1###############################################################################
2# SECTION:Initial Settings
3###############################################################################
# Testing flag - enables a CRON job that clears iptables in case of
# configuration problems when you start csf. This should be enabled until you
# are sure that the firewall works - i.e. in case you get locked out of your
# server! Then do remember to set it to 0 and restart csf when you're sure
# everything is OK. Stopping csf will remove the line from /etc/crontab
#
# lfd will not start while this is enabled
11TESTING = "0"
12
13# The interval for the crontab in minutes. Since this uses the system clock the
14# CRON job will run at the interval past the hour and not from when you issue
15# the start command. Therefore an interval of 5 minutes means the firewall
16# will be cleared in 0-5 minutes from the firewall start
17TESTING_INTERVAL = "5"
18
19# SECURITY WARNING
20# ================
21#
22# Unfortunately, syslog and rsyslog allow end-users to log messages to some
23# system logs via the same unix socket that other local services use. This
24# means that any log line shown in these system logs that syslog or rsyslog
25# maintain can be spoofed (they are exactly the same as real log lines).
26#
27# Since some of the features of lfd rely on such log lines, spoofed messages
28# can cause false-positive matches which can lead to confusion at best, or
29# blocking of any innocent IP address or making the server inaccessible at
30# worst.
31#
32# Any option that relies on the log entries in the files listed in
33# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
34# vulnerable to exploitation by end-users and scripts run by end-users.
35#
36# NOTE: Not all log files are affected as they may not use syslog/rsyslog
37#
38# The option RESTRICT_SYSLOG disables all these features that rely on affected
39# logs. These options are:
40# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
41# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
42# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
43# PORTKNOCKING_ALERT
44#
45# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
46# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
47#
48# The following options are still enabled by default on new installations so
49# that, on balance, csf/lfd still provides expected levels of security:
50# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
51#
# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
# above, it should be done with the knowledge that any of those options that
# are enabled could be triggered by spoofed log lines and lead to the server
# being inaccessible in the worst case. If you do not want to take that risk
# you should set RESTRICT_SYSLOG to "1"; those features will then not work, but
# you will also not be protected from the exploits that they normally help block
58#
59# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
60# the syslog/rsyslog unix socket.
61#
62# For further advice on how to help mitigate these issues, see
63# /etc/csf/readme.txt
64#
65# 0 = Allow those options listed above to be used and configured
66# 1 = Disable all the options listed above and prevent them from being used
67# 2 = Disable only alerts about this feature and do nothing else
68# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
69RESTRICT_SYSLOG = "3"
70
# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
# write access to the syslog/rsyslog unix socket(s). The group must not already
# exist in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
# to a unique name for the server
75#
76# You can add users to this group by changing /etc/csf/csf.syslogusers and then
77# restarting lfd afterwards. This will create the system group and add the
78# users from csf.syslogusers if they exist to that group and will change the
79# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
80# monitored and the permissions re-applied should syslog/rsyslog be restarted
81#
82# Using this option will prevent some legitimate logging, e.g. end-user cron
83# job logs
84#
85# If you want to revert RESTRICT_SYSLOG to another option and disable this
86# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
87# syslog/rsyslog and the unix sockets will be reset
88RESTRICT_SYSLOG_GROUP = "mysyslog"
89
# This option restricts the ability to modify settings within this file from
# the csf UI. Should the parent control panel be compromised, these restricted
# options could be used to further compromise the server. For this reason we
# recommend leaving this option set to at least "1"; if any of the restricted
# items need to be changed, do so from the root shell
95#
96# 0 = Unrestricted UI
97# 1 = Restricted UI
98# 2 = Disabled UI
99RESTRICT_UI = "1"
100
101# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
102# runs once per day to see if there is an update to csf+lfd and upgrades if
103# available and restarts csf and lfd
104#
105# You should check for new version announcements at http://blog.configserver.com
106AUTO_UPDATES = "1"
107
108###############################################################################
109# SECTION:IPv4 Port Settings
110###############################################################################
# Port ranges in the following comma separated lists can be specified using a
# colon (e.g. 30000:35000).
113
114# Some kernel/iptables setups do not perform stateful connection tracking
115# correctly (typically some virtual servers or custom compiled kernels), so a
116# SPI firewall will not function correctly. If this happens, LF_SPI can be set
117# to 0 to reconfigure csf as a static firewall.
118#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP_OUT, UDP_OUT and ICMP_OUT will not have any effect.
123#
124# If you allow incoming DNS lookups you may need to use the following
125# directive in the options{} section of your named.conf:
126#
127# query-source port 53;
128#
129# This will force incoming DNS traffic only through port 53
130#
131# Disabling this option will break firewall functionality that relies on
132# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
133# less secure
134#
135# This option should be set to "1" in all other circumstances
136LF_SPI = "1"
137
# Allow incoming TCP ports
#
# NOTE: a range of "0:65535" spans the entire port space, so the active value
# below accepts every inbound TCP port and the firewall applies no port-based
# filtering to IPv4 TCP (the same applies to TCP_OUT, UDP_IN and UDP_OUT below).
# The commented-out list is the restricted default; compare the IPv6 lists in
# the next section, which remain restricted. List only the ports that services
# on this server actually need
139#TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096"
140TCP_IN = "0:65535"
141
142# Allow outgoing TCP ports
143#TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
144TCP_OUT = "0:65535"
145
# Allow incoming UDP ports
#
# NOTE: "0:65535" is the entire port range, so the active value below accepts
# every inbound UDP port; the commented-out list is the restricted default
147#UDP_IN = "20,21,53"
148UDP_IN = "0:65535"
149
150# Allow outgoing UDP ports
151# To allow outgoing traceroute add 33434:33523 to this list
152#UDP_OUT = "20,21,53,113,123,873,6277,24441"
153UDP_OUT = "0:65535"
154
155# Allow incoming PING. Disabling PING will likely break external uptime
156# monitoring
157ICMP_IN = "0"
158
159# Set the per IP address incoming ICMP packet rate for PING requests. This
160# ratelimits PING requests which if exceeded results in silently rejected
161# packets. Disable or increase this value if you are seeing PING drops that you
162# do not want
163#
164# To disable rate limiting set to "0", otherwise set according to the iptables
165# documentation for the limit module. For example, "1/s" will limit to one
166# packet per second
167ICMP_IN_RATE = "0"
168
169# Allow outgoing PING
170#
171# Unless there is a specific reason, this option should NOT be disabled as it
172# could break OS functionality
173ICMP_OUT = "1"
174
175# Set the per IP address outgoing ICMP packet rate for PING requests. This
176# ratelimits PING requests which if exceeded results in silently rejected
177# packets. Disable or increase this value if you are seeing PING drops that you
178# do not want
179#
180# Unless there is a specific reason, this option should NOT be enabled as it
181# could break OS functionality
182#
183# To disable rate limiting set to "0", otherwise set according to the iptables
184# documentation for the limit module. For example, "1/s" will limit to one
185# packet per second
186ICMP_OUT_RATE = "0"
187
188# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
189# should be dropped, you can enable the following option. Otherwise, there
190# appears to be little evidence that it has anything to do with a security risk
191# and can impact network performance, so should be left disabled by everyone
192# else
193ICMP_TIMESTAMPDROP = "0"
194
195###############################################################################
196# SECTION:IPv6 Port Settings
197###############################################################################
198# IPv6: (Requires ip6tables)
199#
200# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
201# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
202#
203# Supported:
204# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
205# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS,
206# SYNFLOOD, LF_NETBLOCK
207#
208# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
209# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
210# CC_ALLOW_SMTPAUTH
211#
212# Supported if ip6tables >= 1.4.3:
213# PORTFLOOD, CONNLIMIT
214#
215# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
216# installed:
217# MESSENGER DOCKER SMTP_REDIRECT
218#
219# Not supported:
220# ICMP_IN, ICMP_OUT
221#
222IPV6 = "1"
223
# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
# of icmpv6 attacks. To restrict incoming icmpv6, set to "1", but note that this
# may break some connection types
228IPV6_ICMP_STRICT = "0"
229
230# Pre v2.6.20 kernel must set this option to "0" as no working state module is
231# present, so a static firewall is configured as a fallback
232#
233# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
234# not support IPv6 connection tracking by opening ephemeral port range
235# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
236# same workaround implemented by RedHat in the sample default IPv6 rules
237#
# As connection tracking will not be configured, applications that rely on it
# will not function unless all outgoing ports are opened. Therefore, all
# outgoing connections will be allowed once all other tests have completed. So
# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any effect.
242#
243# If you allow incoming ipv6 DNS lookups you may need to use the following
244# directive in the options{} section of your named.conf:
245#
246# query-source-v6 port 53;
247#
248# This will force ipv6 incoming DNS traffic only through port 53
249#
250# These changes are not necessary if the SPI firewall is used
251IPV6_SPI = "1"
252
253# Allow incoming IPv6 TCP ports
254TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
255
256# Allow outgoing IPv6 TCP ports
257TCP6_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703"
258
259# Allow incoming IPv6 UDP ports
260UDP6_IN = "20,21,53"
261
262# Allow outgoing IPv6 UDP ports
263# To allow outgoing traceroute add 33434:33523 to this list
264UDP6_OUT = "20,21,53,113,123,873,6277,24441"
265
266###############################################################################
267# SECTION:General Settings
268###############################################################################
269# By default, csf will auto-configure iptables to filter all traffic except on
270# the loopback device. If you only want iptables rules applied to a specific
271# NIC, then list it here (e.g. eth1, or eth+)
272ETH_DEVICE = ""
273
274# By adding a device to this option, ip6tables can be configured only on the
275# specified device. Otherwise, ETH_DEVICE and then the default setting will be
276# used
277ETH6_DEVICE = ""
278
# If you don't want iptables rules applied to specific NICs, then list them in
# a comma separated list (e.g. "eth1,eth2")
281ETH_DEVICE_SKIP = ""
282
283# This option should be enabled unless the kernel does not support the
284# "conntrack" module
285#
286# To use the deprecated iptables "state" module, change this to 0
287USE_CONNTRACK = "1"
288
289# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
290# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
291# This will also remove the RELATED target from the global state iptables rule
292#
293# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
294# the raw tables do not exist. The USE_CONNTRACK option should be enabled
295#
296# To enable this option, set it to your FTP server listening port number
297# (normally 21), do NOT set it to "1"
298USE_FTPHELPER = "0"
299
300# Check whether syslog is running. Many of the lfd checks require syslog to be
301# running correctly. This test will send a coded message to syslog every
302# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
303# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
304# syslogalert.txt is sent
305#
306# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
307SYSLOG_CHECK = "0"
308
309# Enable this option if you do not wish to block all IP's that have
310# authenticated using POP before SMTP (i.e. are valid clients). This option
311# checks for IP addresses in /etc/relayhosts, which last for 30 minutes in that
312# file after a successful POP authentication.
313#
314# Set the value to 0 to disable the feature
315RELAYHOSTS = "0"
316
317# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
318# listed in csf.allow in addition to csf.ignore (the default). This option
319# should be used with caution as it would mean that IP's allowed through the
320# firewall from infected PC's could launch attacks on the server that lfd
321# would ignore
322IGNORE_ALLOW = "0"
323
324# Enable the following option if you want to apply strict iptables rules to DNS
325# traffic (i.e. relying on iptables connection tracking). Enabling this option
326# could cause DNS resolution issues both to and from the server but could help
327# prevent abuse of the local DNS server
328DNS_STRICT = "0"
329
330# Enable the following option if you want to apply strict iptables rules to DNS
331# traffic between the server and the nameservers listed in /etc/resolv.conf
332# Enabling this option could cause DNS resolution issues both to and from the
333# server but could help prevent abuse of the local DNS server
334DNS_STRICT_NS = "0"
335
336# Limit the number of IP's kept in the /etc/csf/csf.deny file
337#
338# Care should be taken when increasing this value on servers with low memory
339# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
340# thousands) can sometimes cause network slowdown
341#
# The value set here is the maximum number of IPs/CIDRs allowed. If the limit
# is reached, the entries will be rotated so that the oldest entries (i.e. the
# ones at the top) are removed and the latest is added. The limit is only
# checked when using csf -d (which is what lfd also uses)
# Set to 0 to disable limiting
347#
348# For implementations wishing to set this value significantly higher, we
349# recommend using the IPSET option
350DENY_IP_LIMIT = "200"
351
# Limit the number of IP's kept in the temporary IP ban list. If the limit is
# reached the oldest IP's in the ban list will be removed and allowed
# regardless of the amount of time remaining for the block
# Set to 0 to disable limiting
356DENY_TEMP_IP_LIMIT = "100"
357
358# Enable login failure detection daemon (lfd). If set to 0 none of the
359# following settings will have any effect as the daemon won't start.
360LF_DAEMON = "1"
361
362# Check whether csf appears to have been stopped and restart if necessary,
363# unless TESTING is enabled above. The check is done every 300 seconds
364LF_CSF = "1"
365
366# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
367# IP6TABLES_RESTORE in two ways:
368#
369# 1. On a clean server reboot the entire csf iptables configuration is saved
370# and then restored where possible to provide a near instant firewall
371# startup[*]
372#
# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
# BOGON, TOR are loaded using this method in a fraction of the time they take
# when this setting is disabled
376#
377# [*]Not supported on all OS platforms
378#
379# Set to "0" to disable this functionality
380FASTSTART = "1"
381
382# This option allows you to use ipset v6+ for the following csf options:
383# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
384# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
385#
386# ipset will only be used with the above options when listing IPs and CIDRs.
387# Advanced Allow Filters and temporary blocks use traditional iptables
388#
389# Using ipset moves the onus of ip matching against large lists away from
390# iptables rules and to a purpose built and optimised database matching
391# utility. It also simplifies the switching in of updated lists
392#
393# To use this option you must have a fully functioning installation of ipset
394# installed either via rpm or source from http://ipset.netfilter.org/
395#
396# Note: Using ipset has many advantages, some disadvantages are that you will
397# no longer see packet and byte counts against IPs and it makes identifying
398# blocked/allowed IPs that little bit harder
399#
400# Note: If you mainly use IP address only entries in csf.deny, you can increase
401# the value of DENY_IP_LIMIT significantly if you wish
402#
403# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
404# containers even if it has been installed
405#
406# If you find any problems, please post on forums.configserver.com with full
407# details of the issue
408LF_IPSET = "0"
409
410# Versions of iptables greater or equal to v1.4.20 should support the --wait
411# option. This forces iptables commands that use the option to wait until a
412# lock by any other process using iptables completes, rather than simply
413# failing
414#
415# Enabling this feature will add the --wait option to iptables commands
416#
417# NOTE: The disadvantage of using this option is that any iptables command that
418# uses it will hang until the lock is released. This could cause a cascade of
419# hung processes trying to issue iptables commands. To try and avoid this issue
420# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
421# a failure if reached
422WAITLOCK = "0"
423WAITLOCK_TIMEOUT = "300"
424
425# The following sets the hashsize for ipset sets, which must be a power of 2.
426#
427# Note: Increasing this value will consume more memory for all sets
428# Default: "1024"
429LF_IPSET_HASHSIZE = "1024"
430
431# The following sets the maxelem for ipset sets.
432#
433# Note: Increasing this value will consume more memory for all sets
434# Default: "65536"
435LF_IPSET_MAXELEM = "65536"
436
437# If you enable this option then whenever a CLI request to restart csf is used
438# lfd will restart csf instead within LF_PARSE seconds
439#
440# This feature can be helpful for restarting configurations that cannot use
441# FASTSTART
442LFDSTART = "0"
443
444# Enable verbose output of iptables commands
445VERBOSE = "1"
446
447# Drop out of order packets and packets in an INVALID state in iptables
448# connection tracking
449PACKET_FILTER = "1"
450
451# Perform reverse DNS lookups on IP addresses. See also CC_LOOKUPS
452LF_LOOKUPS = "1"
453
454# Custom styling is possible in the csf UI. See the readme.txt for more
455# information under "UI skinning and Mobile View"
456#
457# This option enables the use of custom styling. If the styling fails to work
458# correctly, e.g. custom styling does not take into account a change in the
459# standard csf UI, then disabling this option will return the standard UI
460STYLE_CUSTOM = "0"
461
462# This option disables the presence of the Mobile View in the csf UI
463STYLE_MOBILE = "1"
464
465###############################################################################
466# SECTION:SMTP Settings
467###############################################################################
# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
# to use the exim/sendmail binary instead of sockets access). This replaces the
# protection provided by WHM > Tweak Settings > SMTP Tweaks
471#
# This option uses the iptables ipt_owner/xt_owner module, which must be loaded
# for it to work. It may not be available on some VPS platforms
474#
475# Note: Run /etc/csf/csftest.pl to check whether this option will function on
476# this server
477SMTP_BLOCK = "0"
478
479# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
480# on the server (e.g. for webmail or web scripts) then enable this option to
481# allow outgoing SMTP connections to the loopback device
482SMTP_ALLOWLOCAL = "1"
483
484# This option redirects outgoing SMTP connections destined for remote servers
485# for non-bypass users to the local SMTP server to force local relaying of
486# email. Such email may require authentication (SMTP AUTH)
487SMTP_REDIRECT = "0"
488
489# This is a comma separated list of the ports to block. You should list all
490# ports that exim is configured to listen on
491SMTP_PORTS = "25,465,587"
492
493# Always allow the following comma separated users and groups to bypass
494# SMTP_BLOCK
495#
496# Note: root (UID:0) is always allowed
497SMTP_ALLOWUSER = "cpanel"
498SMTP_ALLOWGROUP = "mail,mailman"
499
500# This option will only allow SMTP AUTH to be advertised to the IP addresses
501# listed in /etc/csf/csf.smtpauth on EXIM mail servers
502#
503# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
504# additionally restrict access to specific countries
505#
506# This is to help limit attempts at distributed attacks against SMTP AUTH which
507# are difficult to achieve since port 25 needs to be open to relay email
508#
509# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
510# connection, then SMTP AUTH will not accept logins, defeating the attacks
511# without restricting mail relaying
512#
513# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
514# that the lookup file in /etc/exim.smtpauth is regenerated from the
515# information from /etc/csf/csf.smtpauth plus any countries listed in
516# CC_ALLOW_SMTPAUTH
517#
518# NOTE: To make this option work you MUST make the modifications to exim.conf
519# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
520# after enabling the option here, otherwise this option will not work
521#
522# To enable this option, set to 1 and make the exim configuration changes
523# To disable this option, set to 0 and undo the exim configuration changes
524SMTPAUTH_RESTRICT = "0"
525
526###############################################################################
527# SECTION:Port Flood Settings
528###############################################################################
529# Enable SYN Flood Protection. This option configures iptables to offer some
530# protection from tcp SYN packet DOS attempts. You should set the RATE so that
531# false-positives are kept to a minimum otherwise visitors may see connection
532# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
533# man page for the correct --limit rate syntax
534#
535# Note: This option should ONLY be enabled if you know you are under a SYN
536# flood attack as it will slow down all new connections from any IP address to
537# the server if triggered
538SYNFLOOD = "0"
539SYNFLOOD_RATE = "100/s"
540SYNFLOOD_BURST = "150"
541
542# Connection Limit Protection. This option configures iptables to offer more
543# protection from DOS attacks against specific ports. It can also be used as a
544# way to simply limit resource usage by IP address to specific server services.
545# This option limits the number of concurrent new connections per IP address
546# that can be made to specific ports
547#
548# This feature does not work on servers that do not have the iptables module
549# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
550# server admins should check with their VPS host provider that the iptables
551# module is included
552#
553# For further information and syntax refer to the Connection Limit Protection
554# section of the csf readme.txt
555#
556# Note: Run /etc/csf/csftest.pl to check whether this option will function on
557# this server
558CONNLIMIT = ""
559
560# Port Flood Protection. This option configures iptables to offer protection
561# from DOS attacks against specific ports. This option limits the number of
562# new connections per time interval that can be made to specific ports
563#
564# This feature does not work on servers that do not have the iptables module
565# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
566# server admins should check with their VPS host provider that the iptables
567# module is included
568#
569# For further information and syntax refer to the Port Flood Protection
570# section of the csf readme.txt
571#
572# Note: Run /etc/csf/csftest.pl to check whether this option will function on
573# this server
574PORTFLOOD = ""
575
576# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
577# These typically originate from exploit scripts uploaded through vulnerable
578# web scripts. Care should be taken on servers that use services that utilise
579# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
580# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
581#
582# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
583UDPFLOOD = "0"
584UDPFLOOD_LIMIT = "100/s"
585UDPFLOOD_BURST = "500"
586
587# This is a list of usernames that should not be rate limited, such as "named"
588# to prevent bind traffic from being limited.
589#
590# Note: root (UID:0) is always allowed
591UDPFLOOD_ALLOWUSER = "named"
592
593###############################################################################
594# SECTION:Logging Settings
595###############################################################################
596# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
597# perl module Sys::Syslog installed to use this feature
598SYSLOG = "0"
599
600# Drop target for incoming iptables rules. This can be set to either DROP or
601# REJECT. REJECT will send back an error packet, DROP will not respond at all.
602# REJECT is more polite, however it does provide extra information to a hacker
603# and lets them know that a firewall is blocking their attempts. DROP hangs
604# their connection, thereby frustrating attempts to port scan the server
605DROP = "DROP"
606
607# Drop target for outgoing iptables rules. This can be set to either DROP or
608# REJECT as with DROP, however as such connections are from this server it is
609# better to REJECT connections to closed ports rather than to DROP them. This
610# helps to immediately free up server resources rather than tying them up until
611# a connection times out. It also tells the process making the connection that
612# it has immediately failed
613#
614# It is possible that some monolithic kernels may not support the REJECT
615# target. If this is the case, csf checks before using REJECT and falls back to
616# using DROP, issuing a warning to set this to DROP instead
617DROP_OUT = "REJECT"
618
619# Enable logging of dropped connections to blocked ports to syslog, usually
620# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
621DROP_LOGGING = "1"
622
623# Enable logging of dropped incoming connections from blocked IP addresses
624#
625# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
626DROP_IP_LOGGING = "0"
627
628# Enable logging of dropped outgoing connections
629#
630# Note: Only outgoing SYN packets for TCP connections are logged, other
631# protocols log all packets
632#
633# We recommend that you enable this option
634DROP_OUT_LOGGING = "1"
635
636# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
637# out (where available) which can help track abuse
638DROP_UID_LOGGING = "1"
639
640# Only log incoming reserved port dropped connections (0:1023). This can reduce
641# the amount of log noise from dropped connections, but will affect options
642# such as Port Scan Tracking (PS_INTERVAL)
643DROP_ONLYRES = "0"
644
645# Commonly blocked ports that you do not want logging as they tend to just fill
646# up the log file. These ports are specifically blocked (applied to TCP and UDP
647# protocols) for incoming connections
648DROP_NOLOG = "23,67,68,111,113,135:139,445,500,513,520"
649
650# Log packets dropped by the packet filtering option PACKET_FILTER
651DROP_PF_LOGGING = "0"
652
653# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
654# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
655# addresses breaking the Connection Limit Protection will be blocked
656CONNLIMIT_LOGGING = "0"
657
658# Enable logging of UDP floods. This should be enabled, especially with User ID
659# Tracking enabled
660UDPFLOOD_LOGGING = "1"
661
662# Send an alert if log file flooding is detected which causes lfd to skip log
663# lines to prevent lfd from looping. If this alert is sent you should check the
664# reported log file for the reason for the flooding
665LOGFLOOD_ALERT = "0"
666
667###############################################################################
668# SECTION:Reporting Settings
669###############################################################################
670# By default, lfd will send alert emails using the relevant alert template to
671# the To: address configured within that template. Setting the following
672# option will override the configured To: field in all lfd alert emails
673#
674# Leave this option empty to use the To: field setting in each alert template
675LF_ALERT_TO = ""
676
677# By default, lfd will send alert emails using the relevant alert template from
678# the From: address configured within that template. Setting the following
679# option will override the configured From: field in all lfd alert emails
680#
681# Leave this option empty to use the From: field setting in each alert template
682LF_ALERT_FROM = ""
683
684# By default, lfd will send all alerts using the SENDMAIL binary. To send using
685# SMTP directly, you can set the following to a relaying SMTP server, e.g.
686# "127.0.0.1". Leave this setting blank to use SENDMAIL
687LF_ALERT_SMTP = ""
688
# Block Reporting. lfd can run an external script when it performs an IP
# address block following, for example, a login failure. The following setting
# is the full path of the external script, which must be executable. See
# readme.txt for format details
#
# Leave this setting blank to disable
695BLOCK_REPORT = ""
696
697# To also run an external script when a temporary block is unblocked: the
698# following setting can be the full path of the external script which must be
699# executable. See readme.txt for format details
700#
701# Leave this setting blank to disable
702UNBLOCK_REPORT = ""
703
704# In addition to the standard lfd email alerts, you can additionally enable the
705# sending of X-ARF reports (see http://www.x-arf.org/specification.html). Only
706# block alert messages will be sent. The reports use our schema at:
707# https://download.configserver.com/abuse_login-attack_0.2.json
708#
709# These reports are in a format accepted by many Netblock owners and should
710# help them investigate abuse. This option is not designed to automatically
711# forward these reports to the Netblock owners and should be checked for
712# false-positive blocks before reporting
713#
714# If available, the report will also include the abuse contact for the IP from
715# the Abusix Contact DB: https://abusix.com/contactdb.html
716#
717# Note: The following block types are not reported through this feature:
718# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
719X_ARF = "0"
720
721# By default, lfd will send emails from the root forwarder. Setting the
722# following option will override this
723X_ARF_FROM = ""
724
725# By default, lfd will send emails to the root forwarder. Setting the following
726# option will override this
727X_ARF_TO = ""
728
729# If you want to automatically send reports to the abuse contact where found,
730# you can enable the following option
731#
732# Note: You MUST set X_ARF_FROM to a valid email address for this option to
733# work. This is so that the abuse contact can reply to the report
734#
735# However, you should be aware that without manual checking you could be
736# reporting innocent IP addresses, including your own clients, yourself and
737# your own servers
738#
739# Additionally, just because a contact address is found, does not mean that
740# there is anyone on the end of it reading, processing or acting on such
741# reports and you could conceivably be reported for sending spam
742#
743# We do not recommend enabling this option. Abuse reports should be checked and
744# verified before being forwarded to the abuse contact
745X_ARF_ABUSE = "0"
746
747###############################################################################
748# SECTION:Temp to Perm/Netblock Settings
749###############################################################################
750# Temporary to Permanent IP blocking. The following enables this feature to
751# permanently block IP addresses that have been temporarily blocked more than
752# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
753# LF_PERMBLOCK to "1" to enable this feature
754#
755# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
756# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
757# (TTL) for blocked IPs, to be effective
758#
759# Set LF_PERMBLOCK to "0" to disable this feature
760LF_PERMBLOCK = "1"
761LF_PERMBLOCK_INTERVAL = "86400"
762LF_PERMBLOCK_COUNT = "4"
763LF_PERMBLOCK_ALERT = "1"
764
765# Permanently block IPs by network class. The following enables this feature
766# to permanently block classes of IP address where individual IP addresses
767# within the same class LF_NETBLOCK_CLASS have already been blocked more than
768# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
769# LF_NETBLOCK to "1" to enable this feature
770#
771# This can be an effective way of blocking DDOS attacks launched from within
772# the same network class
773#
774# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C"; care and
775# consideration are required when blocking network classes A or B
776#
777# Set LF_NETBLOCK to "0" to disable this feature
778LF_NETBLOCK = "0"
779LF_NETBLOCK_INTERVAL = "86400"
780LF_NETBLOCK_COUNT = "4"
781LF_NETBLOCK_CLASS = "C"
782LF_NETBLOCK_ALERT = "1"
783
784# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
785# Great care should be taken with IPV6 netblock ranges due to the large number
786# of addresses involved
787#
788# To disable IPv6 netblocks set to ""
789LF_NETBLOCK_IPV6 = ""
790
791###############################################################################
792# SECTION:Global Lists/DYNDNS/Blocklists
793###############################################################################
794# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
795# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
796# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
797# chain, then flush and delete the old dynamic chain and rename the new chain.
798#
799# This prevents a small window of opportunity opening when an update occurs and
800# the dynamic chain is flushed for the new rules.
801#
802# This option should not be enabled on servers with long dynamic chains (e.g.
803# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
804# Virtuozzo VPS servers with a restricted numiptent value. This is because each
805# chain will effectively be duplicated while the update occurs, doubling the
806# number of iptables rules
807SAFECHAINUPDATE = "0"
808
809# If you wish to allow access from dynamic DNS records (for example if your IP
810# address changes whenever you connect to the internet but you have a dedicated
811# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
812# records in csf.dyndns and then set the following to the number of seconds to
813# poll for a change in the IP address. If the IP address has changed iptables
814# will be updated.
815#
816# If the FQDN has multiple A records then all of the IP addresses will be
817# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
818# also be allowed.
819#
820# A setting of 600 would check for IP updates every 10 minutes. Set the value
821# to 0 to disable the feature
822DYNDNS = "0"
823
824# To always ignore DYNDNS IP addresses in lfd blocking, set the following
825# option to 1
826DYNDNS_IGNORE = "0"
827
828# The following Global options allow you to specify a URL where csf can grab a
829# centralised copy of an IP allow or deny block list of your own. You need to
830# specify the full URL in the following options, i.e.:
831# http://www.somelocation.com/allow.txt
832#
833# The actual retrieval of these IP's is controlled by lfd, so you need to set
834# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
835# will perform the retrieval when it runs and then again at the specified
836# interval. A sensible interval would probably be every 3600 seconds (1 hour).
837# A minimum value of 300 is enforced for LF_GLOBAL if enabled
838#
839# You do not have to specify both an allow and a deny file
840#
841# You can also configure a global ignore file for IP's that lfd should ignore
842LF_GLOBAL = "0"
843
844GLOBAL_ALLOW = ""
845GLOBAL_DENY = ""
846GLOBAL_IGNORE = ""
847
848# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
849# this to the URL of the file containing DYNDNS entries
850GLOBAL_DYNDNS = ""
851
852# Set the following to the number of seconds to poll for a change in the IP
853# address resolved from GLOBAL_DYNDNS
854GLOBAL_DYNDNS_INTERVAL = "600"
855
856# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
857# option to 1
858GLOBAL_DYNDNS_IGNORE = "0"
859
860# Blocklists are controlled by modifying /etc/csf/csf.blocklists
861#
862# If you don't want BOGON rules applied to specific NICs, then list them in
863# a comma separated list (e.g "eth1,eth2")
864LF_BOGON_SKIP = ""
865
866# The following option can be used to select either HTTP::Tiny or
867# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
868# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
869# have to be installed manually, but it can better support https:// URL's
870# which also needs the LWP::Protocol::https perl module
871#
872# For example:
873#
874# On rpm based systems:
875#
876# yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
877#
878# On APT based systems:
879#
880# apt-get install libwww-perl liblwp-protocol-https-perl
881#
882# Via cpan:
883#
884# perl -MCPAN -eshell
885# cpan> install LWP LWP::Protocol::https
886#
887# We recommend setting this to "2" as upgrades to csf will be performed
888# over SSL to https://download.configserver.com
889#
890# "1" = HTTP::Tiny
891# "2" = LWP::UserAgent
892URLGET = "2"
893
894###############################################################################
895# SECTION:Country Code Lists and Settings
896###############################################################################
897# Country Code to CIDR allow/deny. In the following two options you can allow
898# or deny whole country CIDR ranges. The CIDR blocks are generated from the
899# MaxMind GeoLite2 Country database at:
900# https://dev.MaxMind.com/geoip/geoip2/geolite2/
901# This feature relies entirely on that service being available
902#
903# Specify the two-letter ISO Country Code(s). The iptables rules are for
904# incoming connections only
905#
906# Additionally, ASN numbers can also be added to the comma separated lists
907# below that also list Country Codes. The same WARNINGS for Country Codes apply
908# to the use of ASNs. More about Autonomous System Numbers (ASN):
909# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
910#
911# You should consider using LF_IPSET when using any of the following options
912#
913# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
914# non-geographic IP address designations for their clients
915#
916# WARNING: Some of the CIDR lists are huge and each one requires a rule within
917# the incoming iptables chain. This can result in significant performance
918# overheads and could render the server inaccessible in some circumstances. For
919# this reason (amongst others) we do not recommend using these options
920#
921# WARNING: Due to the resource constraints on VPS servers this feature should
922# not be used on such systems unless you choose very small CC zones
923#
924# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
925# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
926# preferred
927#
928# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
929CC_DENY = ""
930CC_ALLOW = ""
931
932# An alternative to CC_ALLOW is to only allow access from the following
933# countries but still filter based on the port and packets rules. All other
934# connections are dropped
935CC_ALLOW_FILTER = ""
936
937# This option allows access from the following countries to specific ports
938# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
939#
940# Note: The rules for this feature are inserted after the allow and deny
941# rules to still allow blocking of IP addresses
942#
943# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
944CC_ALLOW_PORTS = ""
945
946# All listed ports should be removed from TCP_IN/UDP_IN to block access from
947# elsewhere. This option uses the same format as TCP_IN/UDP_IN
948#
949# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
950# then only countries listed in CC_ALLOW_PORTS can access FTP
951CC_ALLOW_PORTS_TCP = ""
952CC_ALLOW_PORTS_UDP = ""
953
954# This option denies access from the following countries to specific ports
955# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
956#
957# Note: The rules for this feature are inserted after the allow and deny
958# rules to still allow allowing of IP addresses
959#
960# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
961CC_DENY_PORTS = ""
962
963# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
964# NOT be removed from TCP_IN/UDP_IN
965#
966# An example would be to list port 21 here then countries listed in
967# CC_DENY_PORTS cannot access FTP
968CC_DENY_PORTS_TCP = ""
969CC_DENY_PORTS_UDP = ""
970
971# This Country Code list will prevent lfd from blocking IP address hits for the
972# listed CC's
973#
974# CC_LOOKUPS must be enabled to use this option
975CC_IGNORE = ""
976
977# This Country Code list will only allow SMTP AUTH to be advertised to the
978# listed countries in EXIM. This is to help limit attempts at distributed
979# attacks against SMTP AUTH which are difficult to achieve since port 25 needs
980# to be open to relay email
981#
982# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
983# connection, then SMTP AUTH will not accept logins, defeating the attacks
984# without restricting mail relaying
985#
986# This option can generate a very large list of IP addresses that could easily
987# severely impact on SMTP (mail) performance, so care must be taken when
988# selecting countries and if performance issues ensue
989#
990# The option SMTPAUTH_RESTRICT must be enabled to use this option
991CC_ALLOW_SMTPAUTH = ""
992
993# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
994# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
995# help reduce the number of CC entries and may improve iptables throughput.
996# Obviously, this will deny/allow fewer IP addresses depending on how small you
997# configure the option
998#
999# For example, to ignore all CIDR (and single IP) entries smaller than a /16, set
1000# this option to "16". Set to "" to block all CC IP addresses
1001CC_DROP_CIDR = ""
1002
1003# Display Country Code and Country for reported IP addresses. This option can
1004# be configured to use the MaxMind Country Database or the more detailed (and
1005# much larger and therefore slower) MaxMind City Database. An additional option
1006# is also available if you cannot use the MaxMind databases
1007#
1008# "0" - disable
1009# "1" - Reports: Country Code and Country
1010# "2" - Reports: Country Code and Country and Region and City
1011# "3" - Reports: Country Code and Country and Region and City and ASN
1012# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
1013#
1014# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
1015# uses a URL-based lookup from a third-party provider at https://freegeoip.net
1016# and so avoids having to download and process the large databases. Please
1017# visit https://freegeoip.net and read their limitations and respect that
1018# this option will either cease to function or be removed by us if that site is
1019# abused or overloaded. ONLY use this option if you have difficulties using the
1020# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
1021# CC_* options above, which will continue to use the MaxMind databases
1022#
1023CC_LOOKUPS = "1"
1024
1025# Display Country Code and Country for reported IPv6 addresses using the
1026# MaxMind Country IPv6 Database
1027#
1028# "0" - disable
1029# "1" - enable and report the detail level as specified in CC_LOOKUPS
1030#
1031# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
1032# PORTFLOOD
1033CC6_LOOKUPS = "0"
1034
1035# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
1036# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
1037# days)
1038CC_INTERVAL = "14"
1039
1040###############################################################################
1041# SECTION:Login Failure Blocking and Alerts
1042###############################################################################
1043# The following[*] triggers are application specific. If you set LF_TRIGGER to
1044# "0" the value of each trigger is the number of failures against that
1045# application that will trigger lfd to block the IP address
1046#
1047# If you set LF_TRIGGER to a value greater than "0" then the following[*]
1048# application triggers are simply on or off ("0" or "1") and the value of
1049# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
1050# to block the IP address
1051#
1052# Setting the application trigger to "0" disables it
1053LF_TRIGGER = "0"
1054
1055# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
1056# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
1057# "1" and the IP address will be blocked temporarily for that value in seconds.
1058# For example:
1059# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
1060# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
1061#
1062# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
1063# in the same way as above and LF_TRIGGER_PERM serves no function
1064LF_TRIGGER_PERM = "1"
1065
1066# To only block access to the failed application instead of a complete block
1067# for an ip address, you can set the following to "1", but LF_TRIGGER must be
1068# set to "0" with specific application[*] trigger levels also set appropriately
1069#
1070# The ports that are blocked can be configured by changing the PORTS_* options
1071LF_SELECT = "0"
1072
1073# Send an email alert if an IP address is blocked by one of the [*] triggers
1074LF_EMAIL_ALERT = "1"
1075
1076# [*]Enable login failure detection of sshd connections
1077#
1078# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1079# this file about RESTRICT_SYSLOG before enabling this option:
1080LF_SSHD = "5"
1081LF_SSHD_PERM = "1"
1082
1083# [*]Enable login failure detection of ftp connections
1084#
1085# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1086# this file about RESTRICT_SYSLOG before enabling this option:
1087LF_FTPD = "10"
1088LF_FTPD_PERM = "1"
1089
1090# [*]Enable login failure detection of SMTP AUTH connections
1091LF_SMTPAUTH = "5"
1092LF_SMTPAUTH_PERM = "1"
1093
1094# [*]Enable syntax failure detection of Exim connections
1095LF_EXIMSYNTAX = "10"
1096LF_EXIMSYNTAX_PERM = "1"
1097
1098# [*]Enable login failure detection of pop3 connections
1099#
1100# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1101# this file about RESTRICT_SYSLOG before enabling this option:
1102LF_POP3D = "10"
1103LF_POP3D_PERM = "1"
1104
1105# [*]Enable login failure detection of imap connections
1106#
1107# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1108# this file about RESTRICT_SYSLOG before enabling this option:
1109LF_IMAPD = "10"
1110LF_IMAPD_PERM = "1"
1111
1112# [*]Enable login failure detection of Apache .htpasswd connections
1113# Due to the often high logging rate in the Apache error log, you might want to
1114# enable this option only if you know you are suffering from attacks against
1115# password protected directories
1116LF_HTACCESS = "5"
1117LF_HTACCESS_PERM = "1"
1118
1119# [*]Enable login failure detection of cpanel, webmail and whm connections
1120LF_CPANEL = "5"
1121LF_CPANEL_PERM = "1"
1122
1123# [*]Enable failure detection of repeated Apache mod_security rule triggers
1124LF_MODSEC = "5"
1125LF_MODSEC_PERM = "1"
1126
1127# [*]Enable detection of repeated BIND denied requests
1128# This option should be enabled with care as it will prevent blocked IPs from
1129# resolving any domains on the server. You might want to set the trigger value
1130# reasonably high to avoid this
1131# Example: LF_BIND = "100"
1132LF_BIND = "0"
1133LF_BIND_PERM = "1"
1134
1135# [*]Enable detection of repeated suhosin ALERTs
1136# Example: LF_SUHOSIN = "5"
1137#
1138# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1139# this file about RESTRICT_SYSLOG before enabling this option:
1140LF_SUHOSIN = "0"
1141LF_SUHOSIN_PERM = "1"
1142
1143# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
1144# This option will block IP addresses if cxs detects hits from the
1145# ModSecurity rule associated with it
1146#
1147# Note: This option takes precedence over LF_MODSEC and removes any hits
1148# counted towards LF_MODSEC for the cxs rule
1149#
1150# This setting should probably be set very low, perhaps to 1, if you want to
1151# effectively block IP addresses for this trigger option
1152LF_CXS = "0"
1153LF_CXS_PERM = "1"
1154
1155# [*]Enable detection of repeated Apache mod_qos rule triggers
1156LF_QOS = "0"
1157LF_QOS_PERM = "1"
1158
1159# [*]Enable detection of repeated Apache symlink race condition triggers from
1160# the Apache patch provided by:
1161# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
1162# This patch has also been included by cPanel via the easyapache option:
1163# "Symlink Race Condition Protection"
1164LF_SYMLINK = "0"
1165LF_SYMLINK_PERM = "1"
1166
1167# [*]Enable login failure detection of webmin connections
1168#
1169# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1170# this file about RESTRICT_SYSLOG before enabling this option:
1171LF_WEBMIN = "0"
1172LF_WEBMIN_PERM = "1"
1173
1174# Send an email alert if anyone logs in successfully using SSH
1175#
1176# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1177# this file about RESTRICT_SYSLOG before enabling this option:
1178LF_SSH_EMAIL_ALERT = "1"
1179
1180# Send an email alert if anyone uses su to access another account. This will
1181# send an email alert whether the attempt to use su was successful or not
1182#
1183# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1184# this file about RESTRICT_SYSLOG before enabling this option:
1185LF_SU_EMAIL_ALERT = "1"
1186
1187# Send an email alert if anyone accesses webmin
1188#
1189# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1190# this file about RESTRICT_SYSLOG before enabling this option:
1191LF_WEBMIN_EMAIL_ALERT = "1"
1192
1193# Send an email alert if anyone logs in successfully to root on the console
1194#
1195# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1196# this file about RESTRICT_SYSLOG before enabling this option:
1197LF_CONSOLE_EMAIL_ALERT = "1"
1198
1199# This option will keep track of the number of "File does not exist" errors in
1200# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
1201# seconds then the IP address will be blocked
1202#
1203# Care should be used with this option as it could generate many
1204# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
1205# so only use this option if you know you are under this type of attack
1206#
1207# A sensible setting for this would be quite high, perhaps 200
1208#
1209# To disable set to "0"
1210LF_APACHE_404 = "0"
1211
1212# If this option is set to 1 the blocks will be permanent
1213# If this option is > 1, the blocks will be temporary for the specified number
1214# of seconds
1215LF_APACHE_404_PERM = "3600"
1216
1217# This option will keep track of the number of "client denied by server
1218# configuration" errors in HTACCESS_LOG. If the number of hits is more than
1219# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
1220#
1221# Care should be used with this option as it could generate many
1222# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
1223# so only use this option if you know you are under this type of attack
1224#
1225# To disable set to "0"
1226LF_APACHE_403 = "0"
1227
1228# If this option is set to 1 the blocks will be permanent
1229# If this option is > 1, the blocks will be temporary for the specified number
1230# of seconds
1231LF_APACHE_403_PERM = "3600"
1232
1233# This option will keep track of the number of 401 failures in HTACCESS_LOG.
1234# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
1235# the IP address will be blocked
1236#
1237# To disable set to "0"
1238LF_APACHE_401 = "0"
1239
1240# If this option is set to 1 the blocks will be permanent
1241# If this option is > 1, the blocks will be temporary for the specified number
1242# of seconds
1243LF_APACHE_401_PERM = "3600"
1244
1245# This option is used to determine if the Apache error_log format contains the
1246# client port after the client IP. In Apache prior to v2.4, this was not the
1247# case. In Apache v2.4+ the error_log format can be configured using
1248# ErrorLogFormat, making the port directive optional
1249#
1250# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
1251# to the client IP by default. This makes determining client IPv6 addresses
1252# difficult unless we know whether the port is being appended or not
1253#
1254# lfd will attempt to autodetect the correct value if this option is set to "0"
1255# from the httpd binary found in common locations. If it fails to find a binary
1256# it will be set to "2", unless specified here
1257#
1258# The value can be set here explicitly if the autodetection does not work:
1259# 0 - autodetect
1260# 1 - no port directive after client IP
1261# 2 - port directive after client IP
1262LF_APACHE_ERRPORT = "0"
1263
1264# Send an email alert if anyone accesses WHM/cPanel via an account listed in
1265# LF_CPANEL_ALERT_USERS. An IP address will be reported again 1 hour after the
1266# last tracked access (or if lfd is restarted)
1267LF_CPANEL_ALERT = "1"
1268
1269# If a LF_CPANEL_ALERT event is triggered, then if the following contains the
1270# path to a script, it will run the script and pass the IP, username and
1271# the DNS IP lookup result as 3 arguments
1272#
1273# The action script must have the execute bit and interpreter (shebang) set
1274LF_CPANEL_ALERT_ACTION = ""
1275
1276# This is a comma separated list of accounts to send alerts for. To send an
1277# alert for all accounts set this to "all"
1278LF_CPANEL_ALERT_USERS = "root"
1279
1280# This setting re-enables the cPanel Bandwidth chains after iptables is
1281# configured. If bandmin is not functioning, or you don't use the bandmin stats
1282# you can disable this option
1283LF_CPANEL_BANDMIN = "1"
1284
1285# Enable scanning of the exim mainlog for repeated emails sent from scripts.
1286# To use this feature the exim log_selector option must at least be set to:
1287#
1288# log_selector = +arguments +subject +received_recipients
1289#
1290# If you already use extended exim logging, then you need to either include
1291# +arguments +received_recipients or use +all
1292#
1293# This setting will then send an alert email if more than LF_SCRIPT_LIMIT lines
1294# appear with the same cwd= path in them within an hour. This can be useful in
1295# identifying spamming scripts on a server, especially PHP scripts running
1296# under the nobody account. The email that is sent includes the exim log lines
1297# and also attempts to find scripts that send email in the path that may be the
1298# culprit
1299LF_SCRIPT_ALERT = "0"
1300
1301# The limit after which the email alert for email scripts is sent. Care should
1302# be taken with this value if you allow clients to use web scripts to maintain
1303# pseudo-mailing lists which have large recipient lists
1304LF_SCRIPT_LIMIT = "100"
1305
1306# If an LF_SCRIPT_ALERT event is triggered, then if the following contains
1307# the path to a script, it will be run in a child process and passed the
1308# following information as parameters which also appears in the email alert:
1309# Path to the directory containing the script that is sending the email
1310# Count of emails sent
1311# Sample of the first 10 emails
1312# List of possible email scripts within Path
1313#
1314# The action script must have the execute bit and interpreter (shebang) set
1315LF_SCRIPT_ACTION = ""
1316
1317# If this option is enabled, the directory identified by LF_SCRIPT_ALERT will
1318# be chmod 0 and chattr +i to prevent it being accessed. Set the option to 1
1319# to enable.
1320#
1321# WARNING: This option could cause serious system problems if the identified
1322# directory is within the OS directory hierarchy. For this reason we do not
1323# recommend enabling it unless absolutely necessary.
1324LF_SCRIPT_PERM = "0"
1325
1326# Checks the length of the exim queue and sends an alert email if the value of
1327# settings is exceeded. If the ConfigServer MailScanner configuration is used
1328# then both the pending and delivery queues will be checked.
1329#
1330# Note: If there are problems sending out email, this alert may not be received.
1331# To disable set to "0"
1332LF_QUEUE_ALERT = "2000"
1333
1334# The interval between mail queue checks in seconds. This should not be set too
1335# low on servers that often have long queues as the exim binary can use
1336# significant resources when checking its queue length
1337LF_QUEUE_INTERVAL = "300"
1338
1339# This option will send an alert if the ModSecurity IP persistent storage grows
1340# excessively large: https://goo.gl/rGh5sF
1341#
1342# More information on cPanel servers here: https://goo.gl/vo6xTE
1343#
1344# The check is performed at lfd startup and then once per hour, the template
1345# used is modsecipdbalert.txt
1346#
1347# LF_MODSECIPDB_FILE must be set to the correct location of the database file
1348#
1349# Set to "0" to disable this option, otherwise it is the threshold size of the
1350# file to report in gigabytes, e.g. set to 5 for 5GB
1351LF_MODSECIPDB_ALERT = "5"
1352
1353# This is the location of the persistent IP storage file on the server, e.g.:
1354# /var/run/modsecurity/data/ip.pag
1355# /var/cpanel/secdatadir/ip.pag
1356# /var/cache/modsecurity/ip.pag
1357# /usr/local/apache/conf/modsec/data/msa/ip.pag
1358# /var/tmp/ip.pag
1359# /tmp/ip.pag
1360LF_MODSECIPDB_FILE = "/var/cpanel/secdatadir/ip.pag"
1361
1362# System Exploit Checking. This option is designed to perform a series of tests
1363# to send an alert in case a possible server compromise is detected
1364#
1365# To enable this feature set the following to the checking interval in seconds
1366# (a value of 300 would seem sensible).
1367#
1368# To disable set to "0"
1369LF_EXPLOIT = "300"
1370
1371# This comma separated list allows you to ignore tests LF_EXPLOIT performs
1372#
1373# For the SUPERUSER check, you can list usernames in csf.suignore to have them
1374# ignored for that test
1375#
1376# Valid tests are:
1377# SUPERUSER,SSHDSPAM
1378#
1379# If you want to ignore a test add it to this as a comma separated list, e.g.
1380# "SUPERUSER,SSHDSPAM"
1381LF_EXPLOIT_IGNORE = ""
1382
1383# Set the time interval to track login and other LF_ failures within (seconds),
1384# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
1385LF_INTERVAL = "3600"
1386
1387# This is how long the lfd process sleeps (in seconds) before processing the
1388# log file entries and checking whether other events need to be triggered
1389LF_PARSE = "5"
1390
1391# This is the interval that is used to flush reports of usernames, files and
1392# pids so that persistent problems continue to be reported, in seconds.
1393# A value of 3600 seems sensible
1394LF_FLUSH = "3600"
1395
1396# Under some circumstances iptables can fail to include a rule instruction,
1397# especially if more than one request is made concurrently. In this event, a
1398# permanent block entry may exist in csf.deny, but not in iptables.
1399#
1400# This option instructs csf to deny an already blocked IP address the number
1401# of times set. The downside is that there will be multiple entries for an IP
1402# address in csf.deny and possibly multiple rules for the same IP address in
1403# iptables. This needs to be taken into consideration when unblocking such IP
1404# addresses.
1405#
1406# Set to "0" to disable this feature. Do not set this too high for the reasons
1407# detailed above (e.g. "5" should be more than enough)
1408LF_REPEATBLOCK = "0"
1409
# By default csf will create both inbound and outbound blocks from/to an IP
# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
# effective way to block IP traffic. This option instructs csf to only block
# inbound traffic from those IPs and so reduces the number of iptables rules,
# but at the expense of effectiveness: outbound connections from this server
# to a blocked IP (e.g. a compromised account connecting back to the attacker)
# remain allowed. For this reason we recommend leaving this option disabled
1416#
1417# Set to "0" to disable this feature - the default
1418LF_BLOCKINONLY = "0"
1419
1420###############################################################################
1421# SECTION:CloudFlare
1422###############################################################################
# This feature provides interaction with the CloudFlare Firewall
#
# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as
# iptables is concerned) come from the CloudFlare IPs. To counter this, an
# Apache module (mod_cloudflare) is available that obtains the true attacker's
# IP from a custom HTTP header (similar functionality is available for other
# HTTP daemons)
#
# SECURITY NOTE: that header is client-supplied. Only trust it for requests
# that actually arrive from CloudFlare's published address ranges (and make
# sure the origin cannot be reached directly, bypassing CloudFlare); otherwise
# a client can spoof the header and have arbitrary IP addresses blocked
#
# However, despite now knowing the true attacking IP address, iptables cannot
# be used to block that IP as the traffic is still coming from the CloudFlare
# servers
1434#
1435# CloudFlare have provided a Firewall feature within the user account where
1436# rules can be added to block, challenge or whitelist IP addresses
1437#
1438# Using the CloudFlare API, this feature adds and removes attacking IPs from
1439# that firewall and provides CLI (and via the UI) additional commands
1440#
1441# See /etc/csf/readme.txt for more information about this feature and the
1442# restrictions for its use BEFORE enabling this feature
1443CF_ENABLE = "0"
1444
1445# If the CloudFlare user plugin has been installed, enable this setting to use
1446# per cPanel account settings rather than listing each account in
1447# /etc/csf/csf.cloudflare
1448CF_CPANEL = ""
1449
1450# This can be set to either "block" or "challenge" (see CloudFlare docs)
1451CF_BLOCK = "block"
1452
1453# This setting determines how long the temporary block will apply within csf
1454# and CloudFlare, keeping them in sync
1455#
1456# Block duration in seconds - overrides perm block or time of individual blocks
1457# in lfd for block triggers
1458CF_TEMP = "3600"
1459
1460###############################################################################
1461# SECTION:Directory Watching & Integrity
1462###############################################################################
1463# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
1464# directories for suspicious files, i.e. script exploits. If a suspicious
1465# file is found an email alert is sent. One alert per file per LF_FLUSH
1466# interval is sent
1467#
1468# To enable this feature set the following to the checking interval in seconds.
1469# To disable set to "0"
1470LF_DIRWATCH = "300"
1471
1472# To remove any suspicious files found during directory watching, enable the
1473# following. These files will be appended to a tarball in
1474# /var/lib/suspicious.tar
1475LF_DIRWATCH_DISABLE = "0"
1476
# This option allows you to have lfd watch a particular file or directory for
# changes and, should they change, an email alert using watchalert.txt is sent
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
#
# To disable set to "0"
1484LF_DIRWATCH_FILE = "0"
1485
# System Integrity Checking. This enables lfd to compare md5sums of the
# server's OS binary application files from the time when lfd starts. If the
# md5sum of a monitored file changes an alert is sent. This option is intended
# as an IDS (Intrusion Detection System) and is the last line of detection for
# a possible root compromise.
#
# SECURITY NOTE: the baseline is taken when lfd starts, so any file modified
# before that point (or by an attacker who already has root and restarts or
# stops lfd) will not be reported. Treat this as an early-warning aid, not a
# guarantee, and keep an independent baseline (e.g. your package manager's
# verification tool, or checksums stored off the server) for investigations.
#
# There will be constant false-positives as the server's OS is updated or
# monitored application binaries are updated. However, unexpected changes
# should be carefully inspected.
#
# Modified files will only be reported via email once.
#
# To enable this feature set the following to the checking interval in seconds
# (a value of 3600 would seem sensible). This option may increase the I/O
# load on the server as it checks system binaries.
#
# To disable set to "0"
1503LF_INTEGRITY = "3600"
1504
1505###############################################################################
1506# SECTION:Distributed Attacks
1507###############################################################################
1508# Distributed Account Attack. This option will keep track of login failures
1509# from distributed IP addresses to a specific application account. If the
1510# number of failures matches the trigger value above, ALL of the IP addresses
1511# involved in the attack will be blocked according to the temp/perm rules above
1512#
1513# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD,
1514# LF_HTACCESS
1515#
1516# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1517# this file about RESTRICT_SYSLOG before enabling this option:
1518LF_DISTATTACK = "0"
1519
1520# Set the following to the minimum number of unique IP addresses that trigger
1521# LF_DISTATTACK
1522LF_DISTATTACK_UNIQ = "2"
1523
1524# Distributed FTP Logins. This option will keep track of successful FTP logins.
1525# If the number of successful logins to an individual account is at least
1526# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
1527# then all of the IP addresses will be blocked
1528#
1529# This option can help mitigate the common FTP account compromise attacks that
1530# use a distributed network of zombies to deface websites
1531#
1532# A sensible setting for this might be 5, depending on how many different
1533# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
1534#
1535# To disable set to "0"
1536#
1537# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1538# this file about RESTRICT_SYSLOG before enabling this option:
1539LF_DISTFTP = "0"
1540
1541# Set the following to the minimum number of unique IP addresses that trigger
1542# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
1543LF_DISTFTP_UNIQ = "3"
1544
1545# If this option is set to 1 the blocks will be permanent
1546# If this option is > 1, the blocks will be temporary for the specified number
1547# of seconds
1548LF_DISTFTP_PERM = "1"
1549
1550# Send an email alert if LF_DISTFTP is triggered
1551LF_DISTFTP_ALERT = "1"
1552
1553# Distributed SMTP Logins. This option will keep track of successful SMTP
1554# logins. If the number of successful logins to an individual account is at
1555# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
1556# addresses, then all of the IP addresses will be blocked. These options only
1557# apply to the exim MTA
1558#
1559# This option can help mitigate the common SMTP account compromise attacks that
1560# use a distributed network of zombies to send spam
1561#
1562# A sensible setting for this might be 5, depending on how many different
1563# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
1564#
1565# To disable set to "0"
1566LF_DISTSMTP = "0"
1567
1568# Set the following to the minimum number of unique IP addresses that trigger
1569# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
1570LF_DISTSMTP_UNIQ = "3"
1571
1572# If this option is set to 1 the blocks will be permanent
1573# If this option is > 1, the blocks will be temporary for the specified number
1574# of seconds
1575LF_DISTSMTP_PERM = "1"
1576
1577# Send an email alert if LF_DISTSMTP is triggered
1578LF_DISTSMTP_ALERT = "1"
1579
1580# This is the interval during which a distributed FTP or SMTP attack is
1581# measured
1582LF_DIST_INTERVAL = "300"
1583
# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
# path to a script, it will run the script and pass the following as arguments:
#
# LF_DISTFTP/LF_DISTSMTP
# account name
# log file text
#
# The action script must have the execute bit and interpreter (shebang) set
#
# SECURITY NOTE: the account name and log text come from log entries and are
# therefore attacker-influenced (see the syslog warning at the top of this
# file). The script runs with lfd's privileges, so never pass these arguments
# to a shell unquoted or eval them, and keep the script root-owned and not
# writable by other users
1592LF_DIST_ACTION = ""
1593
1594###############################################################################
1595# SECTION:Login Tracking
1596###############################################################################
1597# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
1598# address (0=disabled)
1599#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
1602#
1603# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1604# this file about RESTRICT_SYSLOG before enabling this option:
1605LT_POP3D = "0"
1606
1607# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
1608# address (0=disabled) - not recommended for IMAP logins due to the ethos
1609# within which IMAP works. If you want to use this, setting it quite high is
1610# probably a good idea
1611#
# This is a temporary block for the rest of the hour, after which the IP is
# unblocked
1614#
1615# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1616# this file about RESTRICT_SYSLOG before enabling this option:
1617LT_IMAPD = "0"
1618
1619# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
1620# per IP
1621LT_EMAIL_ALERT = "1"
1622
1623# If LF_PERMBLOCK is enabled but you do not want this to apply to
1624# LT_POP3D/LT_IMAPD, then enable this option
1625LT_SKIPPERMBLOCK = "0"
1626
1627###############################################################################
1628# SECTION:Relay Tracking
1629###############################################################################
1630# Relay Tracking. This allows you to track email that is relayed through the
1631# server. There are also options to send alerts and block external IP addresses
1632# if the number of emails relayed per hour exceeds configured limits. The
1633# blocks can be either permanent or temporary.
1634#
1635# The following information applies to each of the following types of relay
1636# check:
1637# RT_[relay type]_ALERT: 0 = disable, 1 = enable
# RT_[relay type]_LIMIT: the limit/hour after which an email alert will be sent
1639# RT_[relay type]_BLOCK: 0 = no block;1 = perm block;nn=temp block for nn secs
1640
1641# This option triggers for external email
1642RT_RELAY_ALERT = "1"
1643RT_RELAY_LIMIT = "100"
1644RT_RELAY_BLOCK = "0"
1645
1646# This option triggers for email authenticated by SMTP AUTH
1647RT_AUTHRELAY_ALERT = "1"
1648RT_AUTHRELAY_LIMIT = "100"
1649RT_AUTHRELAY_BLOCK = "0"
1650
1651# This option triggers for email authenticated by POP before SMTP
1652RT_POPRELAY_ALERT = "1"
1653RT_POPRELAY_LIMIT = "100"
1654RT_POPRELAY_BLOCK = "0"
1655
1656# This option triggers for email sent via /usr/sbin/sendmail or /usr/sbin/exim
1657RT_LOCALRELAY_ALERT = "1"
1658RT_LOCALRELAY_LIMIT = "100"
1659
# This option triggers for email sent via a local IP address
1661RT_LOCALHOSTRELAY_ALERT = "1"
1662RT_LOCALHOSTRELAY_LIMIT = "100"
1663
# If an RT_* event is triggered, then if the following contains the path to
# a script, it will be run in a child process and passed the following
# information as parameters (the same information appears in the email alert):
# IP Address
# Relay Type (RELAY/AUTHRELAY/POPRELAY/LOCALRELAY/LOCALHOSTRELAY)
# Block Message (Temporary/Permanent Block)
# Count of emails relayed
# Sample of the first 10 emails
#
# The action script must have the execute bit and interpreter (shebang) set.
# The email sample is taken from mail log entries and is attacker-influenced,
# so the script must not pass it to a shell unquoted or eval it
1674RT_ACTION = ""
1675
1676###############################################################################
1677# SECTION:Connection Tracking
1678###############################################################################
1679# Connection Tracking. This option enables tracking of all connections from IP
1680# addresses to the server. If the total number of connections is greater than
1681# this value then the offending IP address is blocked. This can be used to help
1682# prevent some types of DOS attack.
1683#
1684# Care should be taken with this option. It's entirely possible that you will
1685# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
1686# and HTTP so it could be quite easy to trigger, especially with a lot of
1687# closed connections in TIME_WAIT. However, for a server that is prone to DOS
1688# attacks this may be very useful. A reasonable setting for this option might
1689# be around 300.
1690#
1691# To disable this feature, set this to 0
1692CT_LIMIT = "0"
1693
# Connection Tracking interval. Set this to the number of seconds between
# connection tracking scans
1696CT_INTERVAL = "30"
1697
1698# Send an email alert if an IP address is blocked due to connection tracking
1699CT_EMAIL_ALERT = "1"
1700
1701# If you want to make IP blocks permanent then set this to 1, otherwise blocks
1702# will be temporary and will be cleared after CT_BLOCK_TIME seconds
1703CT_PERMANENT = "0"
1704
1705# If you opt for temporary IP blocks for CT, then the following is the interval
1706# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
1707CT_BLOCK_TIME = "1800"
1708
1709# If you don't want to count the TIME_WAIT state against the connection count
1710# then set the following to "1"
1711CT_SKIP_TIME_WAIT = "0"
1712
1713# If you only want to count specific states (e.g. SYN_RECV) then add the states
1714# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
1715#
1716# Leave this option empty to count all states against CT_LIMIT
1717CT_STATES = ""
1718
1719# If you only want to count specific ports (e.g. 80,443) then add the ports
1720# to the following as a comma separated list. E.g. "80,443"
1721#
1722# Leave this option empty to count all ports against CT_LIMIT
1723CT_PORTS = ""
1724
1725###############################################################################
1726# SECTION:Process Tracking
1727###############################################################################
1728# Process Tracking. This option enables tracking of user and nobody processes
1729# and examines them for suspicious executables or open network ports. Its
1730# purpose is to identify potential exploit processes that are running on the
1731# server, even if they are obfuscated to appear as system services. If a
1732# suspicious process is found an alert email is sent with relevant information.
1733# It is then the responsibility of the recipient to investigate the process
1734# further as the script takes no further action
1735#
1736# The following is the number of seconds a process has to be active before it
1737# is inspected. If you set this time too low, then you will likely trigger
1738# false-positives with CGI or PHP scripts.
1739# Set the value to 0 to disable this feature
1740PT_LIMIT = "60"
1741
1742# How frequently processes are checked in seconds
1743PT_INTERVAL = "60"
1744
1745# If you want process tracking to highlight php or perl scripts that are run
1746# through apache then disable the following,
1747# i.e. set it to 0
1748#
1749# While enabling this setting will reduce false-positives, having it set to 0
1750# does provide better checking for exploits running on the server
1751PT_SKIP_HTTP = "0"
1752
1753# If you want to track all linux accounts on a cPanel server, not just users
1754# that are part of cPanel, then enable this option. This is recommended to
1755# improve security from compromised accounts
1756#
1757# Set to 0 to disable the feature, 1 to enable it
1758PT_ALL_USERS = "0"
1759
1760# lfd will report processes, even if they're listed in csf.pignore, if they're
1761# tagged as (deleted) by Linux. This information is provided in Linux under
1762# /proc/PID/exe. A (deleted) process is one that is running a binary that has
1763# the inode for the file removed from the file system directory. This usually
1764# happens when the binary has been replaced due to an upgrade for it by the OS
1765# vendor or another third party (e.g. cPanel). You need to investigate whether
1766# this is indeed the case to be sure that the original binary has not been
1767# replaced by a rootkit or is running an exploit.
1768#
1769# Note: If a deleted executable process is detected and reported then lfd will
1770# not report children of the parent (or the parent itself if a child triggered
1771# the report) if the parent is also a deleted executable process
1772#
1773# To stop lfd reporting such process you need to restart the daemon to which it
1774# belongs and therefore run the process using the replacement binary (presuming
1775# one exists). This will normally mean running the associated startup script in
1776# /etc/init.d/
1777#
1778# If you do want lfd to report deleted binary processes, set to 1
1779PT_DELETED = "0"
1780
1781# If a PT_DELETED event is triggered, then if the following contains the path to
1782# a script, it will be run in a child process and passed the executable, pid,
1783# account for the process, and parent pid
1784#
# The action script must have the execute bit and interpreter (shebang) set. An
# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
#
# The executable path and account name passed to the script come from the
# process itself and may contain characters chosen by the process owner, so
# quote them carefully and never eval them in the script
1787#
1788# WARNING: Make sure you read and understand the potential security
1789# implications of such processes in PT_DELETED above before simply restarting
1790# such processes with a script
1791PT_DELETED_ACTION = ""
1792
1793# User Process Tracking. This option enables the tracking of the number of
1794# process any given account is running at one time. If the number of processes
1795# exceeds the value of the following setting an email alert is sent with
1796# details of those processes. If you specify a user in csf.pignore it will be
1797# ignored
1798#
1799# Set to 0 to disable this feature
1800PT_USERPROC = "10"
1801
1802# This User Process Tracking option sends an alert if any user process exceeds
1803# the virtual memory usage set (MB). To ignore specific processes or users use
1804# csf.pignore
1805#
1806# Set to 0 to disable this feature
1807PT_USERMEM = "512"
1808
1809# This User Process Tracking option sends an alert if any user process exceeds
1810# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
1811# processes or users use csf.pignore
1812#
1813# Set to 0 to disable this feature
1814PT_USERRSS = "256"
1815
1816# This User Process Tracking option sends an alert if any cPanel user process
1817# exceeds the time usage set (seconds). To ignore specific processes or users
1818# use csf.pignore
1819#
1820# Set to 0 to disable this feature
1821PT_USERTIME = "1800"
1822
1823# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
1824# PT_USERPROC are killed
1825#
1826# Warning: We don't recommend enabling this option unless absolutely necessary
1827# as it can cause unexpected problems when processes are suddenly terminated.
1828# It can also lead to system processes being terminated which could cause
1829# stability issues. It is much better to leave this option disabled and to
1830# investigate each case as it is reported when the triggers above are breached
1831#
# Note: Processes that are running deleted executables (see PT_DELETED) will
# not be killed by lfd
1834PT_USERKILL = "0"
1835
1836# If you want to disable email alerts if PT_USERKILL is triggered, then set
1837# this option to 0
1838PT_USERKILL_ALERT = "1"
1839
1840# If a PT_* event is triggered, then if the following contains the path to
1841# a script, it will be run in a child process and passed the PID(s) of the
1842# process(es) in a comma separated list.
1843#
1844# The action script must have the execute bit and interpreter (shebang) set
1845PT_USER_ACTION = ""
1846
1847# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
1848# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
1849# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
1850# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
1851# seconds has passed to prevent email floods.
1852#
1853# Set PT_LOAD to "0" to disable this feature
1854PT_LOAD = "30"
1855PT_LOAD_AVG = "5"
1856PT_LOAD_LEVEL = "6"
1857PT_LOAD_SKIP = "3600"
1858
1859# This is the Apache Server Status URL used in the email alert. Requires the
1860# Apache mod_status module to be installed and configured correctly
1861PT_APACHESTATUS = "http://127.0.0.1/whm-server-status"
1862
# If a PT_LOAD event is triggered, then if the following contains the path to
# a script, it will be run in a child process. For example, the script could
# contain commands to terminate and restart httpd, php, exim, etc in case of
# looping processes. The action script must have the execute bit and
# interpreter (shebang) set
1868PT_LOAD_ACTION = ""
1869
1870# Fork Bomb Protection. This option checks the number of processes with the
1871# same session id and if greater than the value set, the whole session tree is
1872# terminated and an alert sent
1873#
1874# You can see an example of common session id processes on most Linux systems
1875# using: "ps axf -O sid"
1876#
1877# On cPanel servers, PT_ALL_USERS should be enabled to use this option
1878# effectively
1879#
1880# This option will check root owned processes. Session id 0 and 1 will always
1881# be ignored as they represent kernel and init processes. csf.pignore will be
1882# honoured, but bear in mind that a session tree can contain a variety of users
1883# and executables
1884#
1885# Care needs to be taken to ensure that this option only detects runaway fork
1886# bombs, so should be set higher than any session tree is likely to get (e.g.
1887# httpd could have 100s of legitimate children on very busy systems). A
1888# sensible starting point on most servers might be 250
1889PT_FORKBOMB = "0"
1890
1891# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
1892# are often left hanging after their connecting IP addresses have been blocked
1893#
1894# This option will terminate the SSH processes created by the blocked IP. This
1895# option is preferred over PT_SSHDHUNG
1896PT_SSHDKILL = "0"
1897
1898# This option will terminate all processes with the cmdline of "sshd: unknown
1899# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
1900# seconds
1901#
1902# This option is now deprecated and will be removed in the future. PT_SSHDKILL
1903# should be used instead
1904PT_SSHDHUNG = "0"
1905
1906###############################################################################
1907# SECTION:Port Scan Tracking
1908###############################################################################
# Port Scan Tracking. This feature tracks port blocks logged by iptables to
# syslog. If an IP address generates port blocks that are logged more than
# PS_LIMIT times within PS_INTERVAL seconds, the IP address will be blocked.
1912#
1913# This feature could, for example, be useful for blocking hackers attempting
1914# to access the standard SSH port if you have moved it to a port other than 22
1915# and have removed 22 from the TCP_IN list so that connection attempts to the
1916# old port are being logged
1917#
1918# This feature blocks all iptables blocks from the iptables logs, including
1919# repeated attempts to one port or SYN flood blocks, etc
1920#
1921# Note: This feature will only track iptables blocks from the log file set in
1922# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
1923# cause redundant blocking with DROP_IP_LOGGING enabled
1924#
1925# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
1926# could very quickly fill the iptables rule chains and cause a DOS in itself.
1927# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
1928# and the DENY_TEMP_IP_LIMIT with temporary blocks
1929#
1930# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1931# would be sensible to enable this feature
1932#
1933# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1934# this file about RESTRICT_SYSLOG before enabling this option:
1935PS_INTERVAL = "0"
1936PS_LIMIT = "10"
1937
1938# You can specify the ports and/or port ranges that should be tracked by the
1939# Port Scan Tracking feature. The following setting is a comma separated list
1940# of those ports and uses the same format as TCP_IN. The setting of
1941# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
1942#
1943# Special values are:
1944# ICMP - include ICMP blocks (see ICMP_*)
1945# INVALID - include INVALID blocks (see PACKET_FILTER)
1946# OPEN - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
1947# BRD - include UDP Broadcast IPs, otherwise they are ignored
1948PS_PORTS = "0:65535,ICMP"
1949
1950# To specify how many different ports qualifies as a Port Scan you can increase
1951# the following from the default value of 1. The risk in doing so will mean
1952# that persistent attempts to attack a specific closed port will not be
1953# detected and blocked
1954PS_DIVERSITY = "1"
1955
1956# You can select whether IP blocks for Port Scan Tracking should be temporary
1957# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
1958# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
1959# temporarily block the IP address for
1960PS_PERMANENT = "0"
1961PS_BLOCK_TIME = "3600"
1962
1963# Set the following to "1" to enable Port Scan Tracking email alerts, set to
1964# "0" to disable them
1965PS_EMAIL_ALERT = "1"
1966
1967###############################################################################
1968# SECTION:User ID Tracking
1969###############################################################################
1970# User ID Tracking. This feature tracks UID blocks logged by iptables to
1971# syslog. If a UID generates a port block that is logged more than UID_LIMIT
1972# times within UID_INTERVAL seconds, an alert will be sent
1973#
1974# Note: This feature will only track iptables blocks from the log file set in
1975# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
1976#
1977# To ignore specific UIDs list them in csf.uidignore and then restart lfd
1978#
1979# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1980# would be sensible to enable this feature
1981#
1982# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1983# this file about RESTRICT_SYSLOG before enabling this option:
1984UID_INTERVAL = "0"
1985UID_LIMIT = "10"
1986
1987# You can specify the ports and/or port ranges that should be tracked by the
1988# User ID Tracking feature. The following setting is a comma separated list
1989# of those ports and uses the same format as TCP_OUT. The default setting of
1990# 0:65535,ICMP covers all ports
1991UID_PORTS = "0:65535,ICMP"
1992
1993###############################################################################
1994# SECTION:Account Tracking
1995###############################################################################
# Account Tracking. The following options enable the tracking of modifications
# to the accounts on a server. If any of the enabled options are triggered by
# a modification to an account, an alert email is sent. Only the modification
# is reported. The cause of the modification will have to be investigated
# manually
2001#
2002# You can set AT_ALERT to the following:
2003# 0 = disable this feature
2004# 1 = enable this feature for all accounts
2005# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
2006# 3 = enable this feature only for the root account
2007AT_ALERT = "2"
2008
# This option is the interval between checks in seconds
2010AT_INTERVAL = "60"
2011
2012# Send alert if a new account is created
2013AT_NEW = "1"
2014
2015# Send alert if an existing account is deleted
2016AT_OLD = "1"
2017
2018# Send alert if an account password has changed
2019AT_PASSWD = "1"
2020
2021# Send alert if an account uid has changed
2022AT_UID = "1"
2023
2024# Send alert if an account gid has changed
2025AT_GID = "1"
2026
2027# Send alert if an account login directory has changed
2028AT_DIR = "1"
2029
2030# Send alert if an account login shell has changed
2031AT_SHELL = "1"
2032
2033###############################################################################
2034# SECTION:Integrated User Interface
2035###############################################################################
2036# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
2037# without requiring a control panel or web server. The UI runs as a sub process
2038# to the lfd daemon
2039#
# As it runs under the root account and successful login provides root access
# to the server, great care should be taken when configuring and using this
# feature: do not expose it to the Internet at large; restrict it to trusted
# source IPs (see UI_ALLOW and the TCP_IN note under UI_PORT) and preferably
# reach it only over a VPN or SSH tunnel. There are additional restrictions
# below to enhance secure access to the UI
2043#
2044# See readme.txt for more information about using this feature BEFORE enabling
2045# it for security and access reasons
2046#
2047# 1 to enable, 0 to disable
2048UI = "0"
2049
# Set this to the port that you want to bind this service to. You should
# configure this port to be >1023 and different from any other port already
# being used (changing it from the default also avoids trivial discovery)
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IPs
# to the port using Advanced Allow Filters (see readme.txt)
2055UI_PORT = "6666"
2056
# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server. If the server has a dedicated
# management or private address, binding to that address alone reduces the
# exposed surface; UI_ALLOW and the firewall rules still gate access either way
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
2065UI_IP = ""
2066
2067# This should be a secure, hard to guess username
2068#
2069# This must be changed from the default
2070UI_USER = "username"
2071
# This should be a secure, hard to guess password: a long (preferably 16+
# characters), randomly generated value with a mixture of upper and lowercase
# characters plus numbers and non-alphanumeric characters. Treat 8 characters
# as an absolute minimum, not a target
#
# Note that the password is stored in cleartext in this file, so keep this
# file readable by root only and do not reuse the password elsewhere
#
# This must be changed from the default
2077UI_PASS = "password"
2078
2079# This is the login session timeout. If there is no activity for a logged in
2080# session within this number of seconds, the session will timeout and a new
2081# login will be required
2082#
# For security reasons, you should always keep this option low (i.e. 60-300)
2084UI_TIMEOUT = "300"
2085
2086# This is the maximum concurrent connections allowed to the server. The default
2087# value should be sufficient
2088UI_CHILDREN = "5"
2089
2090# The number of login retries allowed within a 24 hour period. A successful
2091# login from the IP address will clear the failures
2092#
# For security reasons, you should always keep this option low (i.e. 0-10)
2094UI_RETRY = "5"
2095
2096# If enabled, this option will add the connecting IP address to the file
2097# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
2098# able to login to the UI while it is listed in this file. The UI_BAN setting
2099# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
2100# csf.ignore, etc.
2101#
2102# For security reasons, you should always enable this option
2103UI_BAN = "1"
2104
2105# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
2106# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
2107# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
2108#
2109# For security reasons, you should always enable this option and use ui.allow
2110UI_ALLOW = "1"
2111
# If enabled, this option will trigger an iptables block through csf after
# UI_RETRY login failures
#
# 0 = no block; 1 = permanent block; nn = temporary block for nn seconds
2116UI_BLOCK = "1"
2117
2118# This controls what email alerts are sent with regards to logins to the UI. It
2119# uses the uialert.txt template
2120#
2121# 4 = login success + login failure/ban/block + login attempts
2122# 3 = login success + login failure/ban/block
2123# 2 = login failure/ban/block
2124# 1 = login ban/block
2125# 0 = disabled
2126UI_ALERT = "4"
2127
# This is the SSL cipher list that the Integrated UI will negotiate from.
#
# Security note: the default list below still permits RC4 and MEDIUM-strength
# ciphers and disables DHE key exchange (!kEDH). On a server with a current
# openssl, prefer a list restricted to HIGH strength ECDHE/AEAD suites with
# RC4, MEDIUM and LOW excluded, and re-test the UI login afterwards
2129UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
2130
# This is the SSL protocol version used. See IO::Socket::SSL if you wish to
# change this and to understand the implications of changing it
#
# Security note: the default below only excludes SSLv2 and SSLv3, so TLS 1.0
# and 1.1 remain negotiable. If the IO::Socket::SSL version on the server
# supports it, consider also excluding those (see its SSL_version
# documentation for the exact names) so that only TLS 1.2 or later is accepted
2133UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"
2134
2135# If cxs is installed then enabling this option will provide a dropdown box to
2136# switch between applications
2137UI_CXS = "0"
2138
2139# There is a modified installation of ConfigServer Explorer (cse) provided with
2140# the csf distribution. If this option is enabled it will provide a dropdown
2141# box to switch between applications
2142UI_CSE = "0"
2143
2144###############################################################################
2145# SECTION:Messenger service
2146###############################################################################
2147# Messenger service. This feature allows the display of a message to a blocked
2148# connecting IP address to inform the user that they are blocked in the
2149# firewall. This can help when users get themselves blocked, e.g. due to
2150# multiple login failures. The service is provided by two daemons running on
2151# ports providing either an HTML or TEXT message
2152#
2153# This feature does not work on servers that do not have the iptables module
2154# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
2155# server admins should check with their VPS host provider that the iptables
2156# module is included
2157#
2158# For further information on features and limitations refer to the csf
2159# readme.txt
2160#
2161# Note: Run /etc/csf/csftest.pl to check whether this option will function on
2162# this server
2163#
2164# 1 to enable, 0 to disable
2165MESSENGER = "0"
2166
2167# Provide this service to temporary IP address blocks
2168MESSENGER_TEMP = "1"
2169
2170# Provide this service to permanent IP address blocks
2171MESSENGER_PERM = "1"
2172
2173# User account to run the service servers under. We recommend creating a
2174# specific non-priv, non-shell account for this purpose
2175#
2176# Note: When using MESSENGERV2, this account must NOT be a valid cPanel account
2177# it must be created manually as explained in the csf readme.txt
2178MESSENGER_USER = "csf"
2179
2180# This is the maximum concurrent connections allowed to each service server
2181MESSENGER_CHILDREN = "10"
2182
2183# MESSENGERV2. This option is available on cPanel servers running Apache v2.4+
2184# under EA4.
2185#
2186# This uses the Apache http daemon to provide the web server functionality for
2187# the MESSENGER HTML and HTTPS services. It uses a fraction of the resources
2188# that the lfd inbuilt service uses and overcomes the memory overhead of using
2189# the MESSENGER HTTPS service
2190#
2191# MESSENGER_CHILDREN does not apply to MESSENGER HTML and HTTPS when
2192# MESSENGERV2 is enabled
2193#
2194# For more information consult readme.txt before enabling this option
2195MESSENGERV2 = "0"
2196
2197# Set this to the port that will receive the HTTPS HTML message. You should
2198# configure this port to be >1023 and different from the TEXT and HTML port. Do
2199# NOT enable access to this port in TCP_IN. This option requires the perl
2200# module IO::Socket::SSL at a version level that supports SNI (1.83+).
2201# Additionally the version of openssl on the server must also support SNI
2202#
2203# The option uses existing SSL certificates on the server for each domain to
2204# maintain a secure connection without browser warnings. It uses SNI to choose
2205# the correct certificate to use for each client connection
2206#
2207# Warning: On some servers the amount of memory used by the HTTPS MESSENGER
2208# service can become significant depending on various factors associated with
2209# the use of IO::Socket::SSL including the number of domains and certificates
2210# served
2211MESSENGER_HTTPS = "8887"
2212
2213# This comma separated list are the HTTPS HTML ports that will be redirected
2214# for the blocked IP address. If you are using per application blocking
2215# (LF_TRIGGER) then only the relevant block port will be redirected to the
2216# messenger port
2217#
2218# Recommended setting "443" plus any end-user control panel SSL ports. So, for
2219# cPanel: "443,2083,2096"
2220MESSENGER_HTTPS_IN = ""
2221
2222# This option points to the file(s) containing the Apache VirtualHost SSL
2223# definitions. This can be a file glob if there are multiple files to search.
2224# Only Apache v2 SSL VirtualHost definitions are supported
2225MESSENGER_HTTPS_CONF = "/usr/local/apache/conf/httpd.conf"
2226
2227# This options ignores ServerAlias definitions that begin with "mail.". This
2228# can help reduce memory usage on systems that do not require the use of
2229# MESSENGER_HTTPS on those subdomains
2230#
2231# Set to 0 to include these ServerAlias definitions
2232MESSENGER_HTTPS_SKIPMAIL = "1"
2233
2234# The following options can be specified to provide a default fallback
2235# certificate to be used if either SNI is not supported or a hosted domain does
2236# not have an SSL certificate. If a fallback is not provided, one of the certs
2237# obtained from MESSENGER_HTTPS_CONF will be used
2238MESSENGER_HTTPS_KEY = "/var/cpanel/ssl/cpanel/mycpanel.pem"
2239MESSENGER_HTTPS_CRT = "/var/cpanel/ssl/cpanel/mycpanel.pem"
2240
2241# Set this to the port that will receive the HTML message. You should configure
2242# this port to be >1023 and different from the TEXT port. Do NOT enable access
2243# to this port in TCP_IN
2244MESSENGER_HTML = "8888"
2245
2246# This comma separated list are the HTML ports that will be redirected for the
2247# blocked IP address. If you are using per application blocking (LF_TRIGGER)
2248# then only the relevant block port will be redirected to the messenger port
2249MESSENGER_HTML_IN = "80,2082,2095"
2250
2251# Set this to the port that will receive the TEXT message. You should configure
2252# this port to be >1023 and different from the HTML port. Do NOT enable access
2253# to this port in TCP_IN
2254MESSENGER_TEXT = "8889"
2255
2256# This comma separated list are the TEXT ports that will be redirected for the
2257# blocked IP address. If you are using per application blocking (LF_TRIGGER)
2258# then only the relevant block port will be redirected to the messenger port
2259MESSENGER_TEXT_IN = "21"
2260
2261# These settings limit the rate at which connections can be made to the
2262# messenger service servers. Its intention is to provide protection from
2263# attacks or excessive connections to the servers. If the rate is exceeded then
2264# iptables will revert for the duration to the normal blocking activity
2265#
2266# See the iptables man page for the correct --limit rate syntax
2267MESSENGER_RATE = "100/s"
2268MESSENGER_BURST = "150"
2269
2270# The RECAPTCHA options provide a way for end-users that have blocked
2271# themselves in the firewall to unblock themselves.
2272#
2273# A valid Google ReCAPTCHA (v2) key set is required for this feature from:
2274# https://www.google.com/recaptcha/intro/index.html
2275#
2276# When configuring a new reCAPTCHA API key set you must ensure that the option
2277# for "Domain Name Validation" is unticked so that the same reCAPTCHA can be
2278# used for all domains hosted on the server. lfd then checks that the hostname
2279# of the request resolves to an IP on this server
2280#
2281# This feature requires the installation of the LWP::UserAgent perl module (see
2282# option URLGET for more details)
2283#
2284# The template used for this feature is /etc/csf/messenger/index.recaptcha.html
2285#
# Note: An unblock will fail if the end-users IP is located in a netblock,
# blocklist or CC_* deny entry
#
# The reCAPTCHA site key is published to clients by design, but
# RECAPTCHA_SECRET must be kept confidential
2288RECAPTCHA_SITEKEY = ""
2289RECAPTCHA_SECRET = ""
2290
# Send an email when an IP address submits a successful reCAPTCHA response in
# an attempt to unblock itself. This does not necessarily mean the IP was
# unblocked, only that the post-recaptcha unblock request was attempted
2294#
2295# Set to "0" to disable
2296RECAPTCHA_ALERT = "1"
2297
# If the server uses NAT then resolving the hostname to hosted IPs will likely
# not succeed. In that case, the external IP addresses must be listed here as
# a comma separated list
2301RECAPTCHA_NAT = ""
2302
2303###############################################################################
2304# SECTION:lfd Clustering
2305###############################################################################
2306# lfd Clustering. This allows the configuration of an lfd cluster environment
2307# where a group of servers can share blocks and configuration option changes.
2308# Included are CLI and UI options to send requests to the cluster.
2309#
2310# See the readme.txt file for more information and details on setup and
2311# security risks.
2312#
2313# Comma separated list of cluster member IP addresses to send requests to
2314CLUSTER_SENDTO = ""
2315
2316# Comma separated list of cluster member IP addresses to receive requests from
2317CLUSTER_RECVFROM = ""
2318
2319# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
2320# changes
2321CLUSTER_MASTER = ""
2322
2323# If this is a NAT server, set this to the public IP address of this server
2324CLUSTER_NAT = ""
2325
2326# If a cluster member should send requests on an IP other than the default IP,
2327# set it here
2328CLUSTER_LOCALADDR = ""
2329
2330# Cluster communication port (must be the same on all member servers). There
2331# is no need to open this port in the firewall as csf will automatically add
2332# in and out bound rules to allow communication between cluster members
2333CLUSTER_PORT = "7777"
2334
# This is a secret key used to encrypt cluster communications using the
# Blowfish algorithm. It should be between 8 and 56 characters long,
# preferably > 20 random characters
# 56 chars: 01234567890123456789012345678901234567890123456789012345
#
# Security note: this is a single symmetric key shared by every cluster member,
# so any member that is compromised can issue cluster requests to all the
# others. Generate it from a cryptographically secure random source rather
# than choosing it by hand, keep CLUSTER_RECVFROM to the minimum set of hosts,
# and rotate the key on all members if any one of them is compromised
2339CLUSTER_KEY = ""
2340
2341# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
2342# servers must have this servers IP address listed in their CLUSTER_RECVFROM
2343#
2344# Set to 0 to disable this feature
2345CLUSTER_BLOCK = "1"
2346
# This option allows the enabling and disabling of the Cluster configuration
# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
# CLUSTER_MASTER server
#
# Security note: enabling this lets CLUSTER_MASTER push configuration and files
# to this server, so a compromise of the master (or of CLUSTER_KEY) extends to
# every member that accepts these requests. Leave it at 0 unless central
# management is required
#
# Set this option to 1 to allow Cluster configurations to be received
2352CLUSTER_CONFIG = "0"
2353
2354# Maximum number of child processes to listen on. High blocking rates or large
2355# clusters may need to increase this
2356CLUSTER_CHILDREN = "10"
2357
2358###############################################################################
2359# SECTION:Port Knocking
2360###############################################################################
2361# Port Knocking. This feature allows port knocking to be enabled on multiple
2362# ports with a variable number of knocked ports and a timeout. There must be a
2363# minimum of 3 ports to knock for an entry to be valid
2364#
2365# See the following for information regarding Port Knocking:
2366# http://www.portknocking.org/
2367#
2368# This feature does not work on servers that do not have the iptables module
2369# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
2370# server admins should check with their VPS host provider that the iptables
2371# module is included
2372#
2373# For further information and syntax refer to the Port Knocking section of the
2374# csf readme.txt
2375#
2376# Note: Run /etc/csf/csftest.pl to check whether this option will function on
2377# this server
2378#
2379# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
2380# e.g.: 22;TCP;20;100;200;300;400
2381PORTKNOCKING = ""
2382
2383# Enable PORTKNOCKING logging by iptables
2384PORTKNOCKING_LOG = "1"
2385
2386# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
2387# also be enabled to use this option
2388#
# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
# the RESTRICT_SYSLOG section of this file before enabling this option
2391PORTKNOCKING_ALERT = "0"
2392
2393###############################################################################
2394# SECTION:Log Scanner
2395###############################################################################
2396# Log Scanner. This feature will send out an email summary of the log lines of
2397# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
2398# they match a regular expression in /etc/csf/csf.logignore
2399#
2400# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
2401# be aware that the more files lfd has to track, the greater the performance
2402# hit. Note: File globs are only evaluated when lfd is started
2403#
2404# Note: lfd builds the report continuously from lines logged after lfd has
2405# started, so any lines logged when lfd is not running will not be reported
2406# (e.g. during reboot). If lfd is restarted, then the report will include any
2407# lines logged during the previous lfd logging period that weren't reported
2408#
2409# 1 to enable, 0 to disable
2410LOGSCANNER = "0"
2411
2412# This is the interval each report will be sent based on the logalert.txt
2413# template
2414#
2415# The interval can be set to:
2416# "hourly" - sent on the hour
2417# "daily" - sent at midnight (00:00)
2418# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
2419# via cron job
2420LOGSCANNER_INTERVAL = "hourly"
2421
2422# Report Style
2423# 1 = Separate chronological log lines per log file
2424# 2 = Simply chronological log of all lines
2425LOGSCANNER_STYLE = "1"
2426
2427# Send the report email even if no log lines reported
2428# 1 to enable, 0 to disable
2429LOGSCANNER_EMPTY = "1"
2430
2431# Maximum number of lines in the report before it is truncated. This is to
2432# prevent log lines flooding resulting in an excessively large report. This
2433# might need to be increased if you choose a daily report
2434LOGSCANNER_LINES = "5000"
2435
2436###############################################################################
2437# SECTION:Statistics Settings
2438###############################################################################
2439# Statistics
2440#
2441# Some of the Statistics output requires the gd graphics library and the
2442# GD::Graph perl module with all dependent modules to be installed for the UI
2443# for them to be displayed
2444#
2445# This option enabled statistical data gathering
2446ST_ENABLE = "1"
2447
2448# This option determines how many iptables log lines to store for reports
2449ST_IPTABLES = "100"
2450
2451# This option indicates whether rDNS and CC lookups are performed at the time
2452# the log line is recorded (this is not performed when viewing the reports)
2453#
2454# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
2455# then enabling this setting could cause serious performance problems
2456ST_LOOKUP = "0"
2457
# This option will gather basic system statistics. Through the UI it displays
2459# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
2460# . Hourly (per minute)
2461# . 24 hours (per minute)
2462# . 7 days (per minute averaged over an hour)
2463# . 30 days (per minute averaged over an hour) - user definable
2464# The data is stored in /var/lib/csf/stats/system and the option requires the
2465# perl GD::Graph module
2466#
2467# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
2468# those systems do not store the required information in /proc/diskstats
2469# On new installations or when enabling this option it will take time for these
2470# graphs to be populated
2471ST_SYSTEM = "1"
2472
2473# Set the maximum days to collect statistics for. The default is 30 days, the
2474# more data that is collected the longer it will take for each of the graphs to
2475# be generated
2476ST_SYSTEM_MAXDAYS = "30"
2477
2478# If ST_SYSTEM is enabled, then these options can collect MySQL statistical
2479# data. To use this option the server must have the perl modules DBI and
2480# DBD::mysql installed.
2481#
2482# Set this option to "0" to disable MySQL data collection
2483ST_MYSQL = "0"
2484
# The following options are for authentication for MySQL data collection. If
# the password is left blank and the user set to "root" then the procedure will
# look for authentication data in /root/.my.cnf. Otherwise, you will need to
# provide a MySQL username and password to collect the data. Any MySQL user
# account can be used; as the password is stored in clear text here, a
# dedicated account with the least privileges needed for statistics collection
# is preferable to root
2490ST_MYSQL_USER = "root"
2491ST_MYSQL_PASS = ""
2492ST_MYSQL_HOST = "localhost"
2493
2494# If ST_SYSTEM is enabled, then this option can collect Apache statistical data
2495# The value for PT_APACHESTATUS must be correctly set
2496ST_APACHE = "0"
2497
# The following options measure disk write performance using dd (location set
# via the DD setting). It creates a 64MB file at the path given by "of=" in
# ST_DISKW_DD (by default /var/lib/csf/dd_test) and the statistics will plot
# the MB/s response time of the disk. As this is an IO intensive operation, it
# may not be prudent to run this test too often, so by default it is only run
# every 5 minutes and the result duplicated for each intervening minute for
# the statistics
2504#
# This is not necessarily a good measure of disk performance, primarily because
2506# the measurements are for relatively small amounts of data over a small amount
2507# of time. To properly test disk performance there are a variety of tools
2508# available that should be run for extended periods of time to obtain an
2509# accurate measurement. This metric is provided to give an idea of how the disk
2510# is performing over time
2511#
2512# Note: There is a 15 second timeout performing the check
2513#
2514# Set to 0 to disable, 1 to enable
2515ST_DISKW = "0"
2516
2517# The number of minutes that elapse between tests. Default is 5, minimum is 1.
2518ST_DISKW_FREQ = "5"
2519
2520# This is the command line passed to dd. If you are familiar with dd, or wish
2521# to move the output file (of) to a different disk, then you can alter this
2522# command. Take great care when making any changes to this command as it is
2523# very easy to overwrite a disk using dd if you make a mistake
2524ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"
2525
2526###############################################################################
2527# SECTION:Docker Settings
2528###############################################################################
2529# NOTE: This feature is currently in BETA testing, so may not work correctly
2530#
2531# This section provides the configuration of iptables rules to allow Docker
2532# containers to communicate through the host. If the generated rules do not
2533# work with your setup you will have to use a /etc/csf/csfpost.sh file and add
2534# your own iptables configuration instead
2535#
2536# 1 to enable, 0 to disable
2537DOCKER = "0"
2538
2539# The network device on the host
2540DOCKER_DEVICE = "docker0"
2541
2542# Docker container IPv4 range
2543DOCKER_NETWORK4 = "172.17.0.0/16"
2544
# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table
# available (see IPv6 section). Leave blank to disable
#
# Note: the default below lies in the 2001:db8::/32 documentation prefix and
# is only a placeholder; replace it with the actual IPv6 range assigned to the
# container network before enabling DOCKER
2547DOCKER_NETWORK6 = "2001:db8:1::/64"
2548
2549###############################################################################
2550# SECTION:OS Specific Settings
2551###############################################################################
2552# Binary locations
2553IPTABLES = "/sbin/iptables"
2554IPTABLES_SAVE = "/sbin/iptables-save"
2555IPTABLES_RESTORE = "/sbin/iptables-restore"
2556IP6TABLES = "/sbin/ip6tables"
2557IP6TABLES_SAVE = "/sbin/ip6tables-save"
2558IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
2559MODPROBE = "/sbin/modprobe"
2560IFCONFIG = "/sbin/ifconfig"
2561SENDMAIL = "/usr/sbin/sendmail"
2562PS = "/bin/ps"
2563VMSTAT = "/usr/bin/vmstat"
2564NETSTAT = "/bin/netstat"
2565LS = "/bin/ls"
2566MD5SUM = "/usr/bin/md5sum"
2567TAR = "/bin/tar"
2568CHATTR = "/usr/bin/chattr"
2569UNZIP = "/usr/bin/unzip"
2570GUNZIP = "/bin/gunzip"
2571DD = "/bin/dd"
2572TAIL = "/usr/bin/tail"
2573GREP = "/bin/grep"
2574ZGREP = "/usr/bin/zgrep"
2575IPSET = "/usr/sbin/ipset"
2576SYSTEMCTL = "/usr/bin/systemctl"
2577HOST = "/usr/bin/host"
2578IP = "/sbin/ip"
2579
# Log file locations
#
# File globbing is allowed for the following logs. However, be aware that the
# more files lfd has to track, the greater the performance hit
#
# Note: File globs are only evaluated when lfd is started
#
# Note: Logs written via syslog/rsyslog (e.g. /var/log/messages and
# /var/log/secure on many systems) are subject to the log line spoofing
# caveat described under RESTRICT_SYSLOG
#
2587HTACCESS_LOG = "/usr/local/apache/logs/error_log"
2588MODSEC_LOG = "/usr/local/apache/logs/error_log"
2589SSHD_LOG = "/var/log/secure"
2590SU_LOG = "/var/log/secure"
2591FTPD_LOG = "/var/log/messages"
2592SMTPAUTH_LOG = "/var/log/exim_mainlog"
2593SMTPRELAY_LOG = "/var/log/exim_mainlog"
2594POP3D_LOG = "/var/log/maillog"
2595IMAPD_LOG = "/var/log/maillog"
2596CPANEL_LOG = "/usr/local/cpanel/logs/login_log"
2597CPANEL_ACCESSLOG = "/usr/local/cpanel/logs/access_log"
2598SCRIPT_LOG = "/var/log/exim_mainlog"
2599IPTABLES_LOG = "/var/log/messages"
2600SUHOSIN_LOG = "/var/log/messages"
2601BIND_LOG = "/var/log/messages"
2602SYSLOG_LOG = "/var/log/messages"
2603WEBMIN_LOG = "/var/log/secure"
2604
2605CUSTOM1_LOG = "/var/log/customlog"
2606CUSTOM2_LOG = "/var/log/customlog"
2607CUSTOM3_LOG = "/var/log/customlog"
2608CUSTOM4_LOG = "/var/log/customlog"
2609CUSTOM5_LOG = "/var/log/customlog"
2610CUSTOM6_LOG = "/var/log/customlog"
2611CUSTOM7_LOG = "/var/log/customlog"
2612CUSTOM8_LOG = "/var/log/customlog"
2613CUSTOM9_LOG = "/var/log/customlog"
2614
2615# The following are comma separated lists used if LF_SELECT is enabled,
2616# otherwise they are not used. They are derived from the application returned
2617# from a regex match in /usr/local/csf/bin/regex.pm
2618#
2619# All ports default to tcp blocks. To specify udp or tcp use the format:
2620# port;protocol,port;protocol,... For example, "53;udp,53;tcp"
2621PORTS_pop3d = "110,995"
2622PORTS_imapd = "143,993"
2623PORTS_htpasswd = "80,443"
2624PORTS_mod_security = "80,443"
2625PORTS_mod_qos = "80,443"
2626PORTS_symlink = "80,443"
2627PORTS_suhosin = "80,443"
2628PORTS_cxs = "80,443"
2629PORTS_bind = "53;udp,53;tcp"
2630PORTS_ftpd = "20,21"
2631PORTS_webmin = "10000"
2632PORTS_cpanel = "2077,2078,2082,2083,2086,2087,2095,2096"
2633# This list is extended, if present, by the ports defined by
2634# /etc/chkservd/exim-*
2635PORTS_smtpauth = "25,465,587"
2636PORTS_eximsyntax = "25,465,587"
2637# This list is replaced, if present, by "Port" definitions in
2638# /etc/ssh/sshd_config
2639PORTS_sshd = "22"
2640
2641# For internal use only. You should not enable this option as it could cause
2642# instability in csf and lfd
2643DEBUG = "0"
2644###############################################################################