sT4qQmLx

1###############################################################################
2# SECTION:Initial Settings
3###############################################################################
4# Testing flag - enables a CRON job that clears iptables incase of
5# configuration problems when you start csf. This should be enabled until you
6# are sure that the firewall works - i.e. incase you get locked out of your
7# server! Then do remember to set it to 0 and restart csf when you're sure
8# everything is OK. Stopping csf will remove the line from /etc/crontab
9#
10# lfd will not start while this is enabled
11TESTING = "0"
12
13# The interval for the crontab in minutes. Since this uses the system clock the
14# CRON job will run at the interval past the hour and not from when you issue
15# the start command. Therefore an interval of 5 minutes means the firewall
16# will be cleared in 0-5 minutes from the firewall start
17TESTING_INTERVAL = "5"
18
19# SECURITY WARNING
20# ================
21#
22# Unfortunately, syslog and rsyslog allow end-users to log messages to some
23# system logs via the same unix socket that other local services use. This 
24# means that any log line shown in these system logs that syslog or rsyslog
25# maintain can be spoofed (they are exactly the same as real log lines).
26#
27# Since some of the features of lfd rely on such log lines, spoofed messages
28# can cause false-positive matches which can lead to confusion at best, or
29# blocking of any innocent IP address or making the server inaccessible at
30# worst.
31#
32# Any option that relies on the log entries in the files listed in
33# /etc/syslog.conf and /etc/rsyslog.conf should therefore be considered
34# vulnerable to exploitation by end-users and scripts run by end-users.
35#
36# NOTE: Not all log files are affected as they may not use syslog/rsyslog
37#
38# The option RESTRICT_SYSLOG disables all these features that rely on affected
39# logs. These options are:
40# LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT
41# LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP
42# LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT
43# PORTKNOCKING_ALERT
44#
45# This list of options use the logs but are not disabled by RESTRICT_SYSLOG:
46# ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
47#
48# The following options are still enabled by default on new installations so
49# that, on balance, csf/lfd still provides expected levels of security:
50# LF_SSHD LF_FTPD LF_POP3D LF_IMAPD LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT
51#
52# If you set RESTRICT_SYSLOG to "0" or "2" and enable any of the options listed
53# above, it should be done with the knowledge that any of the those options
54# that are enabled could be triggered by spoofed log lines and lead to the
55# server being inaccessible in the worst case. If you do not want to take that
56# risk you should set RESTRICT_SYSLOG to "1" and those features will not work
57# but you will not be protected from the exploits that they normally help block
58#
59# The recommended setting for RESTRICT_SYSLOG is "3" to restrict who can access
60# the syslog/rsyslog unix socket.
61#
62# For further advice on how to help mitigate these issues, see
63# /etc/csf/readme.txt
64#
65# 0 = Allow those options listed above to be used and configured
66# 1 = Disable all the options listed above and prevent them from being used
67# 2 = Disable only alerts about this feature and do nothing else
68# 3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
69RESTRICT_SYSLOG = "2"
70
71# The following setting is used if RESTRICT_SYSLOG is set to 3. It restricts
72# write access to the syslog/rsyslog unix socket(s). The group must not already
73# exists in /etc/group before setting RESTRICT_SYSLOG to 3, so set the option
74# to a unique name for the server
75#
76# You can add users to this group by changing /etc/csf/csf.syslogusers and then
77# restarting lfd afterwards. This will create the system group and add the
78# users from csf.syslogusers if they exist to that group and will change the
79# permissions on the syslog/rsyslog unix socket(s). The socket(s) will be
80# monitored and the permissions re-applied should syslog/rsyslog be restarted
81#
82# Using this option will prevent some legitimate logging, e.g. end-user cron
83# job logs
84#
85# If you want to revert RESTRICT_SYSLOG to another option and disable this
86# feature, change the setting of RESTRICT_SYSLOG and then restart lfd and then
87# syslog/rsyslog and the unix sockets will be reset
88RESTRICT_SYSLOG_GROUP = "mysyslog"
89
90# This options restricts the ability to modify settings within this file from
91# the csf UI. Should the parent control panel be compromised, these restricted
92# options could be used to further compromise the server. For this reason we
93# recommend leaving this option set to at least "1" and if any of the
94# restricted items need to be changed, they are done so from the root shell
95#
96# 0 = Unrestricted UI
97# 1 = Restricted UI
98# 2 = Disabled UI
99RESTRICT_UI = "1"
100
101# Enabling auto updates creates a cron job called /etc/cron.d/csf_update which
102# runs once per day to see if there is an update to csf+lfd and upgrades if
103# available and restarts csf and lfd
104#
105# You should check for new version announcements at http://blog.configserver.com
106AUTO_UPDATES = "1"
107
108###############################################################################
109# SECTION:IPv4 Port Settings
110###############################################################################
111# Lists of ports in the following comma separated lists can be added using a
112# colon (e.g. 30000:35000).
113
114# Some kernel/iptables setups do not perform stateful connection tracking
115# correctly (typically some virtual servers or custom compiled kernels), so a
116# SPI firewall will not function correctly. If this happens, LF_SPI can be set
117# to 0 to reconfigure csf as a static firewall.
118#
119# As connection tracking will not be configured, applications that rely on it
120# will not function unless all outgoing ports are opened. Therefore, all
121# outgoing connections will be allowed once all other tests have completed. So
122# TCP_OUT, UDP_OUT and ICMP_OUT will not have any affect.
123#
124# If you allow incoming DNS lookups you may need to use the following
125# directive in the options{} section of your named.conf:
126#
127#        query-source port 53;
128#
129# This will force incoming DNS traffic only through port 53
130#
131# Disabling this option will break firewall functionality that relies on
132# stateful packet inspection (e.g. DNAT, PACKET_FILTER) and makes the firewall
133# less secure
134#
135# This option should be set to "1" in all other circumstances
136LF_SPI = "1"
137
138# Allow incoming TCP ports
139TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2079,2080,2082,2083,2086,2087,2095,2096,2002,2003,2004,2005,8080,14567"
140
141# Allow outgoing TCP ports
142TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,2002,2003,2004,2005,8080"
143
144# Allow incoming UDP ports
145UDP_IN = "20,21,53"
146
147# Allow outgoing UDP ports
148# To allow outgoing traceroute add 33434:33523 to this list 
149UDP_OUT = "20,21,53,113,123,873,6277,24441"
150
151# Allow incoming PING. Disabling PING will likely break external uptime
152# monitoring
153ICMP_IN = "1"
154
155# Set the per IP address incoming ICMP packet rate for PING requests. This
156# ratelimits PING requests which if exceeded results in silently rejected
157# packets. Disable or increase this value if you are seeing PING drops that you
158# do not want
159#
160# To disable rate limiting set to "0", otherwise set according to the iptables
161# documentation for the limit module. For example, "1/s" will limit to one
162# packet per second
163ICMP_IN_RATE = "1/s"
164
165# Allow outgoing PING
166#
167# Unless there is a specific reason, this option should NOT be disabled as it
168# could break OS functionality
169ICMP_OUT = "1"
170
171# Set the per IP address outgoing ICMP packet rate for PING requests. This
172# ratelimits PING requests which if exceeded results in silently rejected
173# packets. Disable or increase this value if you are seeing PING drops that you
174# do not want
175#
176# Unless there is a specific reason, this option should NOT be enabled as it
177# could break OS functionality
178#
179# To disable rate limiting set to "0", otherwise set according to the iptables
180# documentation for the limit module. For example, "1/s" will limit to one
181# packet per second
182ICMP_OUT_RATE = "0"
183
184# For those with PCI Compliance tools that state that ICMP timestamps (type 13)
185# should be dropped, you can enable the following option. Otherwise, there
186# appears to be little evidence that it has anything to do with a security risk
187# and can impact network performance, so should be left disabled by everyone
188# else
189ICMP_TIMESTAMPDROP = "0"
190
191###############################################################################
192# SECTION:IPv6 Port Settings
193###############################################################################
194# IPv6: (Requires ip6tables)
195#
196# Pre v2.6.20 kernels do not perform stateful connection tracking, so a static
197# firewall is configured as a fallback instead if IPV6_SPI is set to 0 below
198#
199# Supported:
200# Temporary ACCEPT/DENY, GLOBAL_DENY, GLOBAL_ALLOW, SMTP_BLOCK, LF_PERMBLOCK,
201# PACKET_FILTER, Advanced Allow/Deny Filters, RELAY_*, CLUSTER_*, CC6_LOOKUPS, 
202# SYNFLOOD, LF_NETBLOCK
203#
204# Supported if CC6_LOOKUPS and CC_LOOKUPS are enabled
205# CC_DENY, CC_ALLOW, CC_ALLOW_FILTER, CC_IGNORE, CC_ALLOW_PORTS, CC_DENY_PORTS,
206# CC_ALLOW_SMTPAUTH
207#
208# Supported if ip6tables >= 1.4.3:
209# PORTFLOOD, CONNLIMIT
210#
211# Supported if ip6tables >= 1.4.17 and perl module IO::Socket::INET6 is
212# installed:
213# MESSENGER DOCKER SMTP_REDIRECT
214#
215# Not supported:
216# ICMP_IN, ICMP_OUT
217#
218IPV6 = "1"
219
220# IPv6 uses icmpv6 packets very heavily. By default, csf will allow all icmpv6
221# traffic in the INPUT and OUTPUT chains. However, this could increase the risk
222# of icmpv6 attacks. To restrict incoming icmpv6, set to "1" but may break some
223# connection types
224IPV6_ICMP_STRICT = "0"
225
226# Pre v2.6.20 kernel must set this option to "0" as no working state module is
227# present, so a static firewall is configured as a fallback
228#
229# A workaround has been added for CentOS/RedHat v5 and custom kernels that do
230# not support IPv6 connection tracking by opening ephemeral port range
231# 32768:61000. This is only applied if IPV6_SPI is not enabled. This is the
232# same workaround implemented by RedHat in the sample default IPv6 rules
233#
234# As connection tracking will not be configured, applications that rely on it
235# will not function unless all outgoing ports are opened. Therefore, all
236# outgoing connections will be allowed once all other tests have completed. So
237# TCP6_OUT, UDP6_OUT and ICMP6_OUT will not have any affect.
238#
239# If you allow incoming ipv6 DNS lookups you may need to use the following
240# directive in the options{} section of your named.conf:
241#
242#        query-source-v6 port 53;
243#
244# This will force ipv6 incoming DNS traffic only through port 53
245#
246# These changes are not necessary if the SPI firewall is used
247IPV6_SPI = "1"
248
249# Allow incoming IPv6 TCP ports
250TCP6_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,2002,2003,2004,2005,8080,14567"
251
252# Allow outgoing IPv6 TCP ports
253TCP6_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873,993,995,2086,2087,2089,2703,2002,2003,2004,2005,8080"
254
255# Allow incoming IPv6 UDP ports
256UDP6_IN = "20,21,53"
257
258# Allow outgoing IPv6 UDP ports
259# To allow outgoing traceroute add 33434:33523 to this list 
260UDP6_OUT = "20,21,53,113,123,873,6277,24441"
261
262###############################################################################
263# SECTION:General Settings
264###############################################################################
265# By default, csf will auto-configure iptables to filter all traffic except on
266# the loopback device. If you only want iptables rules applied to a specific
267# NIC, then list it here (e.g. eth1, or eth+)
268ETH_DEVICE = ""
269
270# By adding a device to this option, ip6tables can be configured only on the
271# specified device. Otherwise, ETH_DEVICE and then the default setting will be
272# used
273ETH6_DEVICE = ""
274
275# If you don't want iptables rules applied to specific NICs, then list them in
276# a comma separated list (e.g "eth1,eth2")
277ETH_DEVICE_SKIP = ""
278
279# This option should be enabled unless the kernel does not support the
280# "conntrack" module
281#
282# To use the deprecated iptables "state" module, change this to 0
283USE_CONNTRACK = "1"
284
285# Enable ftp helper via the iptables CT target on supporting kernels (v2.6.34+)
286# instead of the current method via /proc/sys/net/netfilter/nf_conntrack_helper
287# This will also remove the RELATED target from the global state iptables rule
288#
289# This is not needed (and will be ignored) if LF_SPI/IPV6_SPI is disabled or
290# the raw tables do not exist. The USE_CONNTRACK option should be enabled
291#
292# To enable this option, set it to your FTP server listening port number
293# (normally 21), do NOT set it to "1"
294USE_FTPHELPER = "0"
295
296# Check whether syslog is running. Many of the lfd checks require syslog to be
297# running correctly. This test will send a coded message to syslog every
298# SYSLOG_CHECK seconds. lfd will check SYSLOG_LOG log lines for the coded
299# message. If it fails to do so within SYSLOG_CHECK seconds an alert using
300# syslogalert.txt is sent
301#
302# A value of between 300 and 3600 seconds is suggested. Set to 0 to disable
303SYSLOG_CHECK = "0"
304
305# Enable this option if you want lfd to ignore (i.e. don't block) IP addresses
306# listed in csf.allow in addition to csf.ignore (the default). This option
307# should be used with caution as it would mean that IP's allowed through the
308# firewall from infected PC's could launch attacks on the server that lfd
309# would ignore
310IGNORE_ALLOW = "0"
311
312# Enable the following option if you want to apply strict iptables rules to DNS
313# traffic (i.e. relying on iptables connection tracking). Enabling this option
314# could cause DNS resolution issues both to and from the server but could help
315# prevent abuse of the local DNS server
316DNS_STRICT = "0"
317
318# Enable the following option if you want to apply strict iptables rules to DNS
319# traffic between the server and the nameservers listed in /etc/resolv.conf
320# Enabling this option could cause DNS resolution issues both to and from the
321# server but could help prevent abuse of the local DNS server
322DNS_STRICT_NS = "0"
323
324# Limit the number of IP's kept in the /etc/csf/csf.deny file
325#
326# Care should be taken when increasing this value on servers with low memory
327# resources or hard limits (such as Virtuozzo/OpenVZ) as too many rules (in the
328# thousands) can sometimes cause network slowdown
329#
330# The value set here is the maximum number of IPs/CIDRs allowed
331# if the limit is reached, the entries will be rotated so that the oldest
332# entries (i.e. the ones at the top) will be removed and the latest is added.
333# The limit is only checked when using csf -d (which is what lfd also uses)
334# Set to 0 to disable limiting
335#
336# For implementations wishing to set this value significantly higher, we
337# recommend using the IPSET option
338DENY_IP_LIMIT = "200"
339
340# Limit the number of IP's kept in the temprary IP ban list. If the limit is
341# reached the oldest IP's in the ban list will be removed and allowed
342# regardless of the amount of time remaining for the block
343# Set to 0 to disable limiting
344DENY_TEMP_IP_LIMIT = "100"
345
346# Enable login failure detection daemon (lfd). If set to 0 none of the
347# following settings will have any effect as the daemon won't start.
348LF_DAEMON = "1"
349
350# Check whether csf appears to have been stopped and restart if necessary,
351# unless TESTING is enabled above. The check is done every 300 seconds
352LF_CSF = "1"
353
354# This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE,
355# IP6TABLES_RESTORE in two ways:
356#
357# 1. On a clean server reboot the entire csf iptables configuration is saved
358#    and then restored where possible to provide a near instant firewall
359#    startup[*]
360#
361# 2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD,
362#    BOGON, TOR are loaded using this method in a fraction of the time than if
363#    this setting is disabled
364#
365# [*]Not supported on all OS platforms
366#
367# Set to "0" to disable this functionality
368FASTSTART = "1"
369
370# This option allows you to use ipset v6+ for the following csf options:
371# CC_* and /etc/csf/csf.blocklist, /etc/csf/csf.allow, /etc/csf/csf.deny,
372# GLOBAL_DENY, GLOBAL_ALLOW, DYNDNS, GLOBAL_DYNDNS, MESSENGER
373#
374# ipset will only be used with the above options when listing IPs and CIDRs.
375# Advanced Allow Filters and temporary blocks use traditional iptables
376#
377# Using ipset moves the onus of ip matching against large lists away from
378# iptables rules and to a purpose built and optimised database matching
379# utility. It also simplifies the switching in of updated lists
380#
381# To use this option you must have a fully functioning installation of ipset
382# installed either via rpm or source from http://ipset.netfilter.org/
383# 
384# Note: Using ipset has many advantages, some disadvantages are that you will
385# no longer see packet and byte counts against IPs and it makes identifying
386# blocked/allowed IPs that little bit harder
387#
388# Note: If you mainly use IP address only entries in csf.deny, you can increase
389# the value of DENY_IP_LIMIT significantly if you wish
390# 
391# Note: It's highly unlikely that ipset will function on Virtuozzo/OpenVZ
392# containers even if it has been installed
393#
394# If you find any problems, please post on forums.configserver.com with full
395# details of the issue
396LF_IPSET = "0"
397
398# Versions of iptables greater or equal to v1.4.20 should support the --wait
399# option. This forces iptables commands that use the option to wait until a
400# lock by any other process using iptables completes, rather than simply
401# failing
402#
403# Enabling this feature will add the --wait option to iptables commands
404#
405# NOTE: The disadvantage of using this option is that any iptables command that
406# uses it will hang until the lock is released. This could cause a cascade of
407# hung processes trying to issue iptables commands. To try and avoid this issue
408# csf uses a last ditch timeout, WAITLOCK_TIMEOUT in seconds, that will trigger
409# a failure if reached
410WAITLOCK = "0"
411WAITLOCK_TIMEOUT = "300"
412
413# The following sets the hashsize for ipset sets, which must be a power of 2.
414#
415# Note: Increasing this value will consume more memory for all sets
416# Default: "1024"
417LF_IPSET_HASHSIZE = "1024"
418
419# The following sets the maxelem for ipset sets.
420#
421# Note: Increasing this value will consume more memory for all sets
422# Default: "65536"
423LF_IPSET_MAXELEM = "65536"
424
425# If you enable this option then whenever a CLI request to restart csf is used
426# lfd will restart csf instead within LF_PARSE seconds
427#
428# This feature can be helpful for restarting configurations that cannot use
429# FASTSTART
430LFDSTART = "0"
431
432# Enable verbose output of iptables commands
433VERBOSE = "1"
434
435# Drop out of order packets and packets in an INVALID state in iptables
436# connection tracking
437PACKET_FILTER = "1"
438
439# Perform reverse DNS lookups on IP addresses. (See also CC_LOOKUPS)
440LF_LOOKUPS = "1"
441
442# Custom styling is possible in the csf UI. See the readme.txt for more
443# information under "UI skinning and Mobile View"
444#
445# This option enables the use of custom styling. If the styling fails to work
446# correctly, e.g. custom styling does not take into account a change in the
447# standard csf UI, then disabling this option will return the standard UI
448STYLE_CUSTOM = "0"
449
450# This option disables the presence of the Mobile View in the csf UI
451STYLE_MOBILE = "1"
452
453###############################################################################
454# SECTION:SMTP Settings
455###############################################################################
456# Block outgoing SMTP except for root, exim and mailman (forces scripts/users
457# to use the exim/sendmail binary instead of sockets access). This replaces the
458# protection as WHM > Tweak Settings > SMTP Tweaks
459#
460# This option uses the iptables ipt_owner/xt_owner module and must be loaded
461# for it to work. It may not be available on some VPS platforms
462#
463# Note: Run /etc/csf/csftest.pl to check whether this option will function on
464# this server
465SMTP_BLOCK = "1"
466
467# If SMTP_BLOCK is enabled but you want to allow local connections to port 25
468# on the server (e.g. for webmail or web scripts) then enable this option to
469# allow outgoing SMTP connections to the loopback device
470SMTP_ALLOWLOCAL = "1"
471
472# This option redirects outgoing SMTP connections destined for remote servers
473# for non-bypass users to the local SMTP server to force local relaying of
474# email. Such email may require authentication (SMTP AUTH)
475SMTP_REDIRECT = "0"
476
477# This is a comma separated list of the ports to block. You should list all
478# ports that exim is configured to listen on
479SMTP_PORTS = "25,465,587"
480
481# Always allow the following comma separated users and groups to bypass
482# SMTP_BLOCK
483#
484# Note: root (UID:0) is always allowed
485SMTP_ALLOWUSER = "jim"
486SMTP_ALLOWGROUP = "mail,mailman"
487
488# This option will only allow SMTP AUTH to be advertised to the IP addresses
489# listed in /etc/csf/csf.smtpauth on EXIM mail servers
490#
491# The additional option CC_ALLOW_SMTPAUTH can be used with this option to
492# additionally restrict access to specific countries
493#
494# This is to help limit attempts at distributed attacks against SMTP AUTH which
495# are difficult to achive since port 25 needs to be open to relay email
496#
497# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
498# connection, then SMTP AUTH will not accept logins, defeating the attacks
499# without restricting mail relaying
500#
501# Note: csf and lfd must be restarted if /etc/csf/csf.smtpauth is modified so
502# that the lookup file in /etc/exim.smtpauth is regenerated from the
503# information from /etc/csf/csf.smtpauth plus any countries listed in
504# CC_ALLOW_SMTPAUTH
505#
506# NOTE: To make this option work you MUST make the modifications to exim.conf
507# as explained in "Exim SMTP AUTH Restriction" section in /etc/csf/readme.txt
508# after enabling the option here, otherwise this option will not work
509#
510# To enable this option, set to 1 and make the exim configuration changes
511# To disable this option, set to 0 and undo the exim configuration changes
512SMTPAUTH_RESTRICT = "0"
513
514###############################################################################
515# SECTION:Port Flood Settings
516###############################################################################
517# Enable SYN Flood Protection. This option configures iptables to offer some
518# protection from tcp SYN packet DOS attempts. You should set the RATE so that
519# false-positives are kept to a minimum otherwise visitors may see connection
520# issues (check /var/log/messages for *SYNFLOOD Blocked*). See the iptables
521# man page for the correct --limit rate syntax
522#
523# Note: This option should ONLY be enabled if you know you are under a SYN
524# flood attack as it will slow down all new connections from any IP address to
525# the server if triggered
526SYNFLOOD = "0"
527SYNFLOOD_RATE = "100/s"
528SYNFLOOD_BURST = "150"
529
530# Connection Limit Protection. This option configures iptables to offer more
531# protection from DOS attacks against specific ports. It can also be used as a
532# way to simply limit resource usage by IP address to specific server services.
533# This option limits the number of concurrent new connections per IP address
534# that can be made to specific ports
535#
536# This feature does not work on servers that do not have the iptables module
537# xt_connlimit loaded. Typically, this will be with MONOLITHIC kernels. VPS
538# server admins should check with their VPS host provider that the iptables
539# module is included
540#
541# For further information and syntax refer to the Connection Limit Protection
542# section of the csf readme.txt
543#
544# Note: Run /etc/csf/csftest.pl to check whether this option will function on
545# this server
546CONNLIMIT = ""
547
548# Port Flood Protection. This option configures iptables to offer protection
549# from DOS attacks against specific ports. This option limits the number of
550# new connections per time interval that can be made to specific ports
551#
552# This feature does not work on servers that do not have the iptables module
553# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
554# server admins should check with their VPS host provider that the iptables
555# module is included
556#
557# For further information and syntax refer to the Port Flood Protection
558# section of the csf readme.txt
559#
560# Note: Run /etc/csf/csftest.pl to check whether this option will function on
561# this server
562PORTFLOOD = ""
563
564# Outgoing UDP Flood Protection. This option limits outbound UDP packet floods.
565# These typically originate from exploit scripts uploaded through vulnerable
566# web scripts. Care should be taken on servers that use services that utilise
567# high levels of UDP outbound traffic, such as SNMP, so you may need to alter
568# the UDPFLOOD_LIMIT and UDPFLOOD_BURST options to suit your environment
569#
570# We recommend enabling User ID Tracking (UID_INTERVAL) with this feature
571UDPFLOOD = "0"
572UDPFLOOD_LIMIT = "100/s"
573UDPFLOOD_BURST = "500"
574
575# This is a list of usernames that should not be rate limited, such as "named"
576# to prevent bind traffic from being limited.
577#
578# Note: root (UID:0) is always allowed
579UDPFLOOD_ALLOWUSER = "named"
580
581###############################################################################
582# SECTION:Logging Settings
583###############################################################################
584# Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
585# perl module Sys::Syslog installed to use this feature
586SYSLOG = "0"
587
588# Drop target for incoming iptables rules. This can be set to either DROP or
589# REJECT. REJECT will send back an error packet, DROP will not respond at all.
590# REJECT is more polite, however it does provide extra information to a hacker
591# and lets them know that a firewall is blocking their attempts. DROP hangs
592# their connection, thereby frustrating attempts to port scan the server
593DROP = "DROP"
594
595# Drop target for outgoing iptables rules. This can be set to either DROP or
596# REJECT as with DROP, however as such connections are from this server it is
597# better to REJECT connections to closed ports rather than to DROP them. This
598# helps to immediately free up server resources rather than tying them up until
599# a connection times out. It also tells the process making the connection that
600# it has immediately failed
601#
602# It is possible that some monolithic kernels may not support the REJECT
603# target. If this is the case, csf checks before using REJECT and falls back to
604# using DROP, issuing a warning to set this to DROP instead
605DROP_OUT = "REJECT"
606
607# Enable logging of dropped connections to blocked ports to syslog, usually
608# /var/log/messages. This option needs to be enabled to use Port Scan Tracking
609DROP_LOGGING = "1"
610
611# Enable logging of dropped incoming connections from blocked IP addresses
612#
613# This option will be disabled if you enable Port Scan Tracking (PS_INTERVAL)
614DROP_IP_LOGGING = "0"
615
616# Enable logging of dropped outgoing connections
617#
618# Note: Only outgoing SYN packets for TCP connections are logged, other
619# protocols log all packets
620#
621# We recommend that you enable this option
622DROP_OUT_LOGGING = "0"
623
624# Together with DROP_OUT_LOGGING enabled, this option logs the UID connecting
625# out (where available) which can help track abuse
626DROP_UID_LOGGING = "0"
627
628# Only log incoming reserved port dropped connections (0:1023). This can reduce
629# the amount of log noise from dropped connections, but will affect options
630# such as Port Scan Tracking (PS_INTERVAL)
631DROP_ONLYRES = "0"
632
633# Commonly blocked ports that you do not want logging as they tend to just fill
634# up the log file. These ports are specifically blocked (applied to TCP and UDP
635# protocols) for incoming connections
636DROP_NOLOG = "67,68,111,113,135:139,445,500,513,520"
637
638# Log packets dropped by the packet filtering option PACKET_FILTER
639DROP_PF_LOGGING = "0"
640
641# Log packets dropped by the Connection Limit Protection option CONNLIMIT. If
642# this is enabled and Port Scan Tracking (PS_INTERVAL) is also enabled, IP
643# addresses breaking the Connection Limit Protection will be blocked
644CONNLIMIT_LOGGING = "0"
645
646# Enable logging of UDP floods. This should be enabled, especially with User ID
647# Tracking enabled
648UDPFLOOD_LOGGING = "1"
649
650# Send an alert if log file flooding is detected which causes lfd to skip log
651# lines to prevent lfd from looping. If this alert is sent you should check the
652# reported log file for the reason for the flooding
653LOGFLOOD_ALERT = "0"
654
655###############################################################################
656# SECTION:Reporting Settings
657###############################################################################
658# By default, lfd will send alert emails using the relevant alert template to
659# the To: address configured within that template. Setting the following
660# option will override the configured To: field in all lfd alert emails
661#
662# Leave this option empty to use the To: field setting in each alert template
663LF_ALERT_TO = ""
664
665# By default, lfd will send alert emails using the relevant alert template from
666# the From: address configured within that template. Setting the following
667# option will override the configured From: field in all lfd alert emails
668#
669# Leave this option empty to use the From: field setting in each alert template
670LF_ALERT_FROM = ""
671
672# By default, lfd will send all alerts using the SENDMAIL binary. To send using
673# SMTP directly, you can set the following to a relaying SMTP server, e.g.
674# "127.0.0.1". Leave this setting blank to use SENDMAIL
675LF_ALERT_SMTP = ""
676
677# Block Reporting. lfd can run an external script when it performs and IP
678# address block following for example a login failure. The following setting
679# is to the full path of the external script which must be executable. See
680# readme.txt for format details
681#
682# Leave this setting blank to disable
683BLOCK_REPORT = ""
684
685# To also run an external script when a temporary block is unblocked. The
686# following setting can be the full path of the external script which must be
687# executable. See readme.txt for format details
688#
689# Leave this setting blank to disable
690UNBLOCK_REPORT = ""
691
692# In addition to the standard lfd email alerts, you can additionally enable the
693# sending of X-ARF reports (see http://www.xarf.org/specification.html). Only
694# block alert messages will be sent. The reports use our schema at:
695# https://download.configserver.com/abuse_login-attack_0.2.json
696#
697# These reports are in a format accepted by many Netblock owners and should
698# help them investigate abuse. This option is not designed to automatically
699# forward these reports to the Netblock owners and should be checked for
700# false-positive blocks before reporting
701#
702# If available, the report will also include the abuse contact for the IP from
703# the Abusix Contact DB: https://abusix.com/contactdb.html
704#
705# Note: The following block types are not reported through this feature:
706# LF_PERMBLOCK, LF_NETBLOCK, LF_DISTATTACK, LF_DISTFTP, RT_*_ALERT
707X_ARF = "0"
708
709# By default, lfd will send emails from the root forwarder. Setting the
710# following option will override this
711X_ARF_FROM = ""
712
713# By default, lfd will send emails to the root forwarder. Setting the following
714# option will override this
715X_ARF_TO = ""
716
717# If you want to automatically send reports to the abuse contact where found,
718# you can enable the following option
719#
720# Note: You MUST set X_ARF_FROM to a valid email address for this option to
721# work. This is so that the abuse contact can reply to the report
722#
723# However, you should be aware that without manual checking you could be
724# reporting innocent IP addresses, including your own clients, yourself and
725# your own servers
726#
727# Additionally, just because a contact address is found, does not mean that
728# there is anyone on the end of it reading, processing or acting on such
729# reports and you could conceivably reported for sending spam
730#
731# We do not recommend enabling this option. Abuse reports should be checked and
732# verified before being forwarded to the abuse contact
733X_ARF_ABUSE = "0"
734
735###############################################################################
736# SECTION:Temp to Perm/Netblock Settings
737###############################################################################
738# Temporary to Permanent IP blocking. The following enables this feature to
739# permanently block IP addresses that have been temporarily blocked more than
740# LF_PERMBLOCK_COUNT times in the last LF_PERMBLOCK_INTERVAL seconds. Set
741# LF_PERMBLOCK  to "1" to enable this feature
742#
743# Care needs to be taken when setting LF_PERMBLOCK_INTERVAL as it needs to be
744# at least LF_PERMBLOCK_COUNT multiplied by the longest temporary time setting
745# (TTL) for blocked IPs, to be effective
746#
747# Set LF_PERMBLOCK to "0" to disable this feature
748LF_PERMBLOCK = "1"
749LF_PERMBLOCK_INTERVAL = "86400"
750LF_PERMBLOCK_COUNT = "4"
751LF_PERMBLOCK_ALERT = "1"
752
753# Permanently block IPs by network class. The following enables this feature
754# to permanently block classes of IP address where individual IP addresses
755# within the same class LF_NETBLOCK_CLASS have already been blocked more than
756# LF_NETBLOCK_COUNT times in the last LF_NETBLOCK_INTERVAL seconds. Set
757# LF_NETBLOCK  to "1" to enable this feature
758#
759# This can be an affective way of blocking DDOS attacks launched from within
760# the same network class
761#
762# Valid settings for LF_NETBLOCK_CLASS are "A", "B" and "C", care and
763# consideration is required when blocking network classes A or B
764#
765# Set LF_NETBLOCK to "0" to disable this feature
766LF_NETBLOCK = "0"
767LF_NETBLOCK_INTERVAL = "86400"
768LF_NETBLOCK_COUNT = "4"
769LF_NETBLOCK_CLASS = "C"
770LF_NETBLOCK_ALERT = "1"
771
772# Valid settings for LF_NETBLOCK_IPV6 are "/64", "/56", "/48", "/32" and "/24"
773# Great care should be taken with IPV6 netblock ranges due to the large number
774# of addresses involved
775#
776# To disable IPv6 netblocks set to ""
777LF_NETBLOCK_IPV6 = ""
778
779###############################################################################
780# SECTION:Global Lists/DYNDNS/Blocklists
781###############################################################################
782# Safe Chain Update. If enabled, all dynamic update chains (GALLOW*, GDENY*,
783# SPAMHAUS, DSHIELD, BOGON, CC_ALLOW, CC_DENY, ALLOWDYN*) will create a new
784# chain when updating, and insert it into the relevant LOCALINPUT/LOCALOUTPUT
785# chain, then flush and delete the old dynamic chain and rename the new chain.
786#
787# This prevents a small window of opportunity opening when an update occurs and
788# the dynamic chain is flushed for the new rules.
789#
790# This option should not be enabled on servers with long dynamic chains (e.g.
791# CC_DENY/CC_ALLOW lists) and low memory. It should also not be enabled on
792# Virtuozzo VPS servers with a restricted numiptent value. This is because each
793# chain will effectively be duplicated while the update occurs, doubling the
794# number of iptables rules
795SAFECHAINUPDATE = "0"
796
797# If you wish to allow access from dynamic DNS records (for example if your IP
798# address changes whenever you connect to the internet but you have a dedicated
799# dynamic DNS record from the likes of dyndns.org) then you can list the FQDN
800# records in csf.dyndns and then set the following to the number of seconds to
801# poll for a change in the IP address. If the IP address has changed iptables
802# will be updated.
803#
804# If the FQDN has multiple A records then all of the IP addresses will be
805# processed. If IPV6 is enabled, then all IPv6 AAAA IP address records will
806# also be allowed.
807# 
808# A setting of 600 would check for IP updates every 10 minutes. Set the value
809# to 0 to disable the feature
810DYNDNS = "0"
811
812# To always ignore DYNDNS IP addresses in lfd blocking, set the following
813# option to 1
814DYNDNS_IGNORE = "0"
815
816# The follow Global options allow you to specify a URL where csf can grab a
817# centralised copy of an IP allow or deny block list of your own. You need to
818# specify the full URL in the following options, i.e.:
819# http://www.somelocation.com/allow.txt
820#
821# The actual retrieval of these IP's is controlled by lfd, so you need to set
822# LF_GLOBAL to the interval (in seconds) when you want lfd to retrieve. lfd
823# will perform the retrieval when it runs and then again at the specified
824# interval. A sensible interval would probably be every 3600 seconds (1 hour).
825# A minimum value of 300 is enforced for LF_GLOBAL if enabled
826#
827# You do not have to specify both an allow and a deny file
828#
829# You can also configure a global ignore file for IP's that lfd should ignore
830LF_GLOBAL = "0"
831
832GLOBAL_ALLOW = ""
833GLOBAL_DENY = ""
834GLOBAL_IGNORE = ""
835
836# Provides the same functionality as DYNDNS but with a GLOBAL URL file. Set
837# this to the URL of the file containing DYNDNS entries
838GLOBAL_DYNDNS = ""
839
840# Set the following to the number of seconds to poll for a change in the IP
841# address resoved from GLOBAL_DYNDNS
842GLOBAL_DYNDNS_INTERVAL = "600"
843
844# To always ignore GLOBAL_DYNDNS IP addresses in lfd blocking, set the following
845# option to 1
846GLOBAL_DYNDNS_IGNORE = "0"
847
848# Blocklists are controlled by modifying /etc/csf/csf.blocklists
849#
850# If you don't want BOGON rules applied to specific NICs, then list them in
851# a comma separated list (e.g "eth1,eth2")
852LF_BOGON_SKIP = ""
853
854# The following option can be used to select either HTTP::Tiny or
855# LWP::UserAgent to retrieve URL data. HTTP::Tiny is much faster than
856# LWP::UserAgent and is included in the csf distribution. LWP::UserAgent may
857# have to be installed manually, but it can better support https:// URL's
858# which also needs the LWP::Protocol::https perl module
859#
860# For example:
861#
862# On rpm based systems:
863# 
864#   yum install perl-libwww-perl.noarch perl-LWP-Protocol-https.noarch
865#
866# On APT based systems:
867#
868#   apt-get install libwww-perl liblwp-protocol-https-perl
869#
870# Via cpan:
871#
872#   perl -MCPAN -eshell
873#   cpan> install LWP LWP::Protocol::https
874#
875# We recommend setting this set to "2" as upgrades to csf will be performed
876# over SSL to https://download.configserver.com and
877# https://download2.configserver.com
878#
879# "1" = HTTP::Tiny
880# "2" = LWP::UserAgent
881URLGET = "2"
882
883# If you need csf/lfd to use a proxy, then you can set this option to the URL
884# of the proxy. The proxy provided will be used for both HTTP and HTTPS
885# connections
886URLPROXY = ""
887
888###############################################################################
889# SECTION:Country Code Lists and Settings
890###############################################################################
891# Country Code to CIDR allow/deny. In the following two options you can allow
892# or deny whole country CIDR ranges. The CIDR blocks are generated from the
893# MaxMind GeoLite2 Country database at:
894# https://dev.MaxMind.com/geoip/geoip2/geolite2/
895# This feature relies entirely on that service being available
896#
897# Specify the the two-letter ISO Country Code(s). The iptables rules are for
898# incoming connections only
899#
900# Additionally, ASN numbers can also be added to the comma separated lists
901# below that also list Country Codes. The same WARNINGS for Country Codes apply
902# to the use of ASNs. More about Autonomous System Numbers (ASN):
903# http://www.iana.org/assignments/as-numbers/as-numbers.xhtml
904#
905# You should consider using LF_IPSET when using any of the following options
906#
907# WARNING: These lists are never 100% accurate and some ISP's (e.g. AOL) use
908# non-geographic IP address designations for their clients
909#
910# WARNING: Some of the CIDR lists are huge and each one requires a rule within
911# the incoming iptables chain. This can result in significant performance
912# overheads and could render the server inaccessible in some circumstances. For
913# this reason (amongst others) we do not recommend using these options
914#
915# WARNING: Due to the resource constraints on VPS servers this feature should
916# not be used on such systems unless you choose very small CC zones
917#
918# WARNING: CC_ALLOW allows access through all ports in the firewall. For this
919# reason CC_ALLOW probably has very limited use and CC_ALLOW_FILTER is
920# preferred
921#
922# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
923CC_DENY = ""
924CC_ALLOW = ""
925
926# An alternative to CC_ALLOW is to only allow access from the following
927# countries but still filter based on the port and packets rules. All other
928# connections are dropped
929CC_ALLOW_FILTER = ""
930
931# This option allows access from the following countries to specific ports
932# listed in CC_ALLOW_PORTS_TCP and CC_ALLOW_PORTS_UDP
933#
934# Note: The rules for this feature are inserted after the allow and deny
935# rules to still allow blocking of IP addresses
936#
937# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
938CC_ALLOW_PORTS = ""
939
940# All listed ports should be removed from TCP_IN/UDP_IN to block access from
941# elsewhere. This option uses the same format as TCP_IN/UDP_IN
942#
943# An example would be to list port 21 here and remove it from TCP_IN/UDP_IN
944# then only counties listed in CC_ALLOW_PORTS can access FTP
945CC_ALLOW_PORTS_TCP = ""
946CC_ALLOW_PORTS_UDP = ""
947
948# This option denies access from the following countries to specific ports
949# listed in CC_DENY_PORTS_TCP and CC_DENY_PORTS_UDP
950#
951# Note: The rules for this feature are inserted after the allow and deny
952# rules to still allow allowing of IP addresses
953#
954# Each option is a comma separated list of CC's, e.g. "US,GB,DE"
955CC_DENY_PORTS = ""
956
957# This option uses the same format as TCP_IN/UDP_IN. The ports listed should
958# NOT be removed from TCP_IN/UDP_IN
959#
960# An example would be to list port 21 here then counties listed in
961# CC_DENY_PORTS cannot access FTP
962CC_DENY_PORTS_TCP = ""
963CC_DENY_PORTS_UDP = ""
964
965# This Country Code list will prevent lfd from blocking IP address hits for the
966# listed CC's
967#
968# CC_LOOKUPS must be enabled to use this option
969CC_IGNORE = ""
970
971# This Country Code list will only allow SMTP AUTH to be advertised to the
972# listed countries in EXIM. This is to help limit attempts at distributed
973# attacks against SMTP AUTH which are difficult to achive since port 25 needs
974# to be open to relay email
975#
976# The reason why this works is that if EXIM does not advertise SMTP AUTH on a
977# connection, then SMTP AUTH will not accept logins, defeating the attacks
978# without restricting mail relaying
979#
980# This option can generate a very large list of IP addresses that could easily
981# severely impact on SMTP (mail) performance, so care must be taken when
982# selecting countries and if performance issues ensue
983#
984# The option SMTPAUTH_RESTRICT must be enabled to use this option
985CC_ALLOW_SMTPAUTH = ""
986
987# Set this option to a valid CIDR (i.e. 1 to 32) to ignore CIDR blocks smaller
988# than this value when implementing CC_DENY/CC_ALLOW/CC_ALLOW_FILTER. This can
989# help reduce the number of CC entries and may improve iptables throughput.
990# Obviously, this will deny/allow fewer IP addresses depending on how small you
991# configure the option
992#
993# For example, to ignore all CIDR (and single IP) entries small than a /16, set
994# this option to "16". Set to "" to block all CC IP addresses
995CC_DROP_CIDR = ""
996
997# Display Country Code and Country for reported IP addresses. This option can
998# be configured to use the MaxMind Country Database or the more detailed (and
999# much larger and therefore slower) MaxMind City Database. An additional option
1000# is also available if you cannot use the MaxMind databases
1001#
1002# "0" - disable
1003# "1" - Reports: Country Code and Country
1004# "2" - Reports: Country Code and Country and Region and City
1005# "3" - Reports: Country Code and Country and Region and City and ASN
1006# "4" - Reports: Country Code and Country and Region and City (freegeoip.net)
1007#
1008# Note: "4" does not use the MaxMind databases directly for lookups. Instead it
1009# uses a URL-based lookup from a third-party provider at https://freegeoip.net
1010# and so avoids having to download and process the large databases. Please
1011# visit the https://freegeoip.net and read their limitations and respect that
1012# this option will either cease to function or be removed by us if that site is
1013# abused or overloaded. ONLY use this option if you have difficulties using the
1014# MaxMind databases. This option is ONLY for IP lookups, NOT when using the
1015# CC_* options above, which will continue to use the MaxMind databases
1016#
1017CC_LOOKUPS = "1"
1018
1019# Display Country Code and Country for reported IPv6 addresses using the
1020# MaxMind Country IPv6 Database
1021#
1022# "0" - disable
1023# "1" - enable and report the detail level as specified in CC_LOOKUPS
1024#
1025# This option must also be enabled to allow IPv6 support to CC_*, MESSENGER and
1026# PORTFLOOD
1027CC6_LOOKUPS = "0"
1028
1029# This option tells lfd how often to retrieve the MaxMind GeoLite2 Country
1030# database for CC_ALLOW, CC_ALLOW_FILTER, CC_DENY, CC_IGNORE and CC_LOOKUPS (in
1031# days)
1032CC_INTERVAL = "7"
1033
1034###############################################################################
1035# SECTION:Login Failure Blocking and Alerts
1036###############################################################################
1037# The following[*] triggers are application specific. If you set LF_TRIGGER to
1038# "0" the value of each trigger is the number of failures against that
1039# application that will trigger lfd to block the IP address
1040#
1041# If you set LF_TRIGGER to a value greater than "0" then the following[*]
1042# application triggers are simply on or off ("0" or "1") and the value of
1043# LF_TRIGGER is the total cumulative number of failures that will trigger lfd
1044# to block the IP address
1045#
1046# Setting the application trigger to "0" disables it
1047LF_TRIGGER = "0"
1048
1049# If LF_TRIGGER is > "0" then LF_TRIGGER_PERM can be set to "1" to permanently
1050# block the IP address, or LF_TRIGGER_PERM can be set to a value greater than
1051# "1" and the IP address will be blocked temporarily for that value in seconds.
1052# For example:
1053# LF_TRIGGER_PERM = "1" => the IP is blocked permanently
1054# LF_TRIGGER_PERM = "3600" => the IP is blocked temporarily for 1 hour
1055#
1056# If LF_TRIGGER is "0", then the application LF_[application]_PERM value works
1057# in the same way as above and LF_TRIGGER_PERM serves no function
1058LF_TRIGGER_PERM = "1"
1059
1060# To only block access to the failed application instead of a complete block
1061# for an ip address, you can set the following to "1", but LF_TRIGGER must be
1062# set to "0" with specific application[*] trigger levels also set appropriately
1063#
1064# The ports that are blocked can be configured by changing the PORTS_* options
1065LF_SELECT = "0"
1066
1067# Send an email alert if an IP address is blocked by one of the [*] triggers
1068LF_EMAIL_ALERT = "1"
1069
1070# [*]Enable login failure detection of sshd connections
1071#
1072# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1073# this file about RESTRICT_SYSLOG before enabling this option:
1074LF_SSHD = "5"
1075LF_SSHD_PERM = "1"
1076
1077# [*]Enable login failure detection of ftp connections
1078#
1079# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1080# this file about RESTRICT_SYSLOG before enabling this option:
1081LF_FTPD = "10"
1082LF_FTPD_PERM = "1"
1083
1084# [*]Enable login failure detection of SMTP AUTH connections
1085LF_SMTPAUTH = "5"
1086LF_SMTPAUTH_PERM = "1"
1087
1088# [*]Enable syntax failure detection of Exim connections
1089LF_EXIMSYNTAX = "10"
1090LF_EXIMSYNTAX_PERM = "1"
1091
1092# [*]Enable login failure detection of pop3 connections
1093#
1094# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1095# this file about RESTRICT_SYSLOG before enabling this option:
1096LF_POP3D = "10"
1097LF_POP3D_PERM = "1"
1098
1099# [*]Enable login failure detection of imap connections
1100#
1101# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1102# this file about RESTRICT_SYSLOG before enabling this option:
1103LF_IMAPD = "3"
1104LF_IMAPD_PERM = "1"
1105
1106# [*]Enable login failure detection of Apache .htpasswd connections
1107# Due to the often high logging rate in the Apache error log, you might want to
1108# enable this option only if you know you are suffering from attacks against
1109# password protected directories
1110LF_HTACCESS = "5"
1111LF_HTACCESS_PERM = "1"
1112
1113# [*]Enable failure detection of repeated Apache mod_security rule triggers
1114LF_MODSEC = "5"
1115LF_MODSEC_PERM = "1"
1116
1117# [*]Enable detection of repeated BIND denied requests
1118# This option should be enabled with care as it will prevent blocked IPs from
1119# resolving any domains on the server. You might want to set the trigger value
1120# reasonably high to avoid this
1121# Example: LF_BIND = "100"
1122LF_BIND = "0"
1123LF_BIND_PERM = "1"
1124
1125# [*]Enable detection of repeated suhosin ALERTs
1126# Example: LF_SUHOSIN = "5"
1127#
1128# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1129# this file about RESTRICT_SYSLOG before enabling this option:
1130LF_SUHOSIN = "0"
1131LF_SUHOSIN_PERM = "1"
1132
1133# [*]Enable detection of repeated cxs ModSecurity mod_security rule triggers
1134# This option will block IP addresses if cxs detects a hits from the
1135# ModSecurity rule associated with it
1136#
1137# Note: This option takes precedence over LF_MODSEC and removes any hits
1138# counted towards LF_MODSEC for the cxs rule
1139#
1140# This setting should probably set very low, perhaps to 1, if you want to
1141# effectively block IP addresses for this trigger option
1142LF_CXS = "0"
1143LF_CXS_PERM = "1"
1144
1145# [*]Enable detection of repeated Apache mod_qos rule triggers
1146LF_QOS = "0"
1147LF_QOS_PERM = "1"
1148
1149# [*]Enable detection of repeated Apache symlink race condition triggers from
1150# the Apache patch provided by:
1151# http://www.mail-archive.com/dev@httpd.apache.org/msg55666.html
1152# This patch has also been included by cPanel via the easyapache option:
1153# "Symlink Race Condition Protection"
1154LF_SYMLINK = "0"
1155LF_SYMLINK_PERM = "1"
1156
1157# [*]Enable login failure detection of webmin connections
1158#
1159# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1160# this file about RESTRICT_SYSLOG before enabling this option:
1161LF_WEBMIN = "0"
1162LF_WEBMIN_PERM = "1"
1163
1164# Send an email alert if anyone logs in successfully using SSH
1165#
1166# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1167# this file about RESTRICT_SYSLOG before enabling this option:
1168LF_SSH_EMAIL_ALERT = "1"
1169
1170# Send an email alert if anyone uses su to access another account. This will
1171# send an email alert whether the attempt to use su was successful or not
1172#
1173# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1174# this file about RESTRICT_SYSLOG before enabling this option:
1175LF_SU_EMAIL_ALERT = "1"
1176
1177# Send an email alert if anyone accesses webmin
1178#
1179# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1180# this file about RESTRICT_SYSLOG before enabling this option:
1181LF_WEBMIN_EMAIL_ALERT = "0"
1182
1183# Send an email alert if anyone logs in successfully to root on the console
1184#
1185# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1186# this file about RESTRICT_SYSLOG before enabling this option:
1187LF_CONSOLE_EMAIL_ALERT = "1"
1188
1189# This option will keep track of the number of "File does not exist" errors in
1190# HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in LF_INTERVAL
1191# seconds then the IP address will be blocked
1192#
1193# Care should be used with this option as it could generate many
1194# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
1195# so only use this option if you know you are under this type of attack
1196#
1197# A sensible setting for this would be quite high, perhaps 200
1198#
1199# To disable set to "0"
1200LF_APACHE_404 = "0"
1201
1202# If this option is set to 1 the blocks will be permanent
1203# If this option is > 1, the blocks will be temporary for the specified number
1204# of seconds
1205LF_APACHE_404_PERM = "3600"
1206
1207# This option will keep track of the number of "client denied by server
1208# configuration" errors in HTACCESS_LOG. If the number of hits is more than
1209# LF_APACHE_403 in LF_INTERVAL seconds then the IP address will be blocked
1210#
1211# Care should be used with this option as it could generate many
1212# false-positives, especially Search Bots (use csf.rignore to ignore such bots)
1213# so only use this option if you know you are under this type of attack
1214#
1215# A sensible setting for this would be quite high, perhaps 200
1216#
1217# To disable set to "0"
1218LF_APACHE_403 = "0"
1219
1220# If this option is set to 1 the blocks will be permanent
1221# If this option is > 1, the blocks will be temporary for the specified number
1222# of seconds
1223LF_APACHE_403_PERM = "3600"
1224
1225# This option will keep track of the number of 401 failures in HTACCESS_LOG.
1226# If the number of hits is more than LF_APACHE_401 in LF_INTERVAL seconds then
1227# the IP address will be blocked
1228#
1229# To disable set to "0"
1230LF_APACHE_401 = "0"
1231
1232# This option is used to determine if the Apache error_log format contains the
1233# client port after the client IP. In Apache prior to v2.4, this was not the
1234# case. In Apache v2.4+ the error_log format can be configured using
1235# ErrorLogFormat, making the port directive optional
1236#
1237# Unfortunately v2.4 ErrorLogFormat places the port number after a colon next
1238# to the client IP by default. This makes determining client IPv6 addresses
1239# difficult unless we know whether the port is being appended or not
1240#
1241# lfd will attempt to autodetect the correct value if this option is set to "0"
1242# from the httpd binary found in common locations. If it fails to find a binary
1243# it will be set to "2", unless specified here
1244#
1245# The value can be set here explicitly if the autodetection does not work:
1246# 0 - autodetect
1247# 1 - no port directive after client IP
1248# 2 - port directive after client IP
1249LF_APACHE_ERRPORT = "0"
1250
1251# If this option is set to 1 the blocks will be permanent
1252# If this option is > 1, the blocks will be temporary for the specified number
1253# of seconds
1254LF_APACHE_401_PERM = "3600"
1255
1256# This option will send an alert if the ModSecurity IP persistent storage grows
1257# excessively large: https://goo.gl/rGh5sF
1258#
1259# More information on cPanel servers here: https://goo.gl/vo6xTE
1260#
1261# LF_MODSECIPDB_FILE must be set to the correct location of the database file
1262#
1263# The check is performed at lfd startup and then once per hour, the template
1264# used is modsecipdbalert.txt
1265#
1266# Set to "0" to disable this option, otherwise it is the threshold size of the
1267# file to report in gigabytes, e.g. set to 5 for 5GB
1268LF_MODSECIPDB_ALERT = "0"
1269
1270# This is the location of the persistent IP storage file on the server, e.g.:
1271# /var/run/modsecurity/data/ip.pag
1272# /var/cpanel/secdatadir/ip.pag
1273# /var/cache/modsecurity/ip.pag
1274# /usr/local/apache/conf/modsec/data/msa/ip.pag
1275# /var/tmp/ip.pag
1276# /tmp/ip.pag
1277LF_MODSECIPDB_FILE = "/var/run/modsecurity/data/ip.pag"
1278
1279# System Exploit Checking. This option is designed to perform a series of tests
1280# to send an alert in case a possible server compromise is detected
1281#
1282# To enable this feature set the following to the checking interval in seconds
1283# (a value of 300 would seem sensible).
1284#
1285# To disable set to "0"
1286LF_EXPLOIT = "300"
1287
1288# This comma separated list allows you to ignore tests LF_EXPLOIT performs
1289#
1290# For the SUPERUSER check, you can list usernames in csf.suignore to have them
1291# ignored for that test
1292#
1293# Valid tests are:
1294# SUPERUSER,SSHDSPAM
1295#
1296# If you want to ignore a test add it to this as a comma separated list, e.g.
1297# "SUPERUSER,SSHDSPAM"
1298LF_EXPLOIT_IGNORE = ""
1299
1300# Set the time interval to track login and other LF_ failures within (seconds),
1301# i.e. LF_TRIGGER failures within the last LF_INTERVAL seconds
1302LF_INTERVAL = "3600"
1303
1304# This is how long the lfd process sleeps (in seconds) before processing the
1305# log file entries and checking whether other events need to be triggered
1306LF_PARSE = "5"
1307
1308# This is the interval that is used to flush reports of usernames, files and
1309# pids so that persistent problems continue to be reported, in seconds.
1310# A value of 3600 seems sensible
1311LF_FLUSH = "3600"
1312
1313# Under some circumstances iptables can fail to include a rule instruction,
1314# especially if more than one request is made concurrently. In this event, a
1315# permanent block entry may exist in csf.deny, but not in iptables.
1316#
1317# This option instructs csf to deny an already blocked IP address the number
1318# of times set. The downside, is that there will be multiple entries for an IP
1319# address in csf.deny and possibly multiple rules for the same IP address in
1320# iptables. This needs to be taken into consideration when unblocking such IP
1321# addresses.
1322#
1323# Set to "0" to disable this feature. Do not set this too high for the reasons
1324# detailed above (e.g. "5" should be more than enough)
1325LF_REPEATBLOCK = "0"
1326
1327# By default csf will create both an inbound and outbound blocks from/to an IP
1328# unless otherwise specified in csf.deny and GLOBAL_DENY. This is the most
1329# effective way to block IP traffic. This option instructs csf to only block
1330# inbound traffic from those IP's and so reduces the number of iptables rules,
1331# but at the expense of less effectiveness. For this reason we recommend
1332# leaving this option disabled
1333# 
1334# Set to "0" to disable this feature - the default
1335LF_BLOCKINONLY = "0"
1336
1337###############################################################################
1338# SECTION:CloudFlare
1339###############################################################################
1340# This features provides interaction with the CloudFlare Firewall
1341#
1342# As CloudFlare is a reverse proxy, any attacking IP addresses (so far as 
1343# iptables is concerned) come from the CloudFlare IP's. To counter this, an
1344# Apache module (mod_cloudflare) is available that obtains the true attackers
1345# IP from a custom HTTP header record (similar functionality is available
1346# for other HTTP daemons
1347#
1348# However, despite now knowing the true attacking IP address, iptables cannot
1349# be used to block that IP as the traffic is still coming from the CloudFlare
1350# servers
1351#
1352# CloudFlare have provided a Firewall feature within the user account where
1353# rules can be added to block, challenge or whitelist IP addresses
1354#
1355# Using the CloudFlare API, this feature adds and removes attacking IPs from
1356# that firewall and provides CLI (and via the UI) additional commands
1357#
1358# See /etc/csf/readme.txt for more information about this feature and the
1359# restrictions for its use BEFORE enabling this feature
1360CF_ENABLE = "0"
1361
1362# This can be set to either "block" or "challenge" (see CloudFlare docs)
1363CF_BLOCK = "block"
1364
1365# This setting determines how long the temporary block will apply within csf
1366# and CloudFlare, keeping them in sync
1367#
1368# Block duration in seconds - overrides perm block or time of individual blocks
1369# in lfd for block triggers
1370CF_TEMP = "3600"
1371
1372###############################################################################
1373# SECTION:Directory Watching & Integrity 
1374###############################################################################
1375# Enable Directory Watching. This enables lfd to check /tmp and /dev/shm
1376# directories for suspicious files, i.e. script exploits. If a suspicious
1377# file is found an email alert is sent. One alert per file per LF_FLUSH
1378# interval is sent
1379#
1380# To enable this feature set the following to the checking interval in seconds.
1381# To disable set to "0"
1382LF_DIRWATCH = "300"
1383
1384# To remove any suspicious files found during directory watching, enable the
1385# following. These files will be appended to a tarball in
1386# /var/lib/csf/suspicious.tar
1387LF_DIRWATCH_DISABLE = "0"
1388
1389# This option allows you to have lfd watch a particular file or directory for
1390# changes and should they change and email alert using watchalert.txt is sent
1391#
1392# To enable this feature set the following to the checking interval in seconds
1393# (a value of 60 would seem sensible) and add your entries to csf.dirwatch
1394#
1395# Set to disable set to "0"
1396LF_DIRWATCH_FILE = "0"
1397
1398# System Integrity Checking. This enables lfd to compare md5sums of the
1399# servers OS binary application files from the time when lfd starts. If the
1400# md5sum of a monitored file changes an alert is sent. This option is intended
1401# as an IDS (Intrusion Detection System) and is the last line of detection for
1402# a possible root compromise.
1403#
1404# There will be constant false-positives as the servers OS is updated or
1405# monitored application binaries are updated. However, unexpected changes
1406# should be carefully inspected.
1407#
1408# Modified files will only be reported via email once.
1409#
1410# To enable this feature set the following to the checking interval in seconds
1411# (a value of 3600 would seem sensible). This option may increase server I/O
1412# load onto the server as it checks system binaries.
1413#
1414# To disable set to "0"
1415LF_INTEGRITY = "3600"
1416
1417###############################################################################
1418# SECTION:Distributed Attacks
1419###############################################################################
1420# Distributed Account Attack. This option will keep track of login failures
1421# from distributed IP addresses to a specific application account. If the
1422# number of failures matches the trigger value above, ALL of the IP addresses
1423# involved in the attack will be blocked according to the temp/perm rules above
1424#
1425# Tracking applies to LF_SSHD, LF_FTPD, LF_SMTPAUTH, LF_POP3D, LF_IMAPD, 
1426# LF_HTACCESS
1427#
1428# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1429# this file about RESTRICT_SYSLOG before enabling this option:
1430LF_DISTATTACK = "0"
1431
1432# Set the following to the minimum number of unique IP addresses that trigger
1433# LF_DISTATTACK
1434LF_DISTATTACK_UNIQ = "2"
1435
1436# Distributed FTP Logins. This option will keep track of successful FTP logins.
1437# If the number of successful logins to an individual account is at least
1438# LF_DISTFTP in LF_DIST_INTERVAL from at least LF_DISTFTP_UNIQ IP addresses,
1439# then all of the IP addresses will be blocked
1440#
1441# This option can help mitigate the common FTP account compromise attacks that
1442# use a distributed network of zombies to deface websites
1443#
1444# A sensible setting for this might be 5, depending on how many different
1445# IP addresses you expect to an individual FTP account within LF_DIST_INTERVAL
1446#
1447# To disable set to "0"
1448#
1449# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1450# this file about RESTRICT_SYSLOG before enabling this option:
1451LF_DISTFTP = "0"
1452
1453# Set the following to the minimum number of unique IP addresses that trigger
1454# LF_DISTFTP. LF_DISTFTP_UNIQ must be <= LF_DISTFTP for this to work
1455LF_DISTFTP_UNIQ = "3"
1456
1457# If this option is set to 1 the blocks will be permanent
1458# If this option is > 1, the blocks will be temporary for the specified number
1459# of seconds
1460LF_DISTFTP_PERM = "1"
1461
1462# Send an email alert if LF_DISTFTP is triggered
1463LF_DISTFTP_ALERT = "1"
1464
1465# Distributed SMTP Logins. This option will keep track of successful SMTP
1466# logins. If the number of successful logins to an individual account is at
1467# least LF_DISTSMTP in LF_DIST_INTERVAL from at least LF_DISTSMTP_UNIQ IP
1468# addresses, then all of the IP addresses will be blocked. These options only
1469# apply to the exim MTA
1470#
1471# This option can help mitigate the common SMTP account compromise attacks that
1472# use a distributed network of zombies to send spam
1473#
1474# A sensible setting for this might be 5, depending on how many different
1475# IP addresses you expect to an individual SMTP account within LF_DIST_INTERVAL
1476#
1477# To disable set to "0"
1478LF_DISTSMTP = "5"
1479
1480# Set the following to the minimum number of unique IP addresses that trigger
1481# LF_DISTSMTP. LF_DISTSMTP_UNIQ must be <= LF_DISTSMTP for this to work
1482LF_DISTSMTP_UNIQ = "3"
1483
1484# If this option is set to 1 the blocks will be permanent
1485# If this option is > 1, the blocks will be temporary for the specified number
1486# of seconds
1487LF_DISTSMTP_PERM = "1"
1488
1489# Send an email alert if LF_DISTSMTP is triggered
1490LF_DISTSMTP_ALERT = "1"
1491
1492# This is the interval during which a distributed FTP or SMTP attack is
1493# measured
1494LF_DIST_INTERVAL = "300"
1495
1496# If LF_DISTFTP or LF_DISTSMTP is triggered, then if the following contains the
1497# path to a script, it will run the script and pass the following as arguments:
1498#
1499# LF_DISTFTP/LF_DISTSMTP
1500# account name
1501# log file text
1502#
1503# The action script must have the execute bit and interpreter (shebang) set
1504LF_DIST_ACTION = ""
1505
1506###############################################################################
1507# SECTION:Login Tracking
1508###############################################################################
1509# Block POP3 logins if greater than LT_POP3D times per hour per account per IP
1510# address (0=disabled)
1511#
1512# This is a temporary block for the rest of the hour, afterwhich the IP is
1513# unblocked
1514#
1515# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1516# this file about RESTRICT_SYSLOG before enabling this option:
1517LT_POP3D = "0"
1518
1519# Block IMAP logins if greater than LT_IMAPD times per hour per account per IP
1520# address (0=disabled) - not recommended for IMAP logins due to the ethos
1521# within which IMAP works. If you want to use this, setting it quite high is
1522# probably a good idea
1523#
1524# This is a temporary block for the rest of the hour, afterwhich the IP is
1525# unblocked
1526#
1527# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1528# this file about RESTRICT_SYSLOG before enabling this option:
1529LT_IMAPD = "0"
1530
1531# Send an email alert if an account exceeds LT_POP3D/LT_IMAPD logins per hour
1532# per IP
1533LT_EMAIL_ALERT = "1"
1534
1535# If LF_PERMBLOCK is enabled but you do not want this to apply to
1536# LT_POP3D/LT_IMAPD, then enable this option
1537LT_SKIPPERMBLOCK = "0"
1538
1539###############################################################################
1540# SECTION:Connection Tracking
1541###############################################################################
1542# Connection Tracking. This option enables tracking of all connections from IP
1543# addresses to the server. If the total number of connections is greater than
1544# this value then the offending IP address is blocked. This can be used to help
1545# prevent some types of DOS attack.
1546#
1547# Care should be taken with this option. It's entirely possible that you will
1548# see false-positives. Some protocols can be connection hungry, e.g. FTP, IMAPD
1549# and HTTP so it could be quite easy to trigger, especially with a lot of
1550# closed connections in TIME_WAIT. However, for a server that is prone to DOS
1551# attacks this may be very useful. A reasonable setting for this option might
1552# be around 300.
1553#
1554# To disable this feature, set this to 0
1555CT_LIMIT = "0"
1556
1557# Connection Tracking interval. Set this to the the number of seconds between
1558# connection tracking scans
1559CT_INTERVAL = "30"
1560
1561# Send an email alert if an IP address is blocked due to connection tracking
1562CT_EMAIL_ALERT = "1"
1563
1564# If you want to make IP blocks permanent then set this to 1, otherwise blocks
1565# will be temporary and will be cleared after CT_BLOCK_TIME seconds
1566CT_PERMANENT = "0"
1567
1568# If you opt for temporary IP blocks for CT, then the following is the interval
1569# in seconds that the IP will remained blocked for (e.g. 1800 = 30 mins)
1570CT_BLOCK_TIME = "1800"
1571
1572# If you don't want to count the TIME_WAIT state against the connection count
1573# then set the following to "1"
1574CT_SKIP_TIME_WAIT = "0"
1575
1576# If you only want to count specific states (e.g. SYN_RECV) then add the states
1577# to the following as a comma separated list. E.g. "SYN_RECV,TIME_WAIT"
1578#
1579# Leave this option empty to count all states against CT_LIMIT
1580CT_STATES = ""
1581
1582# If you only want to count specific ports (e.g. 80,443) then add the ports
1583# to the following as a comma separated list. E.g. "80,443"
1584#
1585# Leave this option empty to count all ports against CT_LIMIT
1586CT_PORTS = ""
1587
1588# If the total number of connections from a class C subnet is greater than this
1589# value then the offending subnet is blocked according to the other CT_*
1590# settings
1591#
1592# This option can be used to help prevent some types of DOS attack where a
1593# range of IP's between x.y.z.1-255 has connected to the server
1594#
1595# If you use a reverse proxy service such as Cloudflare you should not enable
1596# this option, or should exclude the ports that you have proxied in CT_PORTS
1597#
1598# To disable this feature, set this to 0
1599CT_SUBNET_LIMIT = "0"
1600
1601###############################################################################
1602# SECTION:Process Tracking
1603###############################################################################
1604# Process Tracking. This option enables tracking of user and nobody processes
1605# and examines them for suspicious executables or open network ports. Its
1606# purpose is to identify potential exploit processes that are running on the
1607# server, even if they are obfuscated to appear as system services. If a
1608# suspicious process is found an alert email is sent with relevant information.
1609# It is then the responsibility of the recipient to investigate the process
1610# further as the script takes no further action
1611#
1612# The following is the number of seconds a process has to be active before it
1613# is inspected. If you set this time too low, then you will likely trigger
1614# false-positives with CGI or PHP scripts.
1615# Set the value to 0 to disable this feature
1616PT_LIMIT = "60"
1617
1618# How frequently processes are checked in seconds
1619PT_INTERVAL = "60"
1620
1621# If you want process tracking to highlight php or perl scripts that are run
1622# through apache then disable the following,
1623# i.e. set it to 0
1624#
1625# While enabling this setting will reduce false-positives, having it set to 0
1626# does provide better checking for exploits running on the server
1627PT_SKIP_HTTP = "0"
1628
1629# lfd will report processes, even if they're listed in csf.pignore, if they're
1630# tagged as (deleted) by Linux. This information is provided in Linux under
1631# /proc/PID/exe. A (deleted) process is one that is running a binary that has
1632# the inode for the file removed from the file system directory. This usually
1633# happens when the binary has been replaced due to an upgrade for it by the OS
1634# vendor or another third party (e.g. cPanel). You need to investigate whether
1635# this is indeed the case to be sure that the original binary has not been
1636# replaced by a rootkit or is running an exploit.
1637#
1638# Note: If a deleted executable process is detected and reported then lfd will
1639# not report children of the parent (or the parent itself if a child triggered
1640# the report) if the parent is also a deleted executable process
1641#
1642# To stop lfd reporting such process you need to restart the daemon to which it
1643# belongs and therefore run the process using the replacement binary (presuming
1644# one exists). This will normally mean running the associated startup script in
1645# /etc/init.d/
1646#
1647# If you do want lfd to report deleted binary processes, set to 1
1648PT_DELETED = "0"
1649
1650# If a PT_DELETED event is triggered, then if the following contains the path to
1651# a script, it will be run in a child process and passed the executable, pid,
1652# account for the process, and parent pid
1653#
1654# The action script must have the execute bit and interpreter (shebang) set. An
1655# example is provided in /usr/local/csf/bin/pt_deleted_action.pl
1656#
1657# WARNING: Make sure you read and understand the potential security
1658# implications of such processes in PT_DELETED above before simply restarting
1659# such processes with a script
1660PT_DELETED_ACTION = ""
1661
1662# User Process Tracking. This option enables the tracking of the number of
1663# process any given account is running at one time. If the number of processes
1664# exceeds the value of the following setting an email alert is sent with
1665# details of those processes. If you specify a user in csf.pignore it will be
1666# ignored
1667#
1668# Set to 0 to disable this feature
1669PT_USERPROC = "10"
1670
1671# This User Process Tracking option sends an alert if any user process exceeds
1672# the virtual memory usage set (MB). To ignore specific processes or users use
1673# csf.pignore
1674#
1675# Set to 0 to disable this feature
1676PT_USERMEM = "200"
1677
1678# This User Process Tracking option sends an alert if any user process exceeds
1679# the RSS memory usage set (MB) - RAM used, not virtual. To ignore specific
1680# processes or users use csf.pignore
1681#
1682# Set to 0 to disable this feature
1683PT_USERRSS = "256"
1684
1685# This User Process Tracking option sends an alert if any linux user process
1686# exceeds the time usage set (seconds). To ignore specific processes or users
1687# use csf.pignore
1688#
1689# Set to 0 to disable this feature
1690PT_USERTIME = "1800"
1691
1692# If this option is set then processes detected by PT_USERMEM, PT_USERTIME or
1693# PT_USERPROC are killed
1694#
1695# Warning: We don't recommend enabling this option unless absolutely necessary
1696# as it can cause unexpected problems when processes are suddenly terminated.
1697# It can also lead to system processes being terminated which could cause
1698# stability issues. It is much better to leave this option disabled and to
1699# investigate each case as it is reported when the triggers above are breached
1700#
1701# Note: Processes that are running deleted excecutables (see PT_DELETED) will
1702# not be killed by lfd
1703PT_USERKILL = "0"
1704
1705# If you want to disable email alerts if PT_USERKILL is triggered, then set
1706# this option to 0
1707PT_USERKILL_ALERT = "1"
1708
1709# If a PT_* event is triggered, then if the following contains the path to
1710# a script, it will be run in a child process and passed the PID(s) of the
1711# process(es) in a comma separated list.
1712#
1713# The action script must have the execute bit and interpreter (shebang) set
1714PT_USER_ACTION = ""
1715
1716# Check the PT_LOAD_AVG minute Load Average (can be set to 1 5 or 15 and
1717# defaults to 5 if set otherwise) on the server every PT_LOAD seconds. If the
1718# load average is greater than or equal to PT_LOAD_LEVEL then an email alert is
1719# sent. lfd then does not report subsequent high load until PT_LOAD_SKIP
1720# seconds has passed to prevent email floods.
1721#
1722# Set PT_LOAD to "0" to disable this feature
1723PT_LOAD = "30"
1724PT_LOAD_AVG = "5"
1725PT_LOAD_LEVEL = "6"
1726PT_LOAD_SKIP = "3600"
1727
1728# This is the Apache Server Status URL used in the email alert. Requires the
1729# Apache mod_status module to be installed and configured correctly
1730PT_APACHESTATUS = "http://127.0.0.1/server-status"
1731
1732# If a PT_LOAD event is triggered, then if the following contains the path to
1733# a script, it will be run in a child process. For example, the script could
1734# contain commands to terminate and restart httpd, php, exim, etc incase of
1735# looping processes. The action script must have the execute bit an 
1736# interpreter (shebang) set
1737PT_LOAD_ACTION = ""
1738
1739# Fork Bomb Protection. This option checks the number of processes with the
1740# same session id and if greater than the value set, the whole session tree is
1741# terminated and an alert sent
1742#
1743# You can see an example of common session id processes on most Linux systems
1744# using: "ps axf -O sid"
1745#
1746# On cPanel servers, PT_ALL_USERS should be enabled to use this option
1747# effectively
1748#
1749# This option will check root owned processes. Session id 0 and 1 will always
1750# be ignored as they represent kernel and init processes. csf.pignore will be
1751# honoured, but bear in mind that a session tree can contain a variety of users
1752# and executables
1753#
1754# Care needs to be taken to ensure that this option only detects runaway fork
1755# bombs, so should be set higher than any session tree is likely to get (e.g.
1756# httpd could have 100s of legitimate children on very busy systems). A
1757# sensible starting point on most servers might be 250
1758PT_FORKBOMB = "0"
1759
1760# Terminate hung SSHD sessions. When under an SSHD login attack, SSHD processes
1761# are often left hanging after their connecting IP addresses have been blocked
1762#
1763# This option will terminate the SSH processes created by the blocked IP. This
1764# option is preferred over PT_SSHDHUNG
1765PT_SSHDKILL = "0"
1766
1767# This option will terminate all processes with the cmdline of "sshd: unknown
1768# [net]" or "sshd: unknown [priv]" if they have been running for more than 60
1769# seconds
1770PT_SSHDHUNG = "0"
1771
1772###############################################################################
1773# SECTION:Port Scan Tracking
1774###############################################################################
1775# Port Scan Tracking. This feature tracks port blocks logged by iptables to
1776# syslog. If an IP address generates a port block that is logged more than
1777# PS_LIMIT within PS_INTERVAL seconds, the IP address will be blocked.
1778#
1779# This feature could, for example, be useful for blocking hackers attempting
1780# to access the standard SSH port if you have moved it to a port other than 22
1781# and have removed 22 from the TCP_IN list so that connection attempts to the
1782# old port are being logged
1783#
1784# This feature blocks all iptables blocks from the iptables logs, including
1785# repeated attempts to one port or SYN flood blocks, etc
1786#
1787# Note: This feature will only track iptables blocks from the log file set in
1788# IPTABLES_LOG below and if you have DROP_LOGGING enabled. However, it will
1789# cause redundant blocking with DROP_IP_LOGGING enabled
1790#
1791# Warning: It's possible that an elaborate DDOS (i.e. from multiple IP's)
1792# could very quickly fill the iptables rule chains and cause a DOS in itself.
1793# The DENY_IP_LIMIT should help to mitigate such problems with permanent blocks
1794# and the DENY_TEMP_IP_LIMIT with temporary blocks
1795#
1796# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1797# would be sensible to enable this feature
1798#
1799# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1800# this file about RESTRICT_SYSLOG before enabling this option:
1801PS_INTERVAL = "300"
1802PS_LIMIT = "10"
1803
1804# You can specify the ports and/or port ranges that should be tracked by the
1805# Port Scan Tracking feature. The following setting is a comma separated list
1806# of those ports and uses the same format as TCP_IN. The setting of
1807# 0:65535,ICMP,INVALID,OPEN,BRD covers all ports
1808#
1809# Special values are:
1810#   ICMP    - include ICMP blocks (see ICMP_*)
1811#   INVALID - include INVALID blocks (see PACKET_FILTER)
1812#   OPEN    - include TCP_IN and UDP_IN open port blocks - *[proto]_IN Blocked*
1813#   BRD     - include UDP Broadcast IPs, otherwise they are ignored
1814PS_PORTS = "0:65535,ICMP"
1815
1816# To specify how many different ports qualifies as a Port Scan you can increase
1817# the following from the default value of 1. The risk in doing so will mean
1818# that persistent attempts to attack a specific closed port will not be
1819# detected and blocked
1820PS_DIVERSITY = "1"
1821
1822# You can select whether IP blocks for Port Scan Tracking should be temporary
1823# or permanent. Set PS_PERMANENT to "0" for temporary and "1" for permanent
1824# blocking. If set to "0" PS_BLOCK_TIME is the amount of time in seconds to
1825# temporarily block the IP address for
1826PS_PERMANENT = "0"
1827PS_BLOCK_TIME = "3600"
1828
1829# Set the following to "1" to enable Port Scan Tracking email alerts, set to
1830# "0" to disable them
1831PS_EMAIL_ALERT = "1"
1832
1833###############################################################################
1834# SECTION:User ID Tracking
1835###############################################################################
1836# User ID Tracking. This feature tracks UID blocks logged by iptables to
1837# syslog. If a UID generates a port block that is logged more than UID_LIMIT
1838# times within UID_INTERVAL seconds, an alert will be sent
1839#
1840# Note: This feature will only track iptables blocks from the log file set in
1841# IPTABLES_LOG and if DROP_OUT_LOGGING and DROP_UID_LOGGING are enabled.
1842#
1843# To ignore specific UIDs list them in csf.uidignore and then restart lfd
1844#
1845# Set UID_INTERVAL to "0" to disable this feature. A value of between 60 and 300
1846# would be sensible to enable this feature
1847#
1848# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
1849# this file about RESTRICT_SYSLOG before enabling this option:
1850UID_INTERVAL = "0"
1851UID_LIMIT = "10"
1852
1853# You can specify the ports and/or port ranges that should be tracked by the
1854# User ID Tracking feature. The following setting is a comma separated list
1855# of those ports and uses the same format as TCP_OUT. The default setting of
1856# 0:65535,ICMP covers all ports
1857UID_PORTS = "0:65535,ICMP"
1858
1859###############################################################################
1860# SECTION:Account Tracking
1861###############################################################################
1862# Account Tracking. The following options enable the tracking of modifications
1863# to the accounts on a server. If any of the enabled options are triggered by
1864# a modifications to an account, an alert email is sent. Only the modification
1865# is reported. The cause of the modification will have to be investigated
1866# manually
1867#
1868# You can set AT_ALERT to the following:
1869# 0 = disable this feature
1870# 1 = enable this feature for all accounts
1871# 2 = enable this feature only for superuser accounts (UID = 0, e.g. root, etc)
1872# 3 = enable this feature only for the root account
1873AT_ALERT = "2"
1874
1875# This options is the interval between checks in seconds
1876AT_INTERVAL = "60"
1877
1878# Send alert if a new account is created
1879AT_NEW = "1"
1880
1881# Send alert if an existing account is deleted
1882AT_OLD = "1"
1883
1884# Send alert if an account password has changed
1885AT_PASSWD = "1"
1886
1887# Send alert if an account uid has changed
1888AT_UID = "1"
1889
1890# Send alert if an account gid has changed
1891AT_GID = "1"
1892
1893# Send alert if an account login directory has changed
1894AT_DIR = "1"
1895
1896# Send alert if an account login shell has changed
1897AT_SHELL = "1"
1898
1899###############################################################################
1900# SECTION:Integrated User Interface
1901###############################################################################
1902# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
1903# without requiring a control panel or web server. The UI runs as a sub process
1904# to the lfd daemon
1905#
1906# As it runs under the root account and successful login provides root access
1907# to the server, great care should be taken when configuring and using this
1908# feature. There are additional restrictions to enhance secure access to the UI
1909#
1910# See readme.txt for more information about using this feature BEFORE enabling
1911# it for security and access reasons
1912# 
1913# 1 to enable, 0 to disable
1914UI = "0"
1915
1916# Set this to the port that want to bind this service to. You should configure
1917# this port to be >1023 and different from any other port already being used
1918#
1919# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
1920# to the port using Advanced Allow Filters (see readme.txt)
1921UI_PORT = "6666"
1922
1923# Optionally set the IP address to bind to. Normally this should be left blank
1924# to bind to all IP addresses on the server.
1925#
1926# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
1927# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
1928# ::ffff:1.2.3.4
1929#
1930# Leave blank to bind to all IP addresses on the server
1931UI_IP = ""
1932
1933# This should be a secure, hard to guess username
1934# 
1935# This must be changed from the default
1936UI_USER = "username"
1937
1938# This should be a secure, hard to guess password. That is, at least 8
1939# characters long with a mixture of upper and lowercase characters plus 
1940# numbers and non-alphanumeric characters
1941#
1942# This must be changed from the default
1943UI_PASS = "password"
1944
1945# This is the login session timeout. If there is no activity for a logged in
1946# session within this number of seconds, the session will timeout and a new
1947# login will be required
1948#
1949# For security reasons, you should always keep this option low (i.e 60-300)
1950UI_TIMEOUT = "300"
1951
1952# This is the maximum concurrent connections allowed to the server. The default
1953# value should be sufficient
1954UI_CHILDREN = "5"
1955
1956# The number of login retries allowed within a 24 hour period. A successful
1957# login from the IP address will clear the failures
1958#
1959# For security reasons, you should always keep this option low (i.e 0-10)
1960UI_RETRY = "5"
1961
1962# If enabled, this option will add the connecting IP address to the file 
1963# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
1964# able to login to the UI while it is listed in this file. The UI_BAN setting
1965# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
1966# csf.ignore, etc.
1967#
1968# For security reasons, you should always enable this option
1969UI_BAN = "1"
1970
1971# If enabled, only IPs (or CIDR's) listed in the file /etc/csf/ui/ui.allow will
1972# be allowed to login to the UI. The UI_ALLOW setting does not refer to any of
1973# the csf/lfd allow or ignore files, e.g. csf.allow, csf.ignore, etc.
1974#
1975# For security reasons, you should always enable this option and use ui.allow
1976UI_ALLOW = "1"
1977
1978# If enabled, this option will trigger an iptables block through csf after
1979# UI_RETRY login failures
1980#
1981# 0 = no block;1 = perm block;nn=temp block for nn secs
1982UI_BLOCK = "1"
1983
1984# This controls what email alerts are sent with regards to logins to the UI. It
1985# uses the uialert.txt template
1986#
1987# 4 = login success + login failure/ban/block + login attempts
1988# 3 = login success + login failure/ban/block
1989# 2 = login failure/ban/block
1990# 1 = login ban/block
1991# 0 = disabled
1992UI_ALERT = "4"
1993
1994# This is the SSL cipher list that the Integrated UI will negotiate from
1995UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
1996
1997# This is the SSL protocol version used. See IO::Socket::SSL if you wish to
1998# change this and to understand the implications of changing it
1999UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"
2000
2001# If cxs is installed then enabling this option will provide a dropdown box to
2002# switch between applications
2003UI_CXS = "0"
2004
2005# There is a modified installation of ConfigServer Explorer (cse) provided with
2006# the csf distribution. If this option is enabled it will provide a dropdown
2007# box to switch between applications
2008UI_CSE = "0"
2009
2010###############################################################################
2011# SECTION:Messenger service
2012###############################################################################
2013# Messenger service. This feature allows the display of a message to a blocked
2014# connecting IP address to inform the user that they are blocked in the
2015# firewall. This can help when users get themselves blocked, e.g. due to
2016# multiple login failures. The service is provided by two daemons running on
2017# ports providing either an HTML or TEXT message.
2018#
2019# This feature does not work on servers that do not have the iptables module
2020# ipt_REDIRECT loaded. Typically, this will be with MONOLITHIC kernels. VPS
2021# server admins should check with their VPS host provider that the iptables
2022# module is included.
2023#
2024# For further information on features and limitations refer to the csf
2025# readme.txt
2026#
2027# Note: Run /etc/csf/csftest.pl to check whether this option will function on
2028# this server
2029#
2030# 1 to enable, 0 to disable
2031MESSENGER = "0"
2032
2033# Provide this service to temporary IP address blocks
2034MESSENGER_TEMP = "1"
2035
2036# Provide this service to permanent IP address blocks
2037MESSENGER_PERM = "1"
2038
2039# User account to run the service servers under. We recommend creating a
2040# specific non-priv, non-shell account for this purpose
2041MESSENGER_USER = "csf"
2042
2043# This is the maximum concurrent connections allowed to each service server
2044MESSENGER_CHILDREN = "10"
2045
2046# Set this to the port that will receive the HTTPS HTML message. You should
2047# configure this port to be >1023 and different from the TEXT and HTML port. Do
2048# NOT enable access to this port in TCP_IN. This option requires the perl
2049# module IO::Socket::SSL at a version level that supports SNI (1.83+).
2050# Additionally the version of openssl on the server must also support SNI
2051#
2052# The option uses existing SSL certificates on the server for each domain to
2053# maintain a secure connection without browser warnings. It uses SNI to choose
2054# the correct certificate to use for each client connection
2055#
2056# Warning: On some servers the amount of memory used by the HTTPS MESSENGER
2057# service can become significant depending on various factors associated with
2058# the use of IO::Socket::SSL including the number of domains and certificates
2059# served
2060MESSENGER_HTTPS = "8887"
2061
2062# This comma separated list are the HTTPS HTML ports that will be redirected
2063# for the blocked IP address. If you are using per application blocking
2064# (LF_TRIGGER) then only the relevant block port will be redirected to the
2065# messenger port
2066#
2067# Recommended setting "443" plus any end-user control panel SSL ports
2068MESSENGER_HTTPS_IN = ""
2069
2070# This option points to the file(s) containing the Apache VirtualHost SSL
2071# definitions. This can be a file glob if there are multiple files to search.
2072# Only Apache v2 SSL VirtualHost definitions are supported
2073MESSENGER_HTTPS_CONF = "/etc/httpd/conf.d/ssl.conf"
2074
2075# The following options can be specified to provide a default fallback
2076# certificate to be used if either SNI is not supported or a hosted domain does
2077# not have an SSL certificate. If a fallback is not provided, one of the certs
2078# obtained from MESSENGER_HTTPS_CONF will be used
2079MESSENGER_HTTPS_KEY = "/etc/pki/tls/private/localhost.key"
2080MESSENGER_HTTPS_CRT = "/etc/pki/tls/certs/localhost.crt"
2081
2082# Set this to the port that will receive the HTML message. You should configure
2083# this port to be >1023 and different from the TEXT port. Do NOT enable access
2084# to this port in TCP_IN
2085MESSENGER_HTML = "8888"
2086
2087# This comma separated list are the HTML ports that will be redirected for the
2088# blocked IP address. If you are using per application blocking (LF_TRIGGER)
2089# then only the relevant block port will be redirected to the messenger port
2090MESSENGER_HTML_IN = "80,2082,2095"
2091
2092# Set this to the port that will receive the TEXT message. You should configure
2093# this port to be >1023 and different from the HTML port. Do NOT enable access
2094# to this port in TCP_IN
2095MESSENGER_TEXT = "8889"
2096
2097# This comma separated list are the TEXT ports that will be redirected for the
2098# blocked IP address. If you are using per application blocking (LF_TRIGGER)
2099# then only the relevant block port will be redirected to the messenger port
2100MESSENGER_TEXT_IN = "21"
2101
2102# These settings limit the rate at which connections can be made to the
2103# messenger service servers. Its intention is to provide protection from
2104# attacks or excessive connections to the servers. If the rate is exceeded then
2105# iptables will revert for the duration to the normal blocking actiity
2106#
2107# See the iptables man page for the correct --limit rate syntax
2108MESSENGER_RATE = "30/m"
2109MESSENGER_BURST = "5"
2110
2111# The RECAPTCHA options provide a way for end-users that have blocked
2112# themselves in the firewall to unblock themselves.
2113#
2114# A valid Google ReCAPTCHA (v2) is required for this feature from:
2115# https://www.google.com/recaptcha/intro/index.html
2116#
2117# When configuring a new reCAPTCHA API key set, you must ensure that the option
2118# for "Domain Name Validation" is unticked so that the same reCAPTCHA can be
2119# used for all domains hosted on the server. lfd then checks that the hostname
2120# of the request resolves to an IP on this server.
2121#
2122# This feature requires the installation of the LWP::UserAgent perl module (see
2123# option URLGET for more details).
2124#
2125# The template used for this feature is /etc/csf/messenger/index.recaptcha.html
2126#
2127# Note: An unblock will fail if the end-users IP is located in a netblock,
2128# blocklist or CC_* deny entry
2129RECAPTCHA_SITEKEY = ""
2130RECAPTCHA_SECRET = ""
2131
2132# Send an email when an IP address successfully attempts to unblock themselves.
2133# This does not necessarily mean the IP was unblocked, only that the
2134# post-recaptcha unblock request was attempted
2135#
2136# Set to "0" to disable
2137RECAPTCHA_ALERT = "1"
2138
2139# If the server uses NAT then resolving the hostname to hosted IPs will likely
2140# not succeed. In that case, the external IP addresses must be listed as comma
2141# separated list here
2142RECAPTCHA_NAT = ""
2143
2144###############################################################################
2145# SECTION:lfd Clustering
2146###############################################################################
2147# lfd Clustering. This allows the configuration of an lfd cluster environment
2148# where a group of servers can share blocks and configuration option changes.
2149# Included are CLI and UI options to send requests to the cluster.
2150#
2151# See the readme.txt file for more information and details on setup and
2152# security risks.
2153#
2154# Set this to a comma separated list of cluster member IP addresses to send
2155# requests to. Alternatively, it can be set to the full path of a file that
2156# will read in one IP per line, e.g.:
2157# "/etc/csf/cluster_sendto.txt"
2158CLUSTER_SENDTO = ""
2159
2160# Set this to a comma separated list of cluster member IP addresses to receive
2161# requests from. Alternatively, it can be set to the full path of a file that
2162# will read in one IP per line, e.g.:
2163# "/etc/csf/cluster_recvfrom.txt"
2164CLUSTER_RECVFROM = ""
2165
2166# IP address of the master node in the cluster allowed to send CLUSTER_CONFIG
2167# changes
2168CLUSTER_MASTER = ""
2169
2170# If this is a NAT server, set this to the public IP address of this server
2171CLUSTER_NAT = ""
2172
2173# If a cluster member should send requests on an IP other than the default IP,
2174# set it here
2175CLUSTER_LOCALADDR = ""
2176
2177# Cluster communication port (must be the same on all member servers). There
2178# is no need to open this port in the firewall as csf will automatically add
2179# in and out bound rules to allow communication between cluster members
2180CLUSTER_PORT = "7777"
2181
2182# This is a secret key used to encrypt cluster communications using the
2183# Blowfish algorithm. It should be between 8 and 56 characters long,
2184# preferably > 20 random characters
2185# 56 chars:    01234567890123456789012345678901234567890123456789012345
2186CLUSTER_KEY = ""
2187
2188# Automatically send lfd blocks to all members of CLUSTER_SENDTO. Those
2189# servers must have this servers IP address listed in their CLUSTER_RECVFROM
2190#
2191# Set to 0 to disable this feature
2192CLUSTER_BLOCK = "1"
2193
2194# This option allows the enabling and disabling of the Cluster configuration
2195# changing options --cconfig, --cconfigr, --cfile, --ccfile sent from the
2196# CLUSTER_MASTER server
2197#
2198# Set this option to 1 to allow Cluster configurations to be received
2199CLUSTER_CONFIG = "0"
2200
2201# Maximum number of child processes to listen on. High blocking rates or large
2202# clusters may need to increase this
2203CLUSTER_CHILDREN = "10"
2204
2205###############################################################################
2206# SECTION:Port Knocking
2207###############################################################################
2208# Port Knocking. This feature allows port knocking to be enabled on multiple
2209# ports with a variable number of knocked ports and a timeout. There must be a
2210# minimum of 3 ports to knock for an entry to be valid
2211#
2212# See the following for information regarding Port Knocking:
2213# http://www.portknocking.org/
2214#
2215# This feature does not work on servers that do not have the iptables module
2216# ipt_recent loaded. Typically, this will be with MONOLITHIC kernels. VPS
2217# server admins should check with their VPS host provider that the iptables
2218# module is included
2219#
2220# For further information and syntax refer to the Port Knocking section of the
2221# csf readme.txt
2222#
2223# Note: Run /etc/csf/csftest.pl to check whether this option will function on
2224# this server
2225#
2226# openport;protocol;timeout;kport1;kport2;kport3[...;kportN],...
2227# e.g.: 22;TCP;20;100;200;300;400
2228PORTKNOCKING = ""
2229
2230# Enable PORTKNOCKING logging by iptables
2231PORTKNOCKING_LOG = "1"
2232
2233# Send an email alert if the PORTKNOCKING port is opened. PORTKNOCKING_LOG must
2234# also be enabled to use this option
2235#
2236# SECURITY NOTE: This option is affected by the RESTRICT_SYSLOG option. Read
2237# this file about RESTRICT_SYSLOG before enabling this option:
2238PORTKNOCKING_ALERT = "1"
2239
2240###############################################################################
2241# SECTION:Log Scanner
2242###############################################################################
2243# Log Scanner. This feature will send out an email summary of the log lines of
2244# each log listed in /etc/csf/csf.logfiles. All lines will be reported unless
2245# they match a regular expression in /etc/csf/csf.logignore
2246#
2247# File globbing is supported for logs listed in /etc/csf/csf.logfiles. However,
2248# be aware that the more files lfd has to track, the greater the performance
2249# hit. Note: File globs are only evaluated when lfd is started
2250#
2251# Note: lfd builds the report continuously from lines logged after lfd has
2252# started, so any lines logged when lfd is not running will not be reported
2253# (e.g. during reboot). If lfd is restarted, then the report will include any
2254# lines logged during the previous lfd logging period that weren't reported
2255#
2256# 1 to enable, 0 to disable
2257LOGSCANNER = "0"
2258
2259# This is the interval each report will be sent based on the logalert.txt
2260# template
2261#
2262# The interval can be set to:
2263# "hourly" - sent on the hour
2264# "daily"  - sent at midnight (00:00)
2265# "manual" - sent whenever "csf --logrun" is run. This allows for scheduling
2266#            via cron job
2267LOGSCANNER_INTERVAL = "hourly"
2268
2269# Report Style
2270# 1 = Separate chronological log lines per log file
2271# 2 = Simply chronological log of all lines
2272LOGSCANNER_STYLE = "1"
2273
2274# Send the report email even if no log lines reported
2275# 1 to enable, 0 to disable
2276LOGSCANNER_EMPTY = "1"
2277
2278# Maximum number of lines in the report before it is truncated. This is to
2279# prevent log lines flooding resulting in an excessively large report. This
2280# might need to be increased if you choose a daily report
2281LOGSCANNER_LINES = "5000"
2282
2283###############################################################################
2284# SECTION:Statistics Settings
2285###############################################################################
2286# Statistics
2287#
2288# Some of the Statistics output requires the gd graphics library and the
2289# GD::Graph perl module with all dependent modules to be installed for the UI
2290# for them to be displayed
2291#
2292# This option enabled statistical data gathering
2293ST_ENABLE = "1"
2294
2295# This option determines how many iptables log lines to store for reports
2296ST_IPTABLES = "100"
2297
2298# This option indicates whether rDNS and CC lookups are performed at the time
2299# the log line is recorded (this is not performed when viewing the reports)
2300#
2301# Warning: If DROP_IP_LOGGING is enabled and there are frequent iptables hits,
2302# then enabling this setting could cause serious performance problems
2303ST_LOOKUP = "0"
2304
2305# This option will gather basic system statstics. Through the UI it displays
2306# various graphs for disk, cpu, memory, network, etc usage over 4 intervals:
2307#  . Hourly (per minute)
2308#  . 24 hours (per minute)
2309#  . 7 days (per minute averaged over an hour)
2310#  . 30 days (per minute averaged over an hour) - user definable
2311# The data is stored in /var/lib/csf/stats/system and the option requires the
2312# perl GD::Graph module
2313#
2314# Note: Disk graphs do not show on Virtuozzo/OpenVZ servers as the kernel on
2315# those systems do not store the required information in /proc/diskstats
2316# On new installations or when enabling this option it will take time for these
2317# graphs to be populated
2318ST_SYSTEM = "0"
2319
2320# Set the maximum days to collect statistics for. The default is 30 days, the
2321# more data that is collected the longer it will take for each of the graphs to
2322# be generated
2323ST_SYSTEM_MAXDAYS = "30"
2324
2325# If ST_SYSTEM is enabled, then these options can collect MySQL statistical
2326# data. To use this option the server must have the perl modules DBI and
2327# DBD::mysql installed.
2328#
2329# Set this option to "0" to disable MySQL data collection
2330ST_MYSQL = "0"
2331
2332# The following options are for authentication for MySQL data collection. If
2333# the password is left blank and the user set to "root" then the procedure will
2334# look for authentication data in /root/.my.cnf. Otherwise, you will need to
2335# provide a MySQL username and password to collect the data. Any MySQL user
2336# account can be used
2337ST_MYSQL_USER = "root"
2338ST_MYSQL_PASS = ""
2339ST_MYSQL_HOST = "localhost"
2340
2341# If ST_SYSTEM is enabled, then this option can collect Apache statistical data
2342# The value for PT_APACHESTATUS must be correctly set
2343ST_APACHE = "0"
2344
2345# The following options measure disk write performance using dd (location set
2346# via the DD setting). It creates a 64MB file called /var/lib/dd_write_test and
2347# the statistics will plot the MB/s response time of the disk. As this is an IO
2348# intensive operation, it may not be prudent to run this test too often, so by
2349# default it is only run every 5 minutes and the result duplicated for each
2350# intervening minute for the statistics
2351#
2352# This is not necessrily a good measure of disk performance, primarily because
2353# the measurements are for relatively small amounts of data over a small amount
2354# of time. To properly test disk performance there are a variety of tools
2355# available that should be run for extended periods of time to obtain an
2356# accurate measurement. This metric is provided to give an idea of how the disk
2357# is performing over time
2358#
2359# Note: There is a 15 second timeout performing the check
2360#
2361# Set to 0 to disable, 1 to enable
2362ST_DISKW = "0"
2363
2364# The number of minutes that elapse between tests. Default is 5, minimum is 1.
2365ST_DISKW_FREQ = "5"
2366
2367# This is the command line passed to dd. If you are familiar with dd, or wish
2368# to move the output file (of) to a different disk, then you can alter this
2369# command. Take great care when making any changes to this command as it is
2370# very easy to overwrite a disk using dd if you make a mistake
2371ST_DISKW_DD = "if=/dev/zero of=/var/lib/csf/dd_test bs=1MB count=64 conv=fdatasync"
2372
2373###############################################################################
2374# SECTION:Docker Settings
2375###############################################################################
2376# NOTE: This feature is currently in BETA testing, so may not work correctly
2377#
2378# This section provides the configuration of iptables rules to allow Docker
2379# containers to communicate through the host. If the generated rules do not
2380# work with your setup you will have to use a /etc/csf/csfpost.sh file and add
2381# your own iptables configuration instead
2382#
2383# 1 to enable, 0 to disable
2384DOCKER = "0"
2385
2386# The network device on the host
2387DOCKER_DEVICE = "docker0"
2388
2389# Docker container IPv4 range
2390DOCKER_NETWORK4 = "172.17.0.0/16"
2391
2392# Docker container IPv6 range. IPV6 must be enabled and the IPv6 nat table
2393# available (see IPv6 section). Leave blank to disable
2394DOCKER_NETWORK6 = "2001:db8:1::/64"
2395
2396###############################################################################
2397# SECTION:OS Specific Settings
2398###############################################################################
2399# Binary locations
2400IPTABLES = "/sbin/iptables"
2401IPTABLES_SAVE = "/sbin/iptables-save"
2402IPTABLES_RESTORE = "/sbin/iptables-restore"
2403IP6TABLES = "/sbin/ip6tables"
2404IP6TABLES_SAVE = "/sbin/ip6tables-save"
2405IP6TABLES_RESTORE = "/sbin/ip6tables-restore"
2406MODPROBE = "/sbin/modprobe"
2407IFCONFIG = "/sbin/ifconfig"
2408SENDMAIL = "/usr/sbin/sendmail"
2409PS = "/bin/ps"
2410VMSTAT = "/usr/bin/vmstat"
2411NETSTAT = "/bin/netstat"
2412LS = "/bin/ls"
2413MD5SUM = "/usr/bin/md5sum"
2414TAR = "/bin/tar"
2415CHATTR = "/usr/bin/chattr"
2416UNZIP = "/usr/bin/unzip"
2417GUNZIP = "/bin/gunzip"
2418DD = "/bin/dd"
2419TAIL = "/usr/bin/tail"
2420GREP = "/bin/grep"
2421ZGREP = "/usr/bin/zgrep"
2422IPSET = "/usr/sbin/ipset"
2423SYSTEMCTL = "/usr/bin/systemctl"
2424HOST = "/usr/bin/host"
2425IP = "/sbin/ip"
2426
2427# Log file locations
2428#
2429# File globbing is allowed for the following logs. However, be aware that the
2430# more files lfd has to track, the greater the performance hit
2431#
2432# Note: File globs are only evaluated when lfd is started
2433#
2434HTACCESS_LOG = "/var/log/httpd/error_log"
2435MODSEC_LOG = "/var/log/httpd/error_log"
2436SSHD_LOG = "/var/log/secure"
2437SU_LOG = "/var/log/secure"
2438FTPD_LOG = "/var/log/messages"
2439SMTPAUTH_LOG = "[[exim_log_path]]"
2440POP3D_LOG = "/var/log/maillog"
2441IMAPD_LOG = "/var/log/dovecot-info.log"
2442IPTABLES_LOG = "/var/log/messages"
2443SUHOSIN_LOG = "/var/log/messages"
2444BIND_LOG = "/var/log/messages"
2445SYSLOG_LOG = "/var/log/messages"
2446WEBMIN_LOG = "/var/log/secure"
2447
2448CUSTOM1_LOG = "/var/log/messages"
2449CUSTOM2_LOG = "/var/log/messages"
2450CUSTOM3_LOG = "/var/log/messages"
2451CUSTOM4_LOG = "/var/log/messages"
2452CUSTOM5_LOG = "/var/log/messages"
2453CUSTOM6_LOG = "/var/log/messages"
2454CUSTOM7_LOG = "/var/log/messages"
2455CUSTOM8_LOG = "/var/log/messages"
2456CUSTOM9_LOG = "/var/log/messages"
2457
2458# The following are comma separated lists used if LF_SELECT is enabled,
2459# otherwise they are not used. They are derived from the application returned
2460# from a regex match in /usr/local/csf/bin/regex.pm
2461#
2462# All ports default to tcp blocks. To specify udp or tcp use the format:
2463# port;protocol,port;protocol,... For example, "53;udp,53;tcp"
2464PORTS_pop3d = "110,995"
2465PORTS_imapd = "143,993"
2466PORTS_htpasswd = "80,443"
2467PORTS_mod_security = "80,443"
2468PORTS_mod_qos = "80,443"
2469PORTS_symlink = "80,443"
2470PORTS_suhosin = "80,443"
2471PORTS_cxs = "80,443"
2472PORTS_bind = "53;udp,53;tcp"
2473PORTS_ftpd = "20,21"
2474PORTS_webmin = "10000"
2475PORTS_smtpauth = "25,465,587"
2476PORTS_eximsyntax = "25,465,587"
2477# This list is replaced, if present, by "Port" definitions in
2478# /etc/ssh/sshd_config
2479PORTS_sshd = "22"
2480
2481# This configuration is for use with generic Linux servers, do not change the
2482# following setting:
2483GENERIC = "1"
2484
2485# For internal use only. You should not enable this option as it could cause
2486# instability in csf and lfd
2487DEBUG = "0"
2488###############################################################################