To also run an external script when a temporary block is unblocked: the
# following setting can be the full path of the external script which must be
# executable. See readme.txt for format details
#
# Leave this setting blank to disable
UNBLOCK_REPORT = ""

# In addition to the standard lfd email alerts, you can additionally enable the
# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
# block alert messages will be sent. The reports use our schema at:
# https://download.configserver.com/abuse_login-attack_0.2.json
#
# These reports are in a format accepted by many Netblock owners and should
# help them investigate abuse. This option is not designed to automatically
# forward these reports to the Netblock owners and should be checked for
# false-positive blocks before reporting
#
# If available, the report will also include the abuse contact for the IP from
# the Abusix Contact DB: https://abusix.com/contactdb.html
#
# Note: The following block types are not reported through this feature:
# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
X_ARF = "0"

# By default, lfd will send emails from the root forwarder. Setting the
# following option will override this
X_ARF_FROM = ""

# By default, lfd will send emails to the root forwarder. Setting the following
# option will override this
X_ARF_TO = ""
724
725# If you want to automatically send reports to the abuse contact where found,
726# you can enable the following option
727#
728# Note: You MUST set X_ARF_FROM to a valid email address for this option to
729# work. This is so that the abuse contact can reply to the report
730#
731# However, you should be aware that without manual checking you could be
732# reporting innocent IP addresses, including your own clients, yourself and
733# your own servers
734#
735# Additionally, just because a contact address is found, does not mean that
736# there is anyone on the end of it reading, processing or acting on such
737# reports, and you could conceivably be reported for sending spam
738#
739# We do not recommend enabling this option. Abuse reports should be checked and
740# verified before being forwarded to the abuse contact
741X_ARF_ABUSE = "0"
742
743###############################################################################
744# SECTION:Temp to Perm/Netblock Settings
745###############################################################################
746# Temporary to Permanent IP blocking. The following enables this feature to
747# permanently block IP addresses that have been temporarily blocked more than
748# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
749# LF_PERMBLOCK to "1" to enable this feature
750#
751# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
752# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
753# (TTL) for blocked IPs, to be effective
754#
755# Set LF_PERMBLOCK to "0" to disable this feature
756LF_PERMBLOCK = "1"
757LF_PERMBLOCK_INTERVAL = "86400"
758LF_PERMBLOCK_COUNT = "4"
759LF_PERMBLOCK_ALERT = "1"
760
761# Permanently block IPs by network class. The following enables this feature
762# to permanently block classes of IP address where individual IP addresses
763# within the same class LF_NETBLOCK_CLASS have already been blocked more than
764# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
765# LF_NETBLOCK to "1" to enable this feature
766#
767# This can be an effective way of blocking DDOS attacks launched from within
768# the same network class
769#
770# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
771# consideration is required when blocking network classes A or B
772#
773# Set LF_NETBLOCK to "0" to disable this feature
774LF_NETBLOCK = "0"
775LF_NETBLOCK_INTERVAL = "86400"
776LF_NETBLOCK_COUNT = "4"
777LF_NETBLOCK_CLASS = "C"
778LF_NETBLOCK_ALERT = "1"
779
780# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
781# Great care should be taken with IPV6 netblock ranges due to the large number
782# of addresses involved
783#
784# To disable IPv6 netblocks set to ""
785LF_NETBLOCK_IPV6 = ""
786
787###############################################################################
788# SECTION:Global Lists/DYNDNS/Blocklists
789###############################################################################
790# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
791# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
792# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
793# chain, then flush and delete the old dynamic chain and rename the new chain.
794#
795# This prevents a small window of opportunity opening when an update occurs and
796# the dynamic chain is flushed for the new rules.
797#
798# This option should not be enabled on servers with long dynamic chains (e.g.
799# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
800# Virtuozzo VPS servers with a restricted numiptent value. This is because each
801# chain will effectively be duplicated while the update occurs, doubling the
802# number of iptables rules
803SAFECHAINUPDATE = "0"
804
805# If you wish to allow access from dynamic DNS records (for example if your IP
806# address changes whenever you connect to the internet but you have a dedicated
807# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
808# records in csf.dyndns and then set the following to the number of seconds to
809# poll for a change in the IP address. If the IP address has changed iptables
810# will be updated.
811#
812# If the FQDN has multiple A records then all of the IP addresses will be
813# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
814# also be allowed.
815#
816# A setting of 600 would check for IP updates every 10 minutes. Set the value
817# to 0 to disable the feature
818DYNDNS = "0"
819
820# To always ignore DYNDNS IP addresses in lfd blocking, set the following
821# option to 1
822DYNDNS_IGNORE = "0"
823
824# The following Global options allow you to specify a URL where csf can grab a
825# centralised copy of an IP allow or deny block list of your own. You need to
826# specify the full URL in the following options, i.e.:
827# http://www.somelocation.com/allow.txt
828#
829# The actual retrieval of these IP's is controlled by lfd, so you need to set
830# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
831# will perform the retrieval when it runs and then again at the specified
832# interval. A sensible interval would probably be every 3600 seconds (1 hour).
833# A minimum value of 300 is enforced for LF_GLOBAL if enabled
#
# Since the contents of these lists go straight into the firewall's allow and
# deny rules, host them on a server you control and prefer an https:// URL
# (see URLGET) so they cannot be altered in transit
834#
835# You do not have to specify both an allow and a deny file
836#
837# You can also configure a global ignore file for IP's that lfd should ignore
838LF_GLOBAL = "0"
839
840GLOBAL_ALLOW = ""
841GLOBAL_DENY = ""
842GLOBAL_IGNORE = ""
843
844# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
845# this to the URL of the file containing DYNDNS entries
846GLOBAL_DYNDNS = ""
847
848# Set the following to the number of seconds to poll for a change in the IP
849# address resolved from GLOBAL_DYNDNS
850GLOBAL_DYNDNS_INTERVAL = "600"
851
852# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
853# option to 1
854GLOBAL_DYNDNS_IGNORE = "0"
855
856# Blocklists are controlled by modifying /etc/csf/csf.blocklists
857#
858# If you don't want BOGON rules applied to specific NICs, then list them in
859# a comma separated list (e.g. "eth1,eth2")
860LF_BOGON_SKIP = ""
861
862# The following option can be used to select either HTTP::Tiny or
863# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
864# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
865# have to be installed manually, but it has better support for https:// URLs,
866# which also requires the LWP::Protocol::https perl module
867#
868# For example:
869#
870# On rpm based systems:
871#
872# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
873#
874# On APT based systems:
875#
876# apt-get install libwww-perl liblwp-protocol-https-perl
877#
878# Via cpan:
879#
880# perl -MCPAN -eshell
881# cpan> install LWP LWP::Protocol::https
882#
883# We recommend setting this to "2" as upgrades to csf will be performed
884# over SSL to https://download.configserver.com
885#
886# "1" = HTTP::Tiny
887# "2" = LWP::UserAgent
888URLGET = "2"
889
890###############################################################################
891# SECTION:Country Code Lists and Settings
892###############################################################################
893# Country Code to CIDR allow/deny. In the following two options you can allow
894# or deny whole country CIDR ranges. The CIDR blocks are generated from the
895# MaxMind GeoLite2 Country database at:
896# https://dev.MaxMind.com/geoip/geoip2/geolite2/
897# This feature relies entirely on that service being available
898#
899# Specify the two-letter ISO Country Code(s). The iptables rules are for
900# incoming connections only
901#
902# Additionally, ASN numbers can also be added to the comma separated lists
903# below that also list Country Codes. The same WARNINGS for Country Codes apply
904# to the use of ASNs. More about Autonomous System Numbers (ASN):
905# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
906#
907# You should consider using LF_IPSET when using any of the following options
908#
909# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
910# non-geographic IP address designations for their clients
911#
912# WARNING: Some of the CIDR lists are huge and each one requires a rule within
913# the incoming iptables chain. This can result in significant performance
914# overheads and could render the server inaccessible in some circumstances. For
915# this reason (amongst others) we do not recommend using these options
916#
917# WARNING: Due to the resource constraints on VPS servers this feature should
918# not be used on such systems unless you choose very small CC zones
919#
920# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
921# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
922# preferred
923#
924# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
925CC_DENY = ""
926CC_ALLOW = ""
927
928# An alternative to CC_ALLOW is to only allow access from the following
929# countries but still filter based on the port and packets rules. All other
930# connections are dropped
931CC_ALLOW_FILTER = ""
932
933# This option allows access from the following countries to specific ports
934# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
935#
936# Note: The rules for this feature are inserted after the allow and deny
937# rules to still allow blocking of IP addresses
938#
939# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
940CC_ALLOW_PORTS = ""
941
942# All listed ports should be removed from TCP_IN/UDP_IN to block access from
943# elsewhere. This option uses the same format as TCP_IN/UDP_IN
944#
945# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN;
946# then only countries listed in CC_ALLOW_PORTS can access FTP
947CC_ALLOW_PORTS_TCP = ""
948CC_ALLOW_PORTS_UDP = ""
949
950# This option denies access from the following countries to specific ports
951# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
952#
953# Note: The rules for this feature are inserted after the allow and deny
954# rules so that IP addresses can still be explicitly allowed
955#
956# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
957CC_DENY_PORTS = ""
958
959# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
960# NOT be removed from TCP_IN/UDP_IN
961#
962# An example would be to list port 21 here; then countries listed in
963# CC_DENY_PORTS cannot access FTP
964CC_DENY_PORTS_TCP = ""
965CC_DENY_PORTS_UDP = ""
966
967# This Country Code list will prevent lfd from blocking IP address hits for the
968# listed CC's
969#
970# CC_LOOKUPS must be enabled to use this option
971CC_IGNORE = ""
972
973# This Country Code list will only allow SMTP AUTH to be advertised to the
974# listed countries in EXIM. This is to help limit attempts at distributed
975# attacks against SMTP AUTH, which are otherwise difficult to limit since port
976# 25 needs to be open to relay email
977#
978# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
979# connection, then SMTP AUTH will not accept logins, defeating the attacks
980# without restricting mail relaying
981#
982# This option can generate a very large list of IP addresses that could easily
983# severely impact on SMTP (mail) performance, so care must be taken when
984# selecting countries and if performance issues ensue
985#
986# The option SMTPAUTH_RESTRICT must be enabled to use this option
987CC_ALLOW_SMTPAUTH = ""
988
989# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
990# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
991# help reduce the number of CC entries and may improve iptables throughput.
992# Obviously, this will deny/allow fewer IP addresses depending on how small you
993# configure the option
994#
995# For example, to ignore all CIDR (and single IP) entries smaller than a /16,
996# set this option to "16". Set to "" to block all CC IP addresses
997CC_DROP_CIDR = ""
998
999# Display Country Code and Country for reported IP addresses. This option can
1000# be configured to use the MaxMind Country Database or the more detailed (and
1001# much larger and therefore slower) MaxMind City Database. An additional option
1002# is also available if you cannot use the MaxMind databases
1003#
1004# "0" - disable
1005# "1" - Reports: Country Code and Country
1006# "2" - Reports: Country Code and Country and Region and City
1007# "3" - Reports: Country Code and Country and Region and City and ASN
1008# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
1009#
1010# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
1011# uses a URL-based lookup from a third-party provider at https://freegeoip.net
1012# and so avoids having to download and process the large databases. Please
1013# visit the https://freegeoip.net and read their limitations and respect that
1014# this option will either cease to function or be removed by us if that site is
1015# abused or overloaded. ONLY use this option if you have difficulties using the
1016# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
1017# CC_* options above, which will continue to use the MaxMind databases
1018#
1019CC_LOOKUPS = "1"
1020
1021# Display Country Code and Country for reported IPv6 addresses using the
1022# MaxMind Country IPv6 Database
1023#
1024# "0" - disable
1025# "1" - enable and report the detail level as specified in CC_LOOKUPS
1026#
1027# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
1028# PORTFLOOD
1029CC6_LOOKUPS = "0"
1030
1031# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
1032# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
1033# days)
1034CC_INTERVAL = "14"
1035
1036###############################################################################
1037# SECTION:Login Failure Blocking and Alerts
1038###############################################################################
1039# The following[*] triggers are application specific. If you set LF_TRIGGER to
1040# "0" the value of each trigger is the number of failures against that
1041# application that will trigger lfd to block the IP address
1042#
1043# If you set LF_TRIGGER to a value greater than "0" then the following[*]
1044# application triggers are simply on or off ("0" or "1") and the value of
1045# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
1046# to block the IP address
1047#
1048# Setting the application trigger to "0" disables it
1049LF_TRIGGER = "0"
1050
1051# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
1052# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
1053# "1" and the IP address will be blocked temporarily for that value in seconds.
1054# For example:
1055# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
1056# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
1057#
1058# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
1059# in the same way as above and LF_TRIGGER_PERM serves no function
1060LF_TRIGGER_PERM = "1"
1061
1062# To only block access to the failed application instead of a complete block
1063# for an ip address, you can set the following to "1", but LF_TRIGGER must be
1064# set to "0" with specific application[*] trigger levels also set appropriately
1065#
1066# The ports that are blocked can be configured by changing the PORTS_* options
1067LF_SELECT = "0"
1068
1069# Send an email alert if an IP address is blocked by one of the [*] triggers
1070LF_EMAIL_ALERT = "1"
1071
1072# [*]Enable login failure detection of sshd connections
1073#
1074# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1075# this file about RESTRICT_SYSLOG before enabling this option:
1076LF_SSHD = "5"
1077LF_SSHD_PERM = "1"
1078
1079# [*]Enable login failure detection of ftp connections
1080#
1081# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1082# this file about RESTRICT_SYSLOG before enabling this option:
1083LF_FTPD = "10"
1084LF_FTPD_PERM = "1"
1085
1086# [*]Enable login failure detection of SMTP AUTH connections
1087LF_SMTPAUTH = "5"
1088LF_SMTPAUTH_PERM = "1"
1089
1090# [*]Enable syntax failure detection of Exim connections
1091LF_EXIMSYNTAX = "10"
1092LF_EXIMSYNTAX_PERM = "1"
1093
1094# [*]Enable login failure detection of pop3 connections
1095#
1096# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1097# this file about RESTRICT_SYSLOG before enabling this option:
1098LF_POP3D = "10"
1099LF_POP3D_PERM = "1"
1100
1101# [*]Enable login failure detection of imap connections
1102#
1103# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1104# this file about RESTRICT_SYSLOG before enabling this option:
1105LF_IMAPD = "10"
1106LF_IMAPD_PERM = "1"
1107
1108# [*]Enable login failure detection of Apache .htpasswd connections
1109# Due to the often high logging rate in the Apache error log, you might want to
1110# enable this option only if you know you are suffering from attacks against
1111# password protected directories
1112LF_HTACCESS = "5"
1113LF_HTACCESS_PERM = "1"
1114
1115# [*]Enable login failure detection of cpanel, webmail and whm connections
1116LF_CPANEL = "5"
1117LF_CPANEL_PERM = "1"
1118
1119# [*]Enable failure detection of repeated Apache mod_security rule triggers
1120LF_MODSEC = "5"
1121LF_MODSEC_PERM = "1"
1122
1123# [*]Enable detection of repeated BIND denied requests
1124# This option should be enabled with care as it will prevent blocked IPs from
1125# resolving any domains on the server. You might want to set the trigger value
1126# reasonably high to avoid this
1127# Example: LF_BIND = "100"
1128LF_BIND = "0"
1129LF_BIND_PERM = "1"
1130
1131# [*]Enable detection of repeated suhosin ALERTs
1132# Example: LF_SUHOSIN = "5"
1133#
1134# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1135# this file about RESTRICT_SYSLOG before enabling this option:
1136LF_SUHOSIN = "0"
1137LF_SUHOSIN_PERM = "1"
1138
1139# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
1140# This option will block IP addresses if cxs detects hits from the
1141# ModSecurity rule associated with it
1142#
1143# Note: This option takes precedence over LF_MODSEC and removes any hits
1144# counted towards LF_MODSEC for the cxs rule
1145#
1146# This setting should probably be set very low, perhaps to 1, if you want to
1147# effectively block IP addresses for this trigger option
1148LF_CXS = "0"
1149LF_CXS_PERM = "1"
1150
1151# [*]Enable detection of repeated Apache mod_qos rule triggers
1152LF_QOS = "0"
1153LF_QOS_PERM = "1"
1154
1155# [*]Enable detection of repeated Apache symlink race condition triggers from
1156# the Apache patch provided by:
1157# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
1158# This patch has also been included by cPanel via the easyapache option:
1159# "Symlink Race Condition Protection"
1160LF_SYMLINK = "0"
1161LF_SYMLINK_PERM = "1"
1162
1163# [*]Enable login failure detection of webmin connections
1164#
1165# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1166# this file about RESTRICT_SYSLOG before enabling this option:
1167LF_WEBMIN = "0"
1168LF_WEBMIN_PERM = "1"
1169
1170# Send an email alert if anyone logs in successfully using SSH
1171#
1172# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1173# this file about RESTRICT_SYSLOG before enabling this option:
1174LF_SSH_EMAIL_ALERT = "1"
1175
1176# Send an email alert if anyone uses su to access another account. This will
1177# send an email alert whether the attempt to use su was successful or not
1178#
1179# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1180# this file about RESTRICT_SYSLOG before enabling this option:
1181LF_SU_EMAIL_ALERT = "1"
1182
1183# Send an email alert if anyone accesses webmin
1184#
1185# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1186# this file about RESTRICT_SYSLOG before enabling this option:
1187LF_WEBMIN_EMAIL_ALERT = "1"
1188
1189# Send an email alert if anyone logs in successfully to root on the console
1190#
1191# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1192# this file about RESTRICT_SYSLOG before enabling this option:
1193LF_CONSOLE_EMAIL_ALERT = "1"
1194
1195# This option will keep track of the number of "File does not exist" errors in
1196# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
1197# seconds then the IP address will be blocked
1198#
1199# Care should be used with this option as it could generate many
1200# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
1201# so only use this option if you know you are under this type of attack
1202#
1203# A sensible setting for this would be quite high, perhaps 200
1204#
1205# To disable set to "0"
1206LF_APACHE_404 = "0"
1207
1208# If this option is set to 1 the blocks will be permanent
1209# If this option is > 1, the blocks will be temporary for the specified number
1210# of seconds
1211LF_APACHE_404_PERM = "3600"
1212
1213# This option will keep track of the number of "client denied by server
1214# configuration" errors in HTACCESS_LOG. If the number of hits is more than
1215# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
1216#
1217# Care should be used with this option as it could generate many
1218# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
1219# so only use this option if you know you are under this type of attack
1220#
1221# To disable set to "0"
1222LF_APACHE_403 = "0"
1223
1224# If this option is set to 1 the blocks will be permanent
1225# If this option is > 1, the blocks will be temporary for the specified number
1226# of seconds
1227LF_APACHE_403_PERM = "3600"
1228
1229# This option will keep track of the number of 401 failures in HTACCESS_LOG.
1230# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
1231# the IP address will be blocked
1232#
1233# To disable set to "0"
1234LF_APACHE_401 = "0"
1235
1236# If this option is set to 1 the blocks will be permanent
1237# If this option is > 1, the blocks will be temporary for the specified number
1238# of seconds
1239LF_APACHE_401_PERM = "3600"
1240
1241# This option is used to determine if the Apache error_log format contains the
1242# client port after the client IP. In Apache prior to v2.4, this was not the
1243# case. In Apache v2.4+ the error_log format can be configured using
1244# ErrorLogFormat, making the port directive optional
1245#
1246# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
1247# to the client IP by default. This makes determining client IPv6 addresses
1248# difficult unless we know whether the port is being appended or not
1249#
1250# lfd will attempt to autodetect the correct value if this option is set to "0"
1251# from the httpd binary found in common locations. If it fails to find a binary
1252# it will be set to "2", unless specified here
1253#
1254# The value can be set here explicitly if the autodetection does not work:
1255# 0 - autodetect
1256# 1 - no port directive after client IP
1257# 2 - port directive after client IP
1258LF_APACHE_ERRPORT = "0"
1259
1260# Send an email alert if anyone accesses WHM/cPanel via an account listed in
1261# LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
1262# last tracked access (or if lfd is restarted)
1263LF_CPANEL_ALERT = "1"
1264
1265# If a LF_CPANEL_ALERT event is triggered, then if the following contains the
1266# path to a script, it will run the script and pass the ip, the username and
1267# the DNS IP lookup result as 3 arguments
1268#
1269# The action script must have the execute bit and interpreter (shebang) set
1270LF_CPANEL_ALERT_ACTION = ""
1271
1272# This is a comma separated list of accounts to send alerts for. To send an
1273# alert for all accounts set this to "all"
1274LF_CPANEL_ALERT_USERS = "root"
1275
1276# This setting re-enables the cPanel Bandwidth chains after iptables is
1277# configured. If bandmin is not functioning, or you don't use the bandmin stats
1278# you can disable this option
1279LF_CPANEL_BANDMIN = "1"
1280
1281# Enable scanning of the exim mainlog for repeated emails sent from scripts.
1282# To use this feature the exim log_selector option must at least be set to:
1283#
1284# log_selector = +arguments +subject +received_recipients
1285#
1286# If you already use extended exim logging, then you need to either include
1287# +arguments +received_recipients or use +all
1288#
1289# This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
1290# appear with the same cwd= path in them within an hour. This can be useful in
1291# identifying spamming scripts on a server, especially PHP scripts running
1292# under the nobody account. The email that is sent includes the exim log lines
1293# and also attempts to find scripts that send email in the path that may be the
1294# culprit
1295LF_SCRIPT_ALERT = "0"
1296
1297# The limit after which the email alert for email scripts is sent. Care should
1298# be taken with this value if you allow clients to use web scripts to maintain
1299# pseudo-mailing lists which have large numbers of recipients
1300LF_SCRIPT_LIMIT = "100"
1301
1302# If an LF_SCRIPT_ALERT event is triggered, then if the following contains
1303# the path to a script, it will be run in a child process and passed the
1304# following information as parameters, which also appear in the email alert:
1305# Path to the directory containing the script that is sending the email
1306# Count of emails sent
1307# Sample of the first 10 emails
1308# List of possible email scripts within Path
1309#
1310# The action script must have the execute bit and interpreter (shebang) set
1311LF_SCRIPT_ACTION = ""
1312
1313# If this option is enabled, the directory identified by LF_SCRIPT_ALERT will
1314# be chmod 0 and chattr +i to prevent it being accessed. Set the option to 1
1315# to enable.
1316#
1317# WARNING: This option could cause serious system problems if the identified
1318# directory is within the OS directory hierarchy. For this reason we do not
1319# recommend enabling it unless absolutely necessary.
1320LF_SCRIPT_PERM = "0"
1321
1322# Checks the length of the exim queue and sends an alert email if the value of
1323# this setting is exceeded. If the ConfigServer MailScanner configuration is
1324# used then both the pending and delivery queues will be checked.
1325#
1326# Note: If there are problems sending out email, this alert may not be received
1327# To disable set to "0"
1328LF_QUEUE_ALERT = "2000"
1329
1330# The interval between mail queue checks in seconds. This should not be set too
1331# low on servers that often have long queues as the exim binary can use
1332# significant resources when checking its queue length
1333LF_QUEUE_INTERVAL = "300"
1334
1335# This option will send an alert if the ModSecurity IP persistent storage grows
1336# excessively large: https://goo.gl/rGh5sF
1337#
1338# More information on cPanel servers here: https://goo.gl/vo6xTE
1339#
1340# The check is performed at lfd startup and then once per hour. The template
1341# used is modsecipdbalert.txt
1342#
1343# LF_MODSECIPDB_FILE must be set to the correct location of the database file
1344#
1345# Set to "0" to disable this option, otherwise it is the threshold size of the
1346# file to report in gigabytes, e.g. set to 5 for 5GB
1347LF_MODSECIPDB_ALERT = "5"
1348
1349# This is the location of the persistent IP storage file on the server, e.g.:
1350# /var/run/modsecurity/data/ip.pag
1351# /var/cpanel/secdatadir/ip.pag
1352# /var/cache/modsecurity/ip.pag
1353# /usr/local/apache/conf/modsec/data/msa/ip.pag
1354# /var/tmp/ip.pag
1355# /tmp/ip.pag
1356LF_MODSECIPDB_FILE = "/var/cpanel/secdatadir/ip.pag"
1357
1358# System Exploit Checking. This option is designed to perform a series of tests
1359# to send an alert in case a possible server compromise is detected
1360#
1361# To enable this feature set the following to the checking interval in seconds
1362# (a value of 300 would seem sensible).
1363#
1364# To disable set to "0"
1365LF_EXPLOIT = "300"
1366
1367# This comma separated list allows you to ignore tests LF_EXPLOIT performs
1368#
1369# For the SUPERUSER check, you can list usernames in csf.suignore to have them
1370# ignored for that test
1371#
1372# Valid tests are:
1373# SUPERUSER,SSHDSPAM
1374#
1375# If you want to ignore a test add it to this as a comma separated list, e.g.
1376# "SUPERUSER,SSHDSPAM"
1377LF_EXPLOIT_IGNORE = ""
1378
1379# Set the time interval to track login and other LF_ failures within (seconds),
1380# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
1381LF_INTERVAL = "3600"
1382
1383# This is how long the lfd process sleeps (in seconds) before processing the
1384# log file entries and checking whether other events need to be triggered
1385LF_PARSE = "5"
1386
1387# This is the interval that is used to flush reports of usernames, files and
1388# pids so that persistent problems continue to be reported, in seconds.
1389# A value of 3600 seems sensible
1390LF_FLUSH = "3600"
1391
1392# Under some circumstances iptables can fail to include a rule instruction,
1393# especially if more than one request is made concurrently. In this event, a
1394# permanent block entry may exist in csf.deny, but not in iptables.
1395#
1396# This option instructs csf to deny an already blocked IP address the number
1397# of times set. The downside is that there will be multiple entries for an IP
1398# address in csf.deny and possibly multiple rules for the same IP address in
1399# iptables. This needs to be taken into consideration when unblocking such IP
1400# addresses.
1401#
1402# Set to "0" to disable this feature. Do not set this too high for the reasons
1403# detailed above (e.g. "5" should be more than enough)
1404LF_REPEATBLOCK = "0"
1405
1406# By default csf will create both inbound and outbound blocks from/to an IP
1407# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
1408# effective way to block IP traffic. This option instructs csf to only block
1409# inbound traffic from those IP's and so reduces the number of iptables rules,
1410# but at the expense of less effectiveness. For this reason we recommend
1411# leaving this option disabled
1412#
1413# Set to "0" to disable this feature - the default
1414LF_BLOCKINONLY = "0"
1415
1416###############################################################################
1417# SECTION:CloudFlare
1418###############################################################################
1419# This feature provides interaction with the CloudFlare Firewall
1420#
1421# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
1422# iptables is concerned) come from the CloudFlare IP's. To counter this, an
1423# Apache module (mod_cloudflare) is available that obtains the true attacker's
1424# IP from a custom HTTP header record (similar functionality is available
1425# for other HTTP daemons)
1426#
1427# However, despite now knowing the true attacking IP address, iptables cannot
1428# be used to block that IP as the traffic is still coming from the CloudFlare
1429# servers
1430#
1431# CloudFlare have provided a Firewall feature within the user account where
1432# rules can be added to block, challenge or whitelist IP addresses
1433#
1434# Using the CloudFlare API, this feature adds and removes attacking IPs from
1435# that firewall and provides additional commands via the CLI (and the UI)
1436#
1437# See /etc/csf/readme.txt for more information about this feature and the
1438# restrictions for its use BEFORE enabling this feature
1439CF_ENABLE = "0"
1440
1441# If the CloudFlare user plugin has been installed, enable this setting to use
1442# per cPanel account settings rather than listing each account in
1443# /etc/csf/csf.cloudflare
1444CF_CPANEL = ""
1445
1446# This can be set to either "block" or "challenge" (see CloudFlare docs)
1447CF_BLOCK = "block"
1448
1449# This setting determines how long the temporary block will apply within csf
1450# and CloudFlare, keeping them in sync
1451#
1452# Block duration in seconds - overrides perm block or time of individual blocks
1453# in lfd for block triggers
1454CF_TEMP = "3600"
1455
1456###############################################################################
1457# SECTION:Directory Watching & Integrity
1458###############################################################################
1459# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
1460# directories for suspicious files, i.e. script exploits. If a suspicious
1461# file is found an email alert is sent. One alert per file per LF_FLUSH
1462# interval is sent
1463#
1464# To enable this feature set the following to the checking interval in seconds.
1465# To disable set to "0"
1466LF_DIRWATCH = "300"
1467
1468# To remove any suspicious files found during directory watching, enable the
1469# following. These files will be appended to a tarball in
1470# /var/lib/suspicious.tar
1471LF_DIRWATCH_DISABLE = "0"
1472
1473# This option allows you to have lfd watch a particular file or directory for
1474# changes and, should they change, an email alert using watchalert.txt is sent
1475#
1476# To enable this feature set the following to the checking interval in seconds
1477# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
1478#
1479# To disable set to "0"
1480LF_DIRWATCH_FILE = "0"
1481
1482# System Integrity Checking. This enables lfd to compare md5sums of the
1483# server's OS binary application files against a baseline taken when lfd
1484# starts. If the md5sum of a monitored file changes an alert is sent. This
1485# option is intended as an IDS (Intrusion Detection System) and is the last
1486# line of detection for a possible root compromise.
1487#
1488# There will be constant false-positives as the server's OS is updated or
1489# monitored application binaries are updated. However, unexpected changes
1490# should be carefully inspected. A file already modified before lfd starts is
1491# part of the baseline and so will not be reported. Modified files will only
1492# be reported via email once.
1493#
1494# To enable this feature set the following to the checking interval in seconds
1495# (a value of 3600 would seem sensible). This option may increase I/O load on
1496# the server as it checks system binaries.
1497#
1498# To disable set to "0"
1499LF_INTEGRITY = "3600"
1500
1501###############################################################################
1502# SECTION:Distributed Attacks
1503###############################################################################
1504# Distributed Account Attack. This option will keep track of login failures
1505# from distributed IP addresses to a specific application account. If the
1506# number of failures matches the trigger value above, ALL of the IP addresses
1507# involved in the attack will be blocked according to the temp/perm rules above
1508#
1509# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
1510# LF_HTACCESS
1511#
1512# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1513# this file about RESTRICT_SYSLOG before enabling this option:
1514LF_DISTATTACK = "0"
1515
1516# Set the following to the minimum number of unique IP addresses that trigger
1517# LF_DISTATTACK
1518LF_DISTATTACK_UNIQ = "2"
1519
1520# Distributed FTP Logins. This option will keep track of successful FTP logins.
1521# If the number of successful logins to an individual account is at least
1522# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
1523# then all of the IP addresses will be blocked
1524#
1525# This option can help mitigate the common FTP account compromise attacks that
1526# use a distributed network of zombies to deface websites
1527#
1528# A sensible setting for this might be 5, depending on how many different
1529# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
1530#
1531# To disable set to "0"
1532#
1533# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1534# this file about RESTRICT_SYSLOG before enabling this option:
1535LF_DISTFTP = "0"
1536
1537# Set the following to the minimum number of unique IP addresses that trigger
1538# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
1539LF_DISTFTP_UNIQ = "3"
1540
1541# If this option is set to 1 the blocks will be permanent
1542# If this option is > 1, the blocks will be temporary for the specified number
1543# of seconds
1544LF_DISTFTP_PERM = "1"
1545
1546# Send an email alert if LF_DISTFTP is triggered
1547LF_DISTFTP_ALERT = "1"
1548
1549# Distributed SMTP Logins. This option will keep track of successful SMTP
1550# logins. If the number of successful logins to an individual account is at
1551# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
1552# addresses, then all of the IP addresses will be blocked. These options only
1553# apply to the exim MTA
1554#
1555# This option can help mitigate the common SMTP account compromise attacks that
1556# use a distributed network of zombies to send spam
1557#
1558# A sensible setting for this might be 5, depending on how many different
1559# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
1560#
1561# To disable set to "0"
1562LF_DISTSMTP = "0"
1563
1564# Set the following to the minimum number of unique IP addresses that trigger
1565# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
1566LF_DISTSMTP_UNIQ = "3"
1567
1568# If this option is set to 1 the blocks will be permanent
1569# If this option is > 1, the blocks will be temporary for the specified number
1570# of seconds
1571LF_DISTSMTP_PERM = "1"
1572
1573# Send an email alert if LF_DISTSMTP is triggered
1574LF_DISTSMTP_ALERT = "1"
1575
1576# This is the interval during which a distributed FTP or SMTP attack is
1577# measured
1578LF_DIST_INTERVAL = "300"
1579
1580# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
1581# path to a script, it will run the script and pass the following as arguments:
1582#
1583# LF_DISTFTP/LF_DISTSMTP
1584# account name
1585# log file text
1586#
1587# The action script must have the execute bit and interpreter (shebang) set
1588LF_DIST_ACTION = ""
1589
1590###############################################################################
1591# SECTION:Login Tracking
1592###############################################################################
1593# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
1594# address (0=disabled)
1595#
1596# This is a temporary block for the rest of the hour, after which the IP is
1597# unblocked
1598#
1599# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1600# this file about RESTRICT_SYSLOG before enabling this option:
1601LT_POP3D = "0"
1602
1603# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
1604# address (0=disabled) - not recommended for IMAP logins due to the ethos
1605# within which IMAP works. If you want to use this, setting it quite high is
1606# probably a good idea
1607#
1608# This is a temporary block for the rest of the hour, after which the IP is
1609# unblocked
1610#
1611# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1612# this file about RESTRICT_SYSLOG before enabling this option:
1613LT_IMAPD = "0"
1614
1615# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
1616# per IP
1617LT_EMAIL_ALERT = "1"
1618
1619# If LF_PERMBLOCK is enabled but you do not want this to apply to
1620# LT_POP3D/LT_IMAPD, then enable this option
1621LT_SKIPPERMBLOCK = "0"
1622
1623###############################################################################
1624# SECTION:Relay Tracking
1625###############################################################################
1626# Relay Tracking. This allows you to track email that is relayed through the
1627# server. There are also options to send alerts and block external IP addresses
1628# if the number of emails relayed per hour exceeds configured limits. The
1629# blocks can be either permanent or temporary.
1630#
1631# The following information applies to each of the following types of relay
1632# check:
1633# RT_[relay type]_ALERT: 0 = disable, 1 = enable
1634# RT_[relay type]_LIMIT: the limit/hour after which an email alert will be sent
1635# RT_[relay type]_BLOCK: 0 = no block; 1 = perm block; nn = temp block for nn secs
1636
1637# This option triggers for external email
1638RT_RELAY_ALERT = "1"
1639RT_RELAY_LIMIT = "100"
1640RT_RELAY_BLOCK = "0"
1641
1642# This option triggers for email authenticated by SMTP AUTH
1643RT_AUTHRELAY_ALERT = "1"
1644RT_AUTHRELAY_LIMIT = "100"
1645RT_AUTHRELAY_BLOCK = "0"
1646
1647# This option triggers for email authenticated by POP before SMTP
1648RT_POPRELAY_ALERT = "1"
1649RT_POPRELAY_LIMIT = "100"
1650RT_POPRELAY_BLOCK = "0"
1651
1652# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
1653RT_LOCALRELAY_ALERT = "1"
1654RT_LOCALRELAY_LIMIT = "100"
1655
1656# This option triggers for email sent via a local IP addresses
1657RT_LOCALHOSTRELAY_ALERT = "1"
1658RT_LOCALHOSTRELAY_LIMIT = "100"
1659
1660# If an RT_* event is triggered, then if the following contains the path to
1661# a script, it will be run in a child process and passed the following
1662# information as parameters, which also appears in the email alert:
1663# IP Address
1664# Relay Type (RELAY/AUTHRELAY/POPRELAY/LOCALRELAY/LOCALHOSTRELAY)
1665# Block Message (Temporary/Permanent Block)
1666# Count of emails relayed
1667# Sample of the first 10 emails
1668#
1669# The action script must have the execute bit and interpreter (shebang) set
1670RT_ACTION = ""
1671
1672###############################################################################
1673# SECTION:Connection Tracking
1674###############################################################################
1675# Connection Tracking. This option enables tracking of all connections from IP
1676# addresses to the server. If the total number of connections is greater than
1677# this value then the offending IP address is blocked. This can be used to help
1678# prevent some types of DOS attack.
1679#
1680# Care should be taken with this option. It's entirely possible that you will
1681# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
1682# and HTTP so it could be quite easy to trigger, especially with a lot of
1683# closed connections in TIME_WAIT. However, for a server that is prone to DOS
1684# attacks this may be very useful. A reasonable setting for this option might
1685# be around 300.
1686#
1687# To disable this feature, set this to 0
1688CT_LIMIT = "0"
1689
1690# Connection Tracking interval. Set this to the number of seconds between
1691# connection tracking scans
1692CT_INTERVAL = "30"
1693
1694# Send an email alert if an IP address is blocked due to connection tracking
1695CT_EMAIL_ALERT = "1"
1696
1697# If you want to make IP blocks permanent then set this to 1, otherwise blocks
1698# will be temporary and will be cleared after CT_BLOCK_TIME seconds
1699CT_PERMANENT = "0"
1700
1701# If you opt for temporary IP blocks for CT, then the following is the interval
1702# in seconds that the IP will remain blocked for (e.g. 1800 = 30 mins)
1703CT_BLOCK_TIME = "1800"
1704
1705# If you don't want to count the TIME_WAIT state against the connection count
1706# then set the following to "1"
1707CT_SKIP_TIME_WAIT = "0"
1708
1709# If you only want to count specific states (e.g. SYN_RECV) then add the states
1710# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
1711#
1712# Leave this option empty to count all states against CT_LIMIT
1713CT_STATES = ""
1714
1715# If you only want to count specific ports (e.g. 80,443) then add the ports
1716# to the following as a comma separated list. E.g. "80,443"
1717#
1718# Leave this option empty to count all ports against CT_LIMIT
1719CT_PORTS = ""
1720
1721###############################################################################
1722# SECTION:Process Tracking
1723###############################################################################
1724# Process Tracking. This option enables tracking of user and nobody processes
1725# and examines them for suspicious executables or open network ports. Its
1726# purpose is to identify potential exploit processes that are running on the
1727# server, even if they are obfuscated to appear as system services. If a
1728# suspicious process is found an alert email is sent with relevant information.
1729# It is then the responsibility of the recipient to investigate the process
1730# further as the script takes no further action
1731#
1732# The following is the number of seconds a process has to be active before it
1733# is inspected. If you set this time too low, then you will likely trigger
1734# false-positives with CGI or PHP scripts.
1735# Set the value to 0 to disable this feature
1736PT_LIMIT = "60"
1737
1738# How frequently processes are checked in seconds
1739PT_INTERVAL = "60"
1740
1741# If you want process tracking to highlight php or perl scripts that are run
1742# through apache then disable the following,
1743# i.e. set it to 0
1744#
1745# While enabling this setting will reduce false-positives, having it set to 0
1746# does provide better checking for exploits running on the server
1747PT_SKIP_HTTP = "0"
1748
1749# If you want to track all linux accounts on a cPanel server, not just users
1750# that are part of cPanel, then enable this option. This is recommended to
1751# improve security from compromised accounts
1752#
1753# Set to 0 to disable the feature, 1 to enable it
1754PT_ALL_USERS = "0"
1755
1756# lfd will report processes, even if they're listed in csf.pignore, if they're
1757# tagged as (deleted) by Linux. This information is provided in Linux under
1758# /proc/PID/exe. A (deleted) process is one that is running a binary that has
1759# the inode for the file removed from the file system directory. This usually
1760# happens when the binary has been replaced due to an upgrade for it by the OS
1761# vendor or another third party (e.g. cPanel). You need to investigate whether
1762# this is indeed the case to be sure that the original binary has not been
1763# replaced by a rootkit or is running an exploit.
1764#
1765# Note: If a deleted executable process is detected and reported then lfd will
1766# not report children of the parent (or the parent itself if a child triggered
1767# the report) if the parent is also a deleted executable process
1768#
1769# To stop lfd reporting such processes you need to restart the daemon to which it
1770# belongs and therefore run the process using the replacement binary (presuming
1771# one exists). This will normally mean running the associated startup script in
1772# /etc/init.d/
1773#
1774# If you do want lfd to report deleted binary processes, set to 1
1775PT_DELETED = "0"
1776
1777# If a PT_DELETED event is triggered, then if the following contains the path to
1778# a script, it will be run in a child process and passed the executable, pid,
1779# account for the process, and parent pid
1780#
1781# The action script must have the execute bit and interpreter (shebang) set. An
1782# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
1783#
1784# WARNING: Make sure you read and understand the potential security
1785# implications of such processes in PT_DELETED above before simply restarting
1786# such processes with a script
1787PT_DELETED_ACTION = ""
1788
1789# User Process Tracking. This option enables the tracking of the number of
1790# processes any given account is running at one time. If the number of
1791# processes exceeds the value of the following setting an email alert is sent
1792# with details of those processes. If you specify a user in csf.pignore it
1793# will be ignored
1794#
1795# Set to 0 to disable this feature
1796PT_USERPROC = "10"
1797
1798# This User Process Tracking option sends an alert if any user process exceeds
1799# the virtual memory usage set (MB). To ignore specific processes or users use
1800# csf.pignore
1801#
1802# Set to 0 to disable this feature
1803PT_USERMEM = "512"
1804
1805# This User Process Tracking option sends an alert if any user process exceeds
1806# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
1807# processes or users use csf.pignore
1808#
1809# Set to 0 to disable this feature
1810PT_USERRSS = "256"
1811
1812# This User Process Tracking option sends an alert if any cPanel user process
1813# exceeds the time usage set (seconds). To ignore specific processes or users
1814# use csf.pignore
1815#
1816# Set to 0 to disable this feature
1817PT_USERTIME = "1800"
1818
1819# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
1820# PT_USERPROC are killed
1821#
1822# Warning: We don't recommend enabling this option unless absolutely necessary
1823# as it can cause unexpected problems when processes are suddenly terminated.
1824# It can also lead to system processes being terminated which could cause
1825# stability issues. It is much better to leave this option disabled and to
1826# investigate each case as it is reported when the triggers above are breached
1827#
1828# Note: Processes that are running deleted executables (see PT_DELETED) will
1829# not be killed by lfd
1830PT_USERKILL = "0"
1831
1832# If you want to disable email alerts if PT_USERKILL is triggered, then set
1833# this option to 0
1834PT_USERKILL_ALERT = "1"
1835
1836# If a PT_* event is triggered, then if the following contains the path to
1837# a script, it will be run in a child process and passed the PID(s) of the
1838# process(es) in a comma separated list.
1839#
1840# The action script must have the execute bit and interpreter (shebang) set
1841PT_USER_ACTION = ""
1842
1843# Check the PT_LOAD_AVG minute Load Average (can be set to 1, 5 or 15 and
1844# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
1845# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
1846# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
1847# seconds have passed to prevent email floods.
1848#
1849# Set PT_LOAD to "0" to disable this feature
1850PT_LOAD = "30"
1851PT_LOAD_AVG = "5"
1852PT_LOAD_LEVEL = "6"
1853PT_LOAD_SKIP = "3600"
1854
1855# This is the Apache Server Status URL used in the email alert. Requires the
1856# Apache mod_status module to be installed and configured correctly
1857PT_APACHESTATUS = "http://127.0.0.1/whm-server-status"
1858
1859# If a PT_LOAD event is triggered, then if the following contains the path to
1860# a script, it will be run in a child process. For example, the script could
1861# contain commands to terminate and restart httpd, php, exim, etc in case of
1862# looping processes. The action script must have the execute bit and
1863# interpreter (shebang) set
1864PT_LOAD_ACTION = ""
1865
1866# Fork Bomb Protection. This option checks the number of processes with the
1867# same session id and if greater than the value set, the whole session tree is
1868# terminated and an alert sent
1869#
1870# You can see an example of common session id processes on most Linux systems
1871# using: "ps axf -O sid"
1872#
1873# On cPanel servers, PT_ALL_USERS should be enabled to use this option
1874# effectively
1875#
1876# This option will check root owned processes. Session id 0 and 1 will always
1877# be ignored as they represent kernel and init processes. csf.pignore will be
1878# honoured, but bear in mind that a session tree can contain a variety of users
1879# and executables
1880#
1881# Care needs to be taken to ensure that this option only detects runaway fork
1882# bombs, so should be set higher than any session tree is likely to get (e.g.
1883# httpd could have 100s of legitimate children on very busy systems). A
1884# sensible starting point on most servers might be 250
1885PT_FORKBOMB = "0"
1886
1887# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
1888# are often left hanging after their connecting IP addresses have been blocked
1889#
1890# This option will terminate the SSH processes created by the blocked IP. This
1891# option is preferred over PT_SSHDHUNG
1892PT_SSHDKILL = "0"
1893
1894# This option will terminate all processes with the cmdline of "sshd: unknown
1895# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
1896# seconds
1897#
1898# This option is now deprecated and will be removed in the future. PT_SSHDKILL
1899# should be used instead
1900PT_SSHDHUNG = "0"
1901
1902###############################################################################
1903# SECTION:Port Scan Tracking
1904###############################################################################
1905# Port Scan Tracking. This feature tracks port blocks logged by iptables to
1906# syslog. If an IP address generates port blocks that are logged more than
1907# PS_LIMIT times within PS_INTERVAL seconds, the IP address will be blocked.
1908#
1909# This feature could, for example, be useful for blocking hackers attempting
1910# to access the standard SSH port if you have moved it to a port other than 22
1911# and have removed 22 from the TCP_IN list so that connection attempts to the
1912# old port are being logged
1913#
1914# This feature counts all iptables blocks found in the iptables logs, including
1915# repeated attempts to one port or SYN flood blocks, etc
1916#
1917# Note: This feature will only track iptables blocks from the log file set in
1918# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
1919# cause redundant blocking with DROP_IP_LOGGING enabled
1920#
1921# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
1922# could very quickly fill the iptables rule chains and cause a DOS in itself.
1923# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
1924# and the DENY_TEMP_IP_LIMIT with temporary blocks
1925#
1926# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1927# would be sensible to enable this feature
1928#
1929# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1930# this file about RESTRICT_SYSLOG before enabling this option:
1931PS_INTERVAL = "0"
1932PS_LIMIT = "10"
1933
1934# You can specify the ports and/or port ranges that should be tracked by the
1935# Port Scan Tracking feature. The following setting is a comma separated list
1936# of those ports and uses the same format as TCP_IN. The setting of
1937# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
1938#
1939# Special values are:
1940# ICMP - include ICMP blocks (see ICMP_*)
1941# INVALID - include INVALID blocks (see PACKET_FILTER)
1942# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
1943# BRD - include UDP Broadcast IPs, otherwise they are ignored
1944PS_PORTS = "0:65535,ICMP"
1945
1946# To specify how many different ports qualifies as a Port Scan you can increase
1947# the following from the default value of 1. The risk in doing so will mean
1948# that persistent attempts to attack a specific closed port will not be
1949# detected and blocked
1950PS_DIVERSITY = "1"
1951
1952# You can select whether IP blocks for Port Scan Tracking should be temporary
1953# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
1954# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
1955# temporarily block the IP address for
1956PS_PERMANENT = "0"
1957PS_BLOCK_TIME = "3600"
1958
1959# Set the following to "1" to enable Port Scan Tracking email alerts, set to
1960# "0" to disable them
1961PS_EMAIL_ALERT = "1"
1962
1963###############################################################################
1964# SECTION:User ID Tracking
1965###############################################################################
1966# User ID Tracking. This feature tracks UID blocks logged by iptables to
1967# syslog. If a UID generates a port block that is logged more than UID_LIMIT
1968# times within UID_INTERVAL seconds, an alert will be sent
1969#
1970# Note: This feature will only track iptables blocks from the log file set in
1971# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
1972#
1973# To ignore specific UIDs list them in csf.uidignore and then restart lfd
1974#
1975# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1976# would be sensible to enable this feature
1977#
1978# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1979# this file about RESTRICT_SYSLOG before enabling this option:
1980UID_INTERVAL = "0"
1981UID_LIMIT = "10"
1982
1983# You can specify the ports and/or port ranges that should be tracked by the
1984# User ID Tracking feature. The following setting is a comma separated list
1985# of those ports and uses the same format as TCP_OUT. The default setting of
1986# 0:65535,ICMP covers all ports
1987UID_PORTS = "0:65535,ICMP"
1988
1989###############################################################################
1990# SECTION:Account Tracking
1991###############################################################################
1992# Account Tracking. The following options enable the tracking of modifications
1993# to the accounts on a server. If any of the enabled options are triggered by
1994# a modification to an account, an alert email is sent. Only the modification
1995# is reported. The cause of the modification will have to be investigated
1996# manually
1997#
1998# You can set AT_ALERT to the following:
1999# 0 = disable this feature
2000# 1 = enable this feature for all accounts
2001# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
2002# 3 = enable this feature only for the root account
2003AT_ALERT = "2"
2004
2005# This option is the interval between checks in seconds
2006AT_INTERVAL = "60"
2007
2008# Send alert if a new account is created
2009AT_NEW = "1"
2010
2011# Send alert if an existing account is deleted
2012AT_OLD = "1"
2013
2014# Send alert if an account password has changed
2015AT_PASSWD = "1"
2016
2017# Send alert if an account uid has changed
2018AT_UID = "1"
2019
2020# Send alert if an account gid has changed
2021AT_GID = "1"
2022
2023# Send alert if an account login directory has changed
2024AT_DIR = "1"
2025
2026# Send alert if an account login shell has changed
2027AT_SHELL = "1"
2028
2029###############################################################################
2030# SECTION:Integrated User Interface
2031###############################################################################
2032# Integrated User Interface. This feature provides an HTML UI to csf and lfd,
2033# without requiring a control panel or web server. The UI runs as a sub process
2034# to the lfd daemon
2035#
2036# As it runs under the root account and successful login provides root access
2037# to the server, great care should be taken when configuring and using this
2038# feature. There are additional restrictions to enhance secure access to the UI
2039#
2040# See readme.txt for more information about using this feature BEFORE enabling
2041# it for security and access reasons
2042#
2043# 1 to enable, 0 to disable
2044UI = "0"
2045
2046# Set this to the port you want to bind this service to. You should configure
2047# this port to be >1023 and different from any other port already being used
2048#
2049# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
2050# to the port using Advanced Allow Filters (see readme.txt)
2051UI_PORT = "6666"
2052
2053# Optionally set the IP address to bind to. Normally this should be left blank
2054# to bind to all IP addresses on the server.
2055#
2056# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
2057# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
2058# ::ffff:1.2.3.4
2059#
2060# Leave blank to bind to all IP addresses on the server
2061UI_IP = ""
2062
2063# This should be a secure, hard to guess username
2064#
2065# This must be changed from the default
2066UI_USER = "username"
2067
2068# This should be a secure, hard to guess password. That is, at least 8
2069# characters long with a mixture of upper and lowercase characters plus
2070# numbers and non-alphanumeric characters
2071#
2072# This must be changed from the default
2073UI_PASS = "password"
2074
2075# This is the login session timeout. If there is no activity for a logged in
2076# session within this number of seconds, the session will timeout and a new
2077# login will be required
2078#
2079# For security reasons, you should always keep this option low (i.e. 60-300)
2080UI_TIMEOUT = "300"
2081
2082# This is the maximum concurrent connections allowed to the server. The default
2083# value should be sufficient
2084UI_CHILDREN = "5"
2085
2086# The number of login retries allowed within a 24 hour period. A successful
2087# login from the IP address will clear the failures
2088#
2089# For security reasons, you should always keep this option low (i.e. 0-10)
2090UI_RETRY = "5"
2091
2092# If enabled, this option will add the connecting IP address to the file
2093# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
2094# able to login to the UI while it is listed in this file. The UI_BAN setting
2095# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
2096# csf.ignore, etc.
2097#
2098# For security reasons, you should always enable this option
2099UI_BAN = "1"
2100
# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
#
# For security reasons, you should always enable this option and use ui.allow.
# Add your own management IP address(es) to ui.allow before relying on it,
# otherwise no address will be able to log in to the UI
2106UI_ALLOW = "1"
2107
# If enabled, this option will trigger an iptables block through csf after
# UI_RETRY login failures
#
# Note: With a permanent block ("1"), a few mistyped logins from your own
# address can block that address at the firewall level, not just in the UI.
# Make sure your management addresses are in csf.allow (or use a temporary
# block) and check readme.txt for how allow entries interact with lfd blocks
#
# 0 = no block;1 = perm block;nn=temp block for nn secs
2112UI_BLOCK = "1"
2113
2114# This controls what email alerts are sent with regards to logins to the UI. It
2115# uses the uialert.txt template
2116#
2117# 4 = login success + login failure/ban/block + login attempts
2118# 3 = login success + login failure/ban/block
2119# 2 = login failure/ban/block
2120# 1 = login ban/block
2121# 0 = disabled
2122UI_ALERT = "4"
2123
# This is the SSL cipher list that the Integrated UI will negotiate from
#
# SECURITY NOTE: the default list below explicitly includes RC4 (RC4+RSA).
# RC4 is prohibited for TLS by RFC 7465 and current browsers refuse it, so it
# adds nothing but risk; consider appending ":!RC4" and, where the server's
# openssl supports it, preferring an ECDHE/AEAD-only cipher list instead
2125UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
2126
# This is the SSL protocol version used. See IO::Socket::SSL if you wish to
# change this and to understand the implications of changing it
#
# The default below disables SSLv2 and SSLv3 but still allows TLS 1.0 and
# TLS 1.1. If all clients that need the UI support TLS 1.2 or later, consider
# excluding those too (IO::Socket::SSL syntax "!TLSv1:!TLSv1_1"), provided the
# installed IO::Socket::SSL and openssl versions accept it
2129UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"
2130
2131# If cxs is installed then enabling this option will provide a dropdown box to
2132# switch between applications
2133UI_CXS = "0"
2134
2135# There is a modified installation of ConfigServer Explorer (cse) provided with
2136# the csf distribution. If this option is enabled it will provide a dropdown
2137# box to switch between applications
2138UI_CSE = "0"
2139
2140###############################################################################
2141# SECTION:Messenger service
2142###############################################################################
2143# Messenger service. This feature allows the display of a message to a blocked
2144# connecting IP address to inform the user that they are blocked in the
2145# firewall. This can help when users get themselves blocked, e.g. due to
2146# multiple login failures. The service is provided by two daemons running on
2147# ports providing either an HTML or TEXT message
2148#
2149# This feature does not work on servers that do not have the iptables module
2150# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
2151# server admins should check with their VPS host provider that the iptables
2152# module is included
2153#
2154# For further information on features and limitations refer to the csf
2155# readme.txt
2156#
2157# Note: Run /etc/csf/csftest.pl to check whether this option will function on
2158# this server
2159#
2160# 1 to enable, 0 to disable
2161MESSENGER = "0"
2162
2163# Provide this service to temporary IP address blocks
2164MESSENGER_TEMP = "1"
2165
2166# Provide this service to permanent IP address blocks
2167MESSENGER_PERM = "1"
2168
2169# User account to run the service servers under. We recommend creating a
2170# specific non-priv, non-shell account for this purpose
2171#
2172# Note: When using MESSENGERV2, this account must NOT be a valid cPanel account
2173# it must be created manually as explained in the csf readme.txt
2174MESSENGER_USER = "csf"
2175
2176# This is the maximum concurrent connections allowed to each service server
2177MESSENGER_CHILDREN = "10"
2178
2179# MESSENGERV2. This option is available on cPanel servers running Apache v2.4+
2180# under EA4.
2181#
2182# This uses the Apache http daemon to provide the web server functionality for
2183# the MESSENGER HTML and HTTPS services. It uses a fraction of the resources
2184# that the lfd inbuilt service uses and overcomes the memory overhead of using
2185# the MESSENGER HTTPS service
2186#
2187# MESSENGER_CHILDREN does not apply to MESSENGER HTML and HTTPS when
2188# MESSENGERV2 is enabled
2189#
2190# For more information consult readme.txt before enabling this option
2191MESSENGERV2 = "0"
2192
2193# Set this to the port that will receive the HTTPS HTML message. You should
2194# configure this port to be >1023 and different from the TEXT and HTML port. Do
2195# NOT enable access to this port in TCP_IN. This option requires the perl
2196# module IO::Socket::SSL at a version level that supports SNI (1.83+).
2197# Additionally the version of openssl on the server must also support SNI
2198#
2199# The option uses existing SSL certificates on the server for each domain to
2200# maintain a secure connection without browser warnings. It uses SNI to choose
2201# the correct certificate to use for each client connection
2202#
2203# Warning: On some servers the amount of memory used by the HTTPS MESSENGER
2204# service can become significant depending on various factors associated with
2205# the use of IO::Socket::SSL including the number of domains and certificates
2206# served
2207MESSENGER_HTTPS = "8887"
2208
# This comma separated list holds the HTTPS HTML ports that will be redirected
# for the blocked IP address. If you are using per application blocking
# (LF_TRIGGER) then only the relevant block port will be redirected to the
# messenger port
2213#
2214# Recommended setting "443" plus any end-user control panel SSL ports. So, for
2215# cPanel: "443,2083,2096"
2216MESSENGER_HTTPS_IN = ""
2217
2218# This option points to the file(s) containing the Apache VirtualHost SSL
2219# definitions. This can be a file glob if there are multiple files to search.
2220# Only Apache v2 SSL VirtualHost definitions are supported
2221MESSENGER_HTTPS_CONF = "/usr/local/apache/conf/httpd.conf"
2222
# This option ignores ServerAlias definitions that begin with "mail.". This
# can help reduce memory usage on systems that do not require the use of
# MESSENGER_HTTPS on those subdomains
#
# Set to 0 to include these ServerAlias definitions
2228MESSENGER_HTTPS_SKIPMAIL = "1"
2229
# The following options can be specified to provide a default fallback
# certificate to be used if either SNI is not supported or a hosted domain does
# not have an SSL certificate. If a fallback is not provided, one of the certs
# obtained from MESSENGER_HTTPS_CONF will be used; as that certificate will not
# match the requested hostname, such clients will still see a browser warning.
# The file(s) referenced here contain a private key, so restrict their
# permissions accordingly
2234MESSENGER_HTTPS_KEY = "/var/cpanel/ssl/cpanel/mycpanel.pem"
2235MESSENGER_HTTPS_CRT = "/var/cpanel/ssl/cpanel/mycpanel.pem"
2236
2237# Set this to the port that will receive the HTML message. You should configure
2238# this port to be >1023 and different from the TEXT port. Do NOT enable access
2239# to this port in TCP_IN
2240MESSENGER_HTML = "8888"
2241
# This comma separated list holds the HTML ports that will be redirected for
# the blocked IP address. If you are using per application blocking
# (LF_TRIGGER) then only the relevant block port will be redirected to the
# messenger port
2245MESSENGER_HTML_IN = "80,2082,2095"
2246
2247# Set this to the port that will receive the TEXT message. You should configure
2248# this port to be >1023 and different from the HTML port. Do NOT enable access
2249# to this port in TCP_IN
2250MESSENGER_TEXT = "8889"
2251
# This comma separated list holds the TEXT ports that will be redirected for
# the blocked IP address. If you are using per application blocking
# (LF_TRIGGER) then only the relevant block port will be redirected to the
# messenger port
2255MESSENGER_TEXT_IN = "21"
2256
2257# These settings limit the rate at which connections can be made to the
2258# messenger service servers. Its intention is to provide protection from
2259# attacks or excessive connections to the servers. If the rate is exceeded then
2260# iptables will revert for the duration to the normal blocking activity
2261#
2262# See the iptables man page for the correct --limit rate syntax
2263MESSENGER_RATE = "100/s"
2264MESSENGER_BURST = "150"
2265
2266# The RECAPTCHA options provide a way for end-users that have blocked
2267# themselves in the firewall to unblock themselves.
2268#
2269# A valid Google ReCAPTCHA (v2) key set is required for this feature from:
2270# https://www.google.com/recaptcha/intro/index.html
2271#
# When configuring a new reCAPTCHA API key set you must ensure that the option
# for "Domain Name Validation" is unticked so that the same reCAPTCHA can be
# used for all domains hosted on the server. lfd then checks that the hostname
# of the request resolves to an IP on this server
#
# SECURITY NOTE: With domain validation disabled, that hostname check is what
# ties a CAPTCHA response to this server, so keep RECAPTCHA_SECRET confidential.
# Bear in mind that this unblock path is, by design, reachable by IPs that lfd
# has already blocked (see MESSENGER_RATE/MESSENGER_BURST for limiting
# connections to it)
2276#
2277# This feature requires the installation of the LWP::UserAgent perl module (see
2278# option URLGET for more details)
2279#
2280# The template used for this feature is /etc/csf/messenger/index.recaptcha.html
2281#
2282# Note: An unblock will fail if the end-users IP is located in a netblock,
2283# blocklist or CC_* deny entry
2284RECAPTCHA_SITEKEY = ""
2285RECAPTCHA_SECRET = ""
2286
2287# Send an email when an IP address successfully attempts to unblock themselves.
2288# This does not necessarily mean the IP was unblocked, only that the
2289# post-recaptcha unblock request was attempted
2290#
2291# Set to "0" to disable
2292RECAPTCHA_ALERT = "1"
2293
# If the server uses NAT then resolving the hostname to hosted IPs will likely
# not succeed. In that case, the external IP addresses must be listed here as
# a comma separated list
2297RECAPTCHA_NAT = ""
2298
2299###############################################################################
2300# SECTION:lfd Clustering
2301###############################################################################
# lfd Clustering. This allows the configuration of an lfd cluster environment
# where a group of servers can share blocks and configuration option changes.
# Included are CLI and UI options to send requests to the cluster.
#
# See the readme.txt file for more information and details on setup and
# security risks. In short: every host listed in CLUSTER_RECVFROM that holds
# CLUSTER_KEY can add or remove blocks on this server, so a compromised member
# affects the blocking decisions of the whole cluster, and CLUSTER_CONFIG
# extends that trust to configuration changes
#
# Comma separated list of cluster member IP addresses to send requests to
2310CLUSTER_SENDTO = ""
2311
2312# Comma separated list of cluster member IP addresses to receive requests from
2313CLUSTER_RECVFROM = ""
2314
2315# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
2316# changes
2317CLUSTER_MASTER = ""
2318
2319# If this is a NAT server, set this to the public IP address of this server
2320CLUSTER_NAT = ""
2321
2322# If a cluster member should send requests on an IP other than the default IP,
2323# set it here
2324CLUSTER_LOCALADDR = ""
2325
2326# Cluster communication port (must be the same on all member servers). There
2327# is no need to open this port in the firewall as csf will automatically add
2328# in and out bound rules to allow communication between cluster members
2329CLUSTER_PORT = "7777"
2330
# This is a secret key used to encrypt cluster communications using the
# Blowfish algorithm. It should be between 8 and 56 characters long,
# preferably > 20 random characters
#
# Together with the CLUSTER_RECVFROM IP list, this key is all that
# authenticates cluster peers, so generate it from a CSPRNG rather than
# choosing it by hand (e.g. "openssl rand -hex 28" yields 56 characters) and
# use the same value on every member. Note that Blowfish is a legacy 64-bit
# block cipher; keep cluster traffic confined to trusted networks rather than
# relying on this encryption alone across the internet
# 56 chars: 01234567890123456789012345678901234567890123456789012345
2335CLUSTER_KEY = ""
2336
2337# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
2338# servers must have this servers IP address listed in their CLUSTER_RECVFROM
2339#
2340# Set to 0 to disable this feature
2341CLUSTER_BLOCK = "1"
2342
# This option allows the enabling and disabling of the Cluster configuration
# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
# CLUSTER_MASTER server
#
# Note: Enabling this lets CLUSTER_MASTER rewrite this server's csf
# configuration and push configuration files to it, so treat the master as
# fully trusted and restrict CLUSTER_MASTER to a single, well-protected host
#
# Set this option to 1 to allow Cluster configurations to be received
2348CLUSTER_CONFIG = "0"
2349
2350# Maximum number of child processes to listen on. High blocking rates or large
2351# clusters may need to increase this
2352CLUSTER_CHILDREN = "10"
2353
2354###############################################################################
2355# SECTION:Port Knocking
2356###############################################################################
# Port Knocking. This feature allows port knocking to be enabled on multiple
# ports with a variable number of knocked ports and a timeout. There must be a
# minimum of 3 ports to knock for an entry to be valid
#
# Note: The knock sequence is a static secret sent in the clear, so anyone who
# can observe the traffic can replay it. Treat port knocking as a way to reduce
# the exposure of a service, not as a substitute for authentication on the
# port it opens
#
# See the following for information regarding Port Knocking:
# http://www.portknocking.org/
2363#
2364# This feature does not work on servers that do not have the iptables module
2365# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
2366# server admins should check with their VPS host provider that the iptables
2367# module is included
2368#
2369# For further information and syntax refer to the Port Knocking section of the
2370# csf readme.txt
2371#
2372# Note: Run /etc/csf/csftest.pl to check whether this option will function on
2373# this server
2374#
2375# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
2376# e.g.: 22;TCP;20;100;200;300;400
2377PORTKNOCKING = ""
2378
2379# Enable PORTKNOCKING logging by iptables
2380PORTKNOCKING_LOG = "1"
2381
# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
# also be enabled to use this option
#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# the RESTRICT_SYSLOG section of this file before enabling this option
2387PORTKNOCKING_ALERT = "0"
2388
2389###############################################################################
2390# SECTION:Log Scanner
2391###############################################################################
2392# Log Scanner. This feature will send out an email summary of the log lines of
2393# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
2394# they match a regular expression in /etc/csf/csf.logignore
2395#
2396# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
2397# be aware that the more files lfd has to track, the greater the performance
2398# hit. Note: File globs are only evaluated when lfd is started
2399#
# Note: lfd builds the report continuously from lines logged after lfd has
# started, so any lines logged when lfd is not running will not be reported
# (e.g. during reboot). If lfd is restarted, then the report will include any
# lines logged during the previous lfd logging period that weren't reported
#
# Note: The report is sent by email, so the log lines (which may contain
# usernames, IP addresses or other sensitive data) travel in the clear unless
# mail delivery is otherwise protected. Lines in syslog-managed logs may also
# have been spoofed by local users; see RESTRICT_SYSLOG
#
2405# 1 to enable, 0 to disable
2406LOGSCANNER = "0"
2407
2408# This is the interval each report will be sent based on the logalert.txt
2409# template
2410#
2411# The interval can be set to:
2412# "hourly" - sent on the hour
2413# "daily" - sent at midnight (00:00)
2414# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
2415# via cron job
2416LOGSCANNER_INTERVAL = "hourly"
2417
2418# Report Style
2419# 1 = Separate chronological log lines per log file
2420# 2 = Simply chronological log of all lines
2421LOGSCANNER_STYLE = "1"
2422
2423# Send the report email even if no log lines reported
2424# 1 to enable, 0 to disable
2425LOGSCANNER_EMPTY = "1"
2426
2427# Maximum number of lines in the report before it is truncated. This is to
2428# prevent log lines flooding resulting in an excessively large report. This
2429# might need to be increased if you choose a daily report
2430LOGSCANNER_LINES = "5000"
2431
2432###############################################################################
2433# SECTION:Statistics Settings
2434###############################################################################
# Statistics
#
# Some of the Statistics output requires the gd graphics library and the
# GD::Graph perl module with all dependent modules to be installed for the UI
# for them to be displayed
#
# This option enables statistical data gathering
2442ST_ENABLE = "1"
2443
2444# This option determines how many iptables log lines to store for reports
2445ST_IPTABLES = "100"
2446
2447# This option indicates whether rDNS and CC lookups are performed at the time
2448# the log line is recorded (this is not performed when viewing the reports)
2449#
2450# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
2451# then enabling this setting could cause serious performance problems
2452ST_LOOKUP = "0"
2453
# This option will gather basic system statistics. Through the UI it displays
# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
# . Hourly (per minute)
# . 24 hours (per minute)
# . 7 days (per minute averaged over an hour)
# . 30 days (per minute averaged over an hour) - user definable
# The data is stored in /var/lib/csf/stats/system and the option requires the
# perl GD::Graph module
#
# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
# those systems does not store the required information in /proc/diskstats
# On new installations or when enabling this option it will take time for these
# graphs to be populated
2467ST_SYSTEM = "1"
2468
2469# Set the maximum days to collect statistics for. The default is 30 days, the
2470# more data that is collected the longer it will take for each of the graphs to
2471# be generated
2472ST_SYSTEM_MAXDAYS = "30"
2473
2474# If ST_SYSTEM is enabled, then these options can collect MySQL statistical
2475# data. To use this option the server must have the perl modules DBI and
2476# DBD::mysql installed.
2477#
2478# Set this option to "0" to disable MySQL data collection
2479ST_MYSQL = "0"
2480
# The following options are for authentication for MySQL data collection. If
# the password is left blank and the user set to "root" then the procedure will
# look for authentication data in /root/.my.cnf. Otherwise, you will need to
# provide a MySQL username and password to collect the data. Any MySQL user
# account can be used
#
# Note: A password set here is stored in clear text in this file. Prefer the
# /root/.my.cnf route, or create a dedicated low-privilege MySQL account for
# statistics collection rather than reusing an administrative one (check
# readme.txt for the grants the collection actually needs)
2486ST_MYSQL_USER = "root"
2487ST_MYSQL_PASS = ""
2488ST_MYSQL_HOST = "localhost"
2489
2490# If ST_SYSTEM is enabled, then this option can collect Apache statistical data
2491# The value for PT_APACHESTATUS must be correctly set
2492ST_APACHE = "0"
2493
# The following options measure disk write performance using dd (location set
# via the DD setting). It writes a 64MB test file (by default
# /var/lib/csf/dd_test, as set by ST_DISKW_DD below) and the statistics will
# plot the MB/s response time of the disk. As this is an IO intensive
# operation, it may not be prudent to run this test too often, so by default
# it is only run every 5 minutes and the result duplicated for each
# intervening minute for the statistics
#
# This is not necessarily a good measure of disk performance, primarily because
# the measurements are for relatively small amounts of data over a small amount
# of time. To properly test disk performance there are a variety of tools
# available that should be run for extended periods of time to obtain an
# accurate measurement. This metric is provided to give an idea of how the disk
# is performing over time
2507#
2508# Note: There is a 15 second timeout performing the check
2509#
2510# Set to 0 to disable, 1 to enable
2511ST_DISKW = "0"
2512
2513# The number of minutes that elapse between tests. Default is 5, minimum is 1.
2514ST_DISKW_FREQ = "5"
2515
# This is the command line passed to dd. If you are familiar with dd, or wish
# to move the output file (of) to a different disk, then you can alter this
# command. Take great care when making any changes to this command as it is
# very easy to overwrite a disk using dd if you make a mistake. The output
# path should be in a directory that only root can write to, so that the
# target file cannot be replaced by a symlink pointing somewhere else
2520ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"
2521
2522###############################################################################
2523# SECTION:Docker Settings
2524###############################################################################
2525# NOTE: This feature is currently in BETA testing, so may not work correctly
2526#
2527# This section provides the configuration of iptables rules to allow Docker
2528# containers to communicate through the host. If the generated rules do not
2529# work with your setup you will have to use a /etc/csf/csfpost.sh file and add
2530# your own iptables configuration instead
2531#
2532# 1 to enable, 0 to disable
2533DOCKER = "0"
2534
2535# The network device on the host
2536DOCKER_DEVICE = "docker0"
2537
2538# Docker container IPv4 range
2539DOCKER_NETWORK4 = "172.17.0.0/16"
2540
# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table
# available (see IPv6 section). Leave blank to disable
#
# Note: The default below (2001:db8:1::/64) is taken from the RFC 3849
# documentation prefix and is only a placeholder; replace it with the range
# actually assigned to the docker network (e.g. from "docker network inspect")
# before enabling DOCKER, otherwise the generated rules will not match your
# containers
2543DOCKER_NETWORK6 = "2001:db8:1::/64"
2544
2545###############################################################################
2546# SECTION:OS Specific Settings
2547###############################################################################
2548# Binary locations
2549IPTABLES = "/sbin/iptables"
2550IPTABLES_SAVE = "/sbin/iptables-save"
2551IPTABLES_RESTORE = "/sbin/iptables-restore"
2552IP6TABLES = "/sbin/ip6tables"
2553IP6TABLES_SAVE = "/sbin/ip6tables-save"
2554IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
2555MODPROBE = "/sbin/modprobe"
2556IFCONFIG = "/sbin/ifconfig"
2557SENDMAIL = "/usr/sbin/sendmail"
2558PS = "/bin/ps"
2559VMSTAT = "/usr/bin/vmstat"
2560NETSTAT = "/bin/netstat"
2561LS = "/bin/ls"
2562MD5SUM = "/usr/bin/md5sum"
2563TAR = "/bin/tar"
2564CHATTR = "/usr/bin/chattr"
2565UNZIP = "/usr/bin/unzip"
2566GUNZIP = "/bin/gunzip"
2567DD = "/bin/dd"
2568TAIL = "/usr/bin/tail"
2569GREP = "/bin/grep"
2570ZGREP = "/usr/bin/zgrep"
2571IPSET = "/usr/sbin/ipset"
2572SYSTEMCTL = "/usr/bin/systemctl"
2573HOST = "/usr/bin/host"
2574IP = "/sbin/ip"
2575
2576# Log file locations
2577#
2578# File globbing is allowed for the following logs. However, be aware that the
2579# more files lfd has to track, the greater the performance hit
2580#
2581# Note: File globs are only evaluated when lfd is started
2582#
2583HTACCESS_LOG = "/usr/local/apache/logs/error_log"
2584MODSEC_LOG = "/usr/local/apache/logs/error_log"
2585SSHD_LOG = "/var/log/secure"
2586SU_LOG = "/var/log/secure"
2587FTPD_LOG = "/var/log/messages"
2588SMTPAUTH_LOG = "/var/log/exim_mainlog"
2589SMTPRELAY_LOG = "/var/log/exim_mainlog"
2590POP3D_LOG = "/var/log/maillog"
2591IMAPD_LOG = "/var/log/maillog"
2592CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
2593CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log"
2594SCRIPT_LOG = "/var/log/exim_mainlog"
2595IPTABLES_LOG = "/var/log/messages"
2596SUHOSIN_LOG = "/var/log/messages"
2597BIND_LOG = "/var/log/messages"
2598SYSLOG_LOG = "/var/log/messages"
2599WEBMIN_LOG = "/var/log/secure"
2600
2601CUSTOM1_LOG = "/var/log/customlog"
2602CUSTOM2_LOG = "/var/log/customlog"
2603CUSTOM3_LOG = "/var/log/customlog"
2604CUSTOM4_LOG = "/var/log/customlog"
2605CUSTOM5_LOG = "/var/log/customlog"
2606CUSTOM6_LOG = "/var/log/customlog"
2607CUSTOM7_LOG = "/var/log/customlog"
2608CUSTOM8_LOG = "/var/log/customlog"
2609CUSTOM9_LOG = "/var/log/customlog"
2610
2611# The following are comma separated lists used if LF_SELECT is enabled,
2612# otherwise they are not used. They are derived from the application returned
2613# from a regex match in /usr/local/csf/bin/regex.pm
2614#
2615# All ports default to tcp blocks. To specify udp or tcp use the format:
2616# port;protocol,port;protocol,... For example, "53;udp,53;tcp"
2617PORTS_pop3d = "110,995"
2618PORTS_imapd = "143,993"
2619PORTS_htpasswd = "80,443"
2620PORTS_mod_security = "80,443"
2621PORTS_mod_qos = "80,443"
2622PORTS_symlink = "80,443"
2623PORTS_suhosin = "80,443"
2624PORTS_cxs = "80,443"
2625PORTS_bind = "53;udp,53;tcp"
2626PORTS_ftpd = "20,21"
2627PORTS_webmin = "10000"
2628PORTS_cpanel = "2077,2078,2082,2083,2086,2087,2095,2096"
2629# This list is extended, if present, by the ports defined by
2630# /etc/chkservd/exim-*
2631PORTS_smtpauth = "25,465,587"
2632PORTS_eximsyntax = "25,465,587"
2633# This list is replaced, if present, by "Port" definitions in
2634# /etc/ssh/sshd_config
2635PORTS_sshd = "22"
2636
2637# For internal use only. You should not enable this option as it could cause
2638# instability in csf and lfd
2639DEBUG = "0"
2640###############################################################################